Import ISC DHCP 3.0.1 RC6 client.

16 files changed, 6327 insertions, 0 deletions

diff --git a/contrib/isc-dhcp/minires/Makefile.dist b/contrib/isc-dhcp/minires/Makefile.dist
new file mode 100644
index 0000000..b6bf088
--- /dev/null
+++ b/contrib/isc-dhcp/minires/Makefile.dist
@@ -0,0 +1,69 @@
+# Makefile.dist
+#
+# Copyright (c) 1996-2000 Internet Software Consortium.
+# Use is subject to license terms which appear in the file named
+# ISC-LICENSE that should have accompanied this file when you
+# received it.   If a file named ISC-LICENSE did not accompany this
+# file, or you are not sure the one you have is correct, you may
+# obtain an applicable copy of the license at:
+#
+#             http://www.isc.org/isc-license-1.0.html. 
+#
+# This file is part of the ISC DHCP distribution.   The documentation
+# associated with this file is listed in the file DOCUMENTATION,
+# included in the top-level directory of this release.
+#
+# Support and other services are available for ISC products - see
+# http://www.isc.org for more information.
+#
+
+CATMANPAGES = dhcpctl.cat3
+SEDMANPAGES = dhcpctl.man3
+MAN    = dhcpctl.3
+SRC    = res_mkupdate.c res_init.c res_update.c res_send.c res_comp.c \
+	 res_sendsigned.c res_findzonecut.c res_query.c res_mkquery.c \
+	 ns_date.c ns_parse.c ns_sign.c ns_name.c ns_samedomain.c ns_verify.c
+OBJ    = res_mkupdate.o res_init.o res_update.o res_send.o res_comp.o \
+	 res_sendsigned.o res_findzonecut.o res_query.o res_mkquery.o \
+	 ns_date.o ns_parse.o ns_sign.o ns_name.o ns_samedomain.o ns_verify.o
+
+INCLUDES = $(BINDINC) -I$(TOP)/includes
+CFLAGS = $(DEBUG) $(PREDEFINES) $(INCLUDES) $(COPTS) -DHMAC_MD5 -DMINIRES_LIB
+
+all:	libres.a
+
+install:
+
+libres.a:	$(OBJ)
+	rm -f res.a
+	ar cruv libres.a $(OBJ)
+	$(RANLIB) libres.a
+
+depend:
+	$(MKDEP) $(INCLUDES) $(PREDEFINES) $(SRC)
+
+clean:
+	-rm -f $(OBJ) libres.a
+
+realclean: clean
+	-rm -f *~ $(CATMANPAGES) $(SEDMANPAGES)
+
+distclean: realclean
+	-rm -f Makefile
+
+links:
+	@for foo in $(SRC) $(MAN) $(HDRS); do \
+	  if [ ! -b $$foo ]; then \
+	    rm -f $$foo; \
+	  fi; \
+	  ln -s $(TOP)/minires/$$foo $$foo; \
+	done
+
+dhcpctl.cat3:	dhcpctl.man3
+	nroff -man dhcpctl.man3 >dhcpctl.cat3
+
+dhcpctl.man3:	dhcpctl.3
+	sed -e "s#ETCDIR#$(ETC)#g" -e "s#DBDIR#$(VARDB)#g" \
+		-e "s#RUNDIR#$(VARRUN)#g" < dhcpctl.3 >dhcpctl.man3
+
+# Dependencies (semi-automatically-generated)
diff --git a/contrib/isc-dhcp/minires/ns_date.c b/contrib/isc-dhcp/minires/ns_date.c
new file mode 100644
index 0000000..f5ef8c4
--- /dev/null
+++ b/contrib/isc-dhcp/minires/ns_date.c
@@ -0,0 +1,129 @@
+/*
+ * Copyright (c) 1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef lint
