authorerwin <erwin@FreeBSD.org>2013-08-22 08:15:03 +0000
committererwin <erwin@FreeBSD.org>2013-08-22 08:15:03 +0000
commit6a288ef517fece2ca5a21d081efd7b4a81da0053 (patch)
tree37271fd86c9be9a6bab12a7aebd85ccfbb8a7b62 /contrib/bind9/lib/dns/private.c
parent0b46e38a09fbccfdfd7bca0f387c66b2c64fa5b6 (diff)
parentf32b4abce98c97ee6e51b7aa8f8fde6e4cab7f28 (diff)
Update Bind to 9.9.3-P2
Notable new features: * Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918] * Introduces a new tool "dnssec-verify" that validates a signed zone, checking for the correctness of signatures and NSEC/NSEC3 chains. [RT #23673] * BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities) [RT #28989] * The new "inline-signing" option, in combination with the "auto-dnssec" option that was introduced in BIND 9.7, allows named to sign zones completely transparently. Approved by: delphij (mentor) MFC after: 3 days Sponsored by: DK Hostmaster A/S
Diffstat (limited to 'contrib/bind9/lib/dns/private.c')
-rw-r--r--contrib/bind9/lib/dns/private.c80
1 files changed, 78 insertions, 2 deletions
diff --git a/contrib/bind9/lib/dns/private.c b/contrib/bind9/lib/dns/private.c
index b0cb96f..6521279 100644
--- a/contrib/bind9/lib/dns/private.c
+++ b/contrib/bind9/lib/dns/private.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -44,6 +44,7 @@
#define REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0)
#define CREATE(x) (((x) & DNS_NSEC3FLAG_CREATE) != 0)
+#define INITIAL(x) (((x) & DNS_NSEC3FLAG_INITIAL) != 0)
#define NONSEC(x) (((x) & DNS_NSEC3FLAG_NONSEC) != 0)
#define CHECK(x) do { \
@@ -149,7 +150,7 @@ dns_private_chains(dns_db_t *db, dns_dbversion_t *ver,
}
/*
- * Look to see if we also need to be creating a NSEC3 chains.
+ * Look to see if we also need to be creating a NSEC3 chain.
*/
if (dns_rdataset_isassociated(&nsecset)) {
if (build_nsec != NULL)
@@ -293,3 +294,78 @@ dns_private_chains(dns_db_t *db, dns_dbversion_t *ver,
dns_db_detachnode(db, &node);
return (result);
}
+
+isc_result_t
+dns_private_totext(dns_rdata_t *private, isc_buffer_t *buf) {
+ isc_result_t result;
+
+ if (private->length < 5)
+ return (ISC_R_NOTFOUND);
+
+ if (private->data[0] == 0) {
+ unsigned char nsec3buf[DNS_NSEC3PARAM_BUFFERSIZE];
+ unsigned char newbuf[DNS_NSEC3PARAM_BUFFERSIZE];
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_nsec3param_t nsec3param;
+ isc_boolean_t remove, init, nonsec;
+ isc_buffer_t b;
+
+ if (!dns_nsec3param_fromprivate(private, &rdata, nsec3buf,
+ sizeof(nsec3buf)))
+ CHECK(ISC_R_FAILURE);
+
+ CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+
+ remove = ISC_TF((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0);
+ init = ISC_TF((nsec3param.flags & DNS_NSEC3FLAG_INITIAL) != 0);
+ nonsec = ISC_TF((nsec3param.flags & DNS_NSEC3FLAG_NONSEC) != 0);
+
+ nsec3param.flags &= ~(DNS_NSEC3FLAG_CREATE|
+ DNS_NSEC3FLAG_REMOVE|
+ DNS_NSEC3FLAG_INITIAL|
+ DNS_NSEC3FLAG_NONSEC);
+
+ if (init)
+ isc_buffer_putstr(buf, "Pending NSEC3 chain ");
+ else if (remove)
+ isc_buffer_putstr(buf, "Removing NSEC3 chain ");
+ else
+ isc_buffer_putstr(buf, "Creating NSEC3 chain ");
+
+ dns_rdata_reset(&rdata);
+ isc_buffer_init(&b, newbuf, sizeof(newbuf));
+ CHECK(dns_rdata_fromstruct(&rdata, dns_rdataclass_in,
+ dns_rdatatype_nsec3param,
+ &nsec3param, &b));
+
+ CHECK(dns_rdata_totext(&rdata, NULL, buf));
+
+ if (remove && !nonsec)
+ isc_buffer_putstr(buf, " / creating NSEC chain");
+ } else if (private->length == 5) {
+ unsigned char alg = private->data[0];
+ dns_keytag_t keyid = (private->data[2] | private->data[1] << 8);
+ char keybuf[BUFSIZ], algbuf[DNS_SECALG_FORMATSIZE];
+ isc_boolean_t remove = ISC_TF(private->data[3] != 0);
+ isc_boolean_t complete = ISC_TF(private->data[4] != 0);
+
+ if (remove && complete)
+ isc_buffer_putstr(buf, "Done removing signatures for ");
+ else if (remove)
+ isc_buffer_putstr(buf, "Removing signatures for ");
+ else if (complete)
+ isc_buffer_putstr(buf, "Done signing with ");
+ else
+ isc_buffer_putstr(buf, "Signing with ");
+
+ dns_secalg_format(alg, algbuf, sizeof(algbuf));
+ sprintf(keybuf, "key %d/%s", keyid, algbuf);
+ isc_buffer_putstr(buf, keybuf);
+ } else
+ return (ISC_R_NOTFOUND);
+
+ isc_buffer_putuint8(buf, 0);
+ result = ISC_R_SUCCESS;
+ failure:
+ return (result);
+}
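Review bot: `sprintf(keybuf, "key %d/%s", keyid, algbuf);` in the signing-status branch of the new `dns_private_totext` is an unbounded write; today the operands are a 16-bit key tag and an algorithm name bounded by DNS_SECALG_FORMATSIZE, so BUFSIZ cannot overflow, but the bounded form `snprintf(keybuf, sizeof(keybuf), "key %d/%s", keyid, algbuf);` costs nothing and stays safe if either operand changes. The function also appends to `buf` through isc_buffer_putstr/isc_buffer_putuint8 without checking the buffer's available length, and as far as I recall of the ISC buffer API an undersized caller buffer trips a REQUIRE assertion rather than yielding ISC_R_NOSPACE, so that contract belongs in a header comment, e.g. `/* Render a private-type rdata as text into buf; buf must have room for the text plus the terminating NUL that is appended. Returns ISC_R_NOTFOUND for unrecognised private data. */`. As a point of style, the NSEC3 branch spells out `ISC_TF((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)` and the two sibling tests by hand although the file's REMOVE()/INITIAL()/NONSEC() macros, one of which this commit adds, express exactly that, e.g. `remove = ISC_TF(REMOVE(nsec3param.flags));`.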