+static const char rcsid[] = "$Id: ns_date.c,v 1.2 2000/04/11 01:58:39 mellon Exp $";
+#endif
+
+/* Import. */
+
+#include <ctype.h>
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+
+#include "minires/minires.h"
+#include "arpa/nameser.h"
+
+#ifdef SPRINTF_CHAR
+# define SPRINTF(x) strlen(sprintf/**/x)
+#else
+# define SPRINTF(x) ((size_t)sprintf x)
+#endif
+
+/* Forward. */
+
+static int	datepart(const char *, int, int, int, int *);
+
+/* Public. */
+
+/* Convert a date in ASCII into the number of seconds since
+   1 January 1970 (GMT assumed).  Format is yyyymmddhhmmss, all
+   digits required, no spaces allowed.  */
+
+u_int32_t
+ns_datetosecs(const char *cp, int *errp) {
+	struct tm time;
+	u_int32_t result;
+	int mdays, i;
+	static const int days_per_month[12] =
+		{31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
+
+	if (strlen(cp) != 14) {
+		*errp = 1;
+		return (0);
+	}
+	*errp = 0;
+
+	memset(&time, 0, sizeof time);
+	time.tm_year  = datepart(cp +  0, 4, 1990, 9999, errp) - 1900;
+	time.tm_mon   = datepart(cp +  4, 2,   01,   12, errp) - 1;
+	time.tm_mday  = datepart(cp +  6, 2,   01,   31, errp);
+	time.tm_hour  = datepart(cp +  8, 2,   00,   23, errp);
+	time.tm_min   = datepart(cp + 10, 2,   00,   59, errp);
+	time.tm_sec   = datepart(cp + 12, 2,   00,   59, errp);
+	if (*errp)		/* Any parse errors? */
+		return (0);
+
+	/* 
+	 * OK, now because timegm() is not available in all environments,
+	 * we will do it by hand.  Roll up sleeves, curse the gods, begin!
+	 */
+
+#define SECS_PER_DAY    ((u_int32_t)24*60*60)
+#define isleap(y) ((((y) % 4) == 0 && ((y) % 100) != 0) || ((y) % 400) == 0)
+
+	result  = time.tm_sec;				/* Seconds */
+	result += time.tm_min * 60;			/* Minutes */
+	result += time.tm_hour * (60*60);		/* Hours */
+	result += (time.tm_mday - 1) * SECS_PER_DAY;	/* Days */
+
+	/* Months are trickier.  Look without leaping, then leap */
+	mdays = 0;
+	for (i = 0; i < time.tm_mon; i++)
+		mdays += days_per_month[i];
+	result += mdays * SECS_PER_DAY;			/* Months */
+	if (time.tm_mon > 1 && isleap(1900+time.tm_year))
+		result += SECS_PER_DAY;		/* Add leapday for this year */
+
+	/* First figure years without leapdays, then add them in.  */
+	/* The loop is slow, FIXME, but simple and accurate.  */
+	result += (time.tm_year - 70) * (SECS_PER_DAY*365); /* Years */
+	for (i = 70; i < time.tm_year; i++)
+		if (isleap(1900+i))
+			result += SECS_PER_DAY; /* Add leapday for prev year */
+
+	return (result);
+}
+
+/* Private. */
+
+/*
+ * Parse part of a date.  Set error flag if any error.
+ * Don't reset the flag if there is no error.
+ */
+static int
+datepart(const char *buf, int size, int min, int max, int *errp) {
+	int result = 0;
+	int i;
+
+	for (i = 0; i < size; i++) {
+		if (!isdigit(buf[i]))
+			*errp = 1;
+		result = (result * 10) + buf[i] - '0';
+	}
+	if (result < min)
+		*errp = 1;
+	if (result > max)
+		*errp = 1;
+	return (result);
+}
diff --git a/contrib/isc-dhcp/minires/ns_name.c b/contrib/isc-dhcp/minires/ns_name.c
new file mode 100644
index 0000000..e815d24
--- /dev/null
+++ b/contrib/isc-dhcp/minires/ns_name.c
@@ -0,0 +1,641 @@
+/*
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef lint
+static const char rcsid[] = "$Id: ns_name.c,v 1.1 2000/02/02 07:28:14 mellon Exp $";
+#endif
+
+#include <sys/types.h>
+
+#include <netinet/in.h>
+#include <sys/socket.h>
+
+#include <errno.h>
+#include <string.h>
+#include <ctype.h>
+
+#include "minires/minires.h"
+#include "arpa/nameser.h"
+
+/* Data. */
+
+static const char	digits[] = "0123456789";
+
+/* Forward. */
+
+static int		special(int);
+static int		printable(int);
+static int		dn_find(const u_char *, const u_char *,
+				const u_char * const *,
+				const u_char * const *);
+
+/* Public. */
+
+/*
+ * ns_name_ntop(src, dst, dstsiz)
+ *	Convert an encoded domain name to printable ascii as per RFC1035.
+ * return:
+ *	Number of bytes written to buffer, or -1 (with errno set)
+ * notes:
+ *	The root is returned as "."
+ *	All other domains are returned in non absolute form
+ */
+int
+ns_name_ntop(const u_char *src, char *dst, size_t dstsiz) {
+	const u_char *cp;
+	char *dn, *eom;
+	u_char c;
+	u_int n;
+
+	cp = src;
+	dn = dst;
+	eom = dst + dstsiz;
+
+	while ((n = *cp++) != 0) {
+		if ((n & NS_CMPRSFLGS) != 0) {
+			/* Some kind of compression pointer. */
+			errno = EMSGSIZE;
+			return (-1);
+		}
+		if (dn != dst) {
+			if (dn >= eom) {
+				errno = EMSGSIZE;
+				return (-1);
+			}
+			*dn++ = '.';
+		}
+		if (dn + n >= eom) {
+			errno = EMSGSIZE;
+			return (-1);
+		}
+		for ((void)NULL; n > 0; n--) {
+			c = *cp++;
+			if (special(c)) {
+				if (dn + 1 >= eom) {
+					errno = EMSGSIZE;
+					return (-1);
+				}
+				*dn++ = '\\';
+				*dn++ = (char)c;
+			} else if (!printable(c)) {
+				if (dn + 3 >= eom) {
+					errno = EMSGSIZE;
+					return (-1);
+				}
+				*dn++ = '\\';
+				*dn++ = digits[c / 100];
+				*dn++ = digits[(c % 100) / 10];
+				*dn++ = digits[c % 10];
+			} else {
+				if (dn >= eom) {
+					errno = EMSGSIZE;
+					return (-1);
+				}
+				*dn++ = (char)c;
+			}
+		}
+	}
+	if (dn == dst) {
+		if (dn >= eom) {
+			errno = EMSGSIZE;
+			return (-1);
+		}
+		*dn++ = '.';
+	}
+	if (dn >= eom) {
+		errno = EMSGSIZE;
+		return (-1);
+	}
+	*dn++ = '\0';
+	return (dn - dst);
+}
+
+/*
+ * ns_name_pton(src, dst, dstsiz)
+ *	Convert a ascii string into an encoded domain name as per RFC1035.
+ * return:
+ *	-1 if it fails
+ *	1 if string was fully qualified
+ *	0 is string was not fully qualified
+ * notes:
+ *	Enforces label and domain length limits.
+ */
+
+int
+ns_name_pton(const char *src, u_char *dst, size_t dstsiz) {
+	u_char *label, *bp, *eom;
+	int c, n, escaped;
+	char *cp;
+
+	escaped = 0;
+	bp = dst;
+	eom = dst + dstsiz;
+	label = bp++;
+
+	while ((c = *src++) != 0) {
+		if (escaped) {
+			if ((cp = strchr(digits, c)) != NULL) {
+				n = (cp - digits) * 100;
+				if ((c = *src++) == 0 ||
+				    (cp = strchr(digits, c)) == NULL) {
+					errno = EMSGSIZE;
+					return (-1);
+				}
+				n += (cp - digits) * 10;
+				if ((c = *src++) == 0 ||
+				    (cp = strchr(digits, c)) == NULL) {
+					errno = EMSGSIZE;
+					return (-1);
+				}
+				n += (cp - digits);
+				if (n > 255) {
+					errno = EMSGSIZE;
+					return (-1);
+				}
+				c = n;
+			}
+			escaped = 0;
+		} else if (c == '\\') {
+			escaped = 1;
+			continue;
+		} else if (c == '.') {
+			c = (bp - label - 1);
+			if ((c & NS_CMPRSFLGS) != 0) {	/* Label too big. */
+				errno = EMSGSIZE;
+				return (-1);
+			}
+			if (label >= eom) {
+				errno = EMSGSIZE;
+				return (-1);
+			}
+			*label = c;
+			/* Fully qualified ? */
+			if (*src == '\0') {
+				if (c != 0) {
+					if (bp >= eom) {
+						errno = EMSGSIZE;
+						return (-1);
+					}
+					*bp++ = '\0';
+				}
+				if ((bp - dst) > MAXCDNAME) {
+					errno = EMSGSIZE;
+					return (-1);
+				}
+				return (1);
+			}
+			if (c == 0 || *src == '.') {
+				errno = EMSGSIZE;
+				return (-1);
+			}
+			label = bp++;
+			continue;
+		}
+		if (bp >= eom) {
+			errno = EMSGSIZE;
+			return (-1);
+		}
+		*bp++ = (u_char)c;
+	}
+	c = (bp - label - 1);
+	if ((c & NS_CMPRSFLGS) != 0) {		/* Label too big. */
+		errno = EMSGSIZE;
+		return (-1);
+	}
+	if (label >= eom) {
+		errno = EMSGSIZE;
+		return (-1);
+	}
+	*label = c;
+	if (c != 0) {
+		if (bp >= eom) {
+			errno = EMSGSIZE;
+			return (-1);
+		}
+		*bp++ = 0;
+	}
+	if ((bp - dst) > MAXCDNAME) {	/* src too big */
+		errno = EMSGSIZE;
+		return (-1);
+	}
+	return (0);
+}
+
+/*
+ * ns_name_ntol(src, dst, dstsiz)
+ *	Convert a network strings labels into all lowercase.
+ * return:
+ *	Number of bytes written to buffer, or -1 (with errno set)
+ * notes:
+ *	Enforces label and domain length limits.
+ */
+
+int
+ns_name_ntol(const u_char *src, u_char *dst, size_t dstsiz) {
+	const u_char *cp;
+	u_char *dn, *eom;
+	u_char c;
+	u_int n;
+
+	cp = src;
+	dn = dst;
+	eom = dst + dstsiz;
+
+	while ((n = *cp++) != 0) {
+		if ((n & NS_CMPRSFLGS) != 0) {
+			/* Some kind of compression pointer. */
+			errno = EMSGSIZE;
+			return (-1);
+		}
+		*dn++ = n;
+		if (dn + n >= eom) {
+			errno = EMSGSIZE;
+			return (-1);
+		}
+		for ((void)NULL; n > 0; n--) {
+			c = *cp++;
+			if (isupper(c))
+				*dn++ = tolower(c);
+			else
+				*dn++ = c;
+		}
+	}
+	*dn++ = '\0';
+	return (dn - dst);
+}
+
+/*
+ * ns_name_unpack(msg, eom, src, dst, dstsiz)
+ *	Unpack a domain name from a message, source may be compressed.
+ * return:
+ *	-1 if it fails, or consumed octets if it succeeds.
+ */
+int
+ns_name_unpack(const u_char *msg, const u_char *eom, const u_char *src,
+	       u_char *dst, size_t dstsiz)
+{
+	const u_char *srcp, *dstlim;
+	u_char *dstp;
+	unsigned n;
+	int len;
+	int checked;
+
+	len = -1;
+	checked = 0;
+	dstp = dst;
+	srcp = src;
+	dstlim = dst + dstsiz;
+	if (srcp < msg || srcp >= eom) {
+		errno = EMSGSIZE;
+		return (-1);
+	}
+	/* Fetch next label in domain name. */
+	while ((n = *srcp++) != 0) {
+		/* Check for indirection. */
+		switch (n & NS_CMPRSFLGS) {
+		case 0:
+			/* Limit checks. */
+			if (dstp + n + 1 >= dstlim || srcp + n >= eom) {
+				errno = EMSGSIZE;
+				return (-1);
+			}
+			checked += n + 1;
+			*dstp++ = n;
+			memcpy(dstp, srcp, n);
+			dstp += n;
+			srcp += n;
+			break;
+
+		case NS_CMPRSFLGS:
+			if (srcp >= eom) {
+				errno = EMSGSIZE;
+				return (-1);
+			}
+			if (len < 0)
+				len = srcp - src + 1;
+			srcp = msg + (((n & 0x3f) << 8) | (*srcp & 0xff));
+			if (srcp < msg || srcp >= eom) {  /* Out of range. */
+				errno = EMSGSIZE;
+				return (-1);
+			}
+			checked += 2;
+			/*
+			 * Check for loops in the compressed name;
+			 * if we've looked at the whole message,
+			 * there must be a loop.
+			 */
+			if (checked >= eom - msg) {
+				errno = EMSGSIZE;
+				return (-1);
+			}
+			break;
+
+		default:
+			errno = EMSGSIZE;
+			return (-1);			/* flag error */
+		}
+	}
+	*dstp = '\0';
+	if (len < 0)
+		len = srcp - src;
+	return (len);
+}
+
+/*
+ * ns_name_pack(src, dst, dstsiz, dnptrs, lastdnptr)
+ *	Pack domain name 'domain' into 'comp_dn'.
+ * return:
+ *	Size of the compressed name, or -1.
+ * notes:
+ *	'dnptrs' is an array of pointers to previous compressed names.
+ *	dnptrs[0] is a pointer to the beginning of the message. The array
+ *	ends with NULL.
+ *	'lastdnptr' is a pointer to the end of the array pointed to
+ *	by 'dnptrs'.
+ * Side effects:
+ *	The list of pointers in dnptrs is updated for labels inserted into
+ *	the message as we compress the name.  If 'dnptr' is NULL, we don't
+ *	try to compress names. If 'lastdnptr' is NULL, we don't update the
+ *	list.
+ */
+int
+ns_name_pack(const u_char *src, u_char *dst, unsigned dstsiz,
+	     const u_char **dnptrs, const u_char **lastdnptr)
+{
+	u_char *dstp;
+	const u_char **cpp, **lpp, *eob, *msg;
+	const u_char *srcp;
+	unsigned n;
+	int l;
+
+	srcp = src;
+	dstp = dst;
+	eob = dstp + dstsiz;
+	lpp = cpp = NULL;
+	if (dnptrs != NULL) {
+		if ((msg = *dnptrs++) != NULL) {
+			for (cpp = dnptrs; *cpp != NULL; cpp++)
+				(void)NULL;
+			lpp = cpp;	/* end of list to search */
+		}
+	} else
+		msg = NULL;
+
+	/* make sure the domain we are about to add is legal */
+	l = 0;
+	do {
+		n = *srcp;
+		if ((n & NS_CMPRSFLGS) != 0) {
+			errno = EMSGSIZE;
+			return (-1);
+		}
+		l += n + 1;
+		if (l > MAXCDNAME) {
+			errno = EMSGSIZE;
+			return (-1);
+		}
+		srcp += n + 1;
+	} while (n != 0);
+
+	/* from here on we need to reset compression pointer array on error */
+	srcp = src;
+	do {
+		/* Look to see if we can use pointers. */
+		n = *srcp;
+		if (n != 0 && msg != NULL) {
+			l = dn_find(srcp, msg, (const u_char * const *)dnptrs,
+				    (const u_char * const *)lpp);
+			if (l >= 0) {
+				if (dstp + 1 >= eob) {
+					goto cleanup;
+				}
+				*dstp++ = (l >> 8) | NS_CMPRSFLGS;
+				*dstp++ = l % 256;
+				return (dstp - dst);
+			}
+			/* Not found, save it. */
+			if (lastdnptr != NULL && cpp < lastdnptr - 1 &&
+			    (dstp - msg) < 0x4000) {
+				*cpp++ = dstp;
+				*cpp = NULL;
+			}
+		}
+		/* copy label to buffer */
+		if (n & NS_CMPRSFLGS) {		/* Should not happen. */
+			goto cleanup;
+		}
+		if (dstp + 1 + n >= eob) {
+			goto cleanup;
+		}
+		memcpy(dstp, srcp, n + 1);
+		srcp += n + 1;
+		dstp += n + 1;
+	} while (n != 0);
+
+	if (dstp > eob) {
+cleanup:
+		if (msg != NULL)
+			*lpp = NULL;
+		errno = EMSGSIZE;
+		return (-1);
+	} 
+	return (dstp - dst);
+}
+
+/*
+ * ns_name_uncompress(msg, eom, src, dst, dstsiz)
+ *	Expand compressed domain name to presentation format.
+ * return:
+ *	Number of bytes read out of `src', or -1 (with errno set).
+ * note:
+ *	Root domain returns as "." not "".
+ */
+int
+ns_name_uncompress(const u_char *msg, const u_char *eom, const u_char *src,
+		   char *dst, size_t dstsiz)
+{
+	u_char tmp[NS_MAXCDNAME];
+	int n;
+	
+	if ((n = ns_name_unpack(msg, eom, src, tmp, sizeof tmp)) == -1)
+		return (-1);
+	if (ns_name_ntop(tmp, dst, dstsiz) == -1)
+		return (-1);
+	return (n);
+}
+
+/*
+ * ns_name_compress(src, dst, dstsiz, dnptrs, lastdnptr)
+ *	Compress a domain name into wire format, using compression pointers.
+ * return:
+ *	Number of bytes consumed in `dst' or -1 (with errno set).
+ * notes:
+ *	'dnptrs' is an array of pointers to previous compressed names.
+ *	dnptrs[0] is a pointer to the beginning of the message.
+ *	The list ends with NULL.  'lastdnptr' is a pointer to the end of the
+ *	array pointed to by 'dnptrs'. Side effect is to update the list of
+ *	pointers for labels inserted into the message as we compress the name.
+ *	If 'dnptr' is NULL, we don't try to compress names. If 'lastdnptr'
+ *	is NULL, we don't update the list.
+ */
+int
+ns_name_compress(const char *src, u_char *dst, size_t dstsiz,
+		 const u_char **dnptrs, const u_char **lastdnptr)
+{
+	u_char tmp[NS_MAXCDNAME];
+
+	if (ns_name_pton(src, tmp, sizeof tmp) == -1)
+		return (-1);
+	return (ns_name_pack(tmp, dst, dstsiz, dnptrs, lastdnptr));
+}
+
+/*
+ * ns_name_skip(ptrptr, eom)
+ *	Advance *ptrptr to skip over the compressed name it points at.
+ * return:
+ *	0 on success, -1 (with errno set) on failure.
+ */
+int
+ns_name_skip(const u_char **ptrptr, const u_char *eom) {
+	const u_char *cp;
+	u_int n;
+
+	cp = *ptrptr;
+	while (cp < eom && (n = *cp++) != 0) {
+		/* Check for indirection. */
+		switch (n & NS_CMPRSFLGS) {
+		case 0:			/* normal case, n == len */
+			cp += n;
+			continue;
+		case NS_CMPRSFLGS:	/* indirection */
+			cp++;
+			break;
+		default:		/* illegal type */
+			errno = EMSGSIZE;
+			return (-1);
+		}
+		break;
+	}
+	if (cp > eom) {
+		errno = EMSGSIZE;
+		return (-1);
+	}
+	*ptrptr = cp;
+	return (0);
+}
+
+/* Private. */
+
+/*
+ * special(ch)
+ *	Thinking in noninternationalized USASCII (per the DNS spec),
+ *	is this characted special ("in need of quoting") ?
+ * return:
+ *	boolean.
+ */
+static int
+special(int ch) {
+	switch (ch) {
+	case 0x22: /* '"' */
+	case 0x2E: /* '.' */
+	case 0x3B: /* ';' */
+	case 0x5C: /* '\\' */
+	/* Special modifiers in zone files. */
+	case 0x40: /* '@' */
+	case 0x24: /* '$' */
+		return (1);
+	default:
+		return (0);
+	}
+}
+
+/*
+ * printable(ch)
+ *	Thinking in noninternationalized USASCII (per the DNS spec),
+ *	is this character visible and not a space when printed ?
+ * return:
+ *	boolean.
+ */
+static int
+printable(int ch) {
+	return (ch > 0x20 && ch < 0x7f);
+}
+
+/*
+ *	Thinking in noninternationalized USASCII (per the DNS spec),
+ *	convert this character to lower case if it's upper case.
+ */
+static int
+mklower(int ch) {
+	if (ch >= 0x41 && ch <= 0x5A)
+		return (ch + 0x20);
+	return (ch);
+}
+
+/*
+ * dn_find(domain, msg, dnptrs, lastdnptr)
+ *	Search for the counted-label name in an array of compressed names.
+ * return:
+ *	offset from msg if found, or -1.
+ * notes:
+ *	dnptrs is the pointer to the first name on the list,
+ *	not the pointer to the start of the message.
+ */
+static int
+dn_find(const u_char *domain, const u_char *msg,
+	const u_char * const *dnptrs,
+	const u_char * const *lastdnptr)
+{
+	const u_char *dn, *cp, *sp;
+	const u_char * const *cpp;
+	u_int n;
+
+	for (cpp = dnptrs; cpp < lastdnptr; cpp++) {
+		dn = domain;
+		sp = cp = *cpp;
+		while ((n = *cp++) != 0) {
+			/*
+			 * check for indirection
+			 */
+			switch (n & NS_CMPRSFLGS) {
+			case 0:			/* normal case, n == len */
+				if (n != *dn++)
+					goto next;
+				for ((void)NULL; n > 0; n--)
+					if (mklower(*dn++) != mklower(*cp++))
+						goto next;
+				/* Is next root for both ? */
+				if (*dn == '\0' && *cp == '\0')
+					return (sp - msg);
+				if (*dn)
+					continue;
+				goto next;
+
+			case NS_CMPRSFLGS:	/* indirection */
+				cp = msg + (((n & 0x3f) << 8) | *cp);
+				break;
+
+			default:	/* illegal type */
+				errno = EMSGSIZE;
+				return (-1);
+			}
+		}
+ next: ;
+	}
+	errno = ENOENT;
+	return (-1);
+}
diff --git a/contrib/isc-dhcp/minires/ns_parse.c b/contrib/isc-dhcp/minires/ns_parse.c
new file mode 100644
index 0000000..27b06a1
--- /dev/null
+++ b/contrib/isc-dhcp/minires/ns_parse.c
@@ -0,0 +1,204 @@
+/*
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef lint
+static const char rcsid[] = "$Id: ns_parse.c,v 1.2 2001/01/16 22:33:08 mellon Exp $";
+#endif
+
+/* Import. */
+
+#include <sys/types.h>
+
+#include <netinet/in.h>
+#include <sys/socket.h>
+
+#include <errno.h>
+#include <string.h>
+
+#include "minires/minires.h"
+#include "arpa/nameser.h"
+
+/* Forward. */
+
+static void	setsection(ns_msg *msg, ns_sect sect);
+
+/* Macros. */
+
+#define RETERR(err) do { errno = (err); return (-1); } while (0)
+
+/* Public. */
+
+/* These need to be in the same order as the nres.h:ns_flag enum. */
+struct _ns_flagdata _ns_flagdata[16] = {
+	{ 0x8000, 15 },		/* qr. */
+	{ 0x7800, 11 },		/* opcode. */
+	{ 0x0400, 10 },		/* aa. */
+	{ 0x0200, 9 },		/* tc. */
+	{ 0x0100, 8 },		/* rd. */
+	{ 0x0080, 7 },		/* ra. */
+	{ 0x0040, 6 },		/* z. */
+	{ 0x0020, 5 },		/* ad. */
+	{ 0x0010, 4 },		/* cd. */
+	{ 0x000f, 0 },		/* rcode. */
+	{ 0x0000, 0 },		/* expansion (1/6). */
+	{ 0x0000, 0 },		/* expansion (2/6). */
+	{ 0x0000, 0 },		/* expansion (3/6). */
+	{ 0x0000, 0 },		/* expansion (4/6). */
+	{ 0x0000, 0 },		/* expansion (5/6). */
+	{ 0x0000, 0 },		/* expansion (6/6). */
+};
+
+int
+ns_skiprr(const u_char *ptr, const u_char *eom, ns_sect section, int count) {
+	const u_char *optr = ptr;
+
+	for ((void)NULL; count > 0; count--) {
+		int b, rdlength;
+
+		b = dn_skipname(ptr, eom);
+		if (b < 0)
+			RETERR(EMSGSIZE);
+		ptr += b/*Name*/ + NS_INT16SZ/*Type*/ + NS_INT16SZ/*Class*/;
+		if (section != ns_s_qd) {
+			if (ptr + NS_INT32SZ + NS_INT16SZ > eom)
+				RETERR(EMSGSIZE);
+			ptr += NS_INT32SZ/*TTL*/;
+			rdlength = getUShort(ptr);
+			ptr += 2;
+			ptr += rdlength/*RData*/;
+		}
+	}
+	if (ptr > eom)
+		RETERR(EMSGSIZE);
+	return (ptr - optr);
+}
+
+int
+ns_initparse(const u_char *msg, unsigned msglen, ns_msg *handle) {
+	const u_char *eom = msg + msglen;
+	int i;
+
+	memset(handle, 0x5e, sizeof *handle);
+	handle->_msg = msg;
+	handle->_eom = eom;
+	if (msg + NS_INT16SZ > eom)
+		RETERR(EMSGSIZE);
+	handle->_id = getUShort (msg);
+	msg += 2;
+	if (msg + NS_INT16SZ > eom)
+		RETERR(EMSGSIZE);
+	handle->_flags = getUShort (msg);
+	msg += 2;
+	for (i = 0; i < ns_s_max; i++) {
+		if (msg + NS_INT16SZ > eom)
+			RETERR(EMSGSIZE);
+		handle->_counts[i] = getUShort (msg);
+		msg += 2;
+	}
+	for (i = 0; i < ns_s_max; i++)
+		if (handle->_counts[i] == 0)
+			handle->_sections[i] = NULL;
+		else {
+			int b = ns_skiprr(msg, eom, (ns_sect)i,
+					  handle->_counts[i]);
+
+			if (b < 0)
+				return (-1);
+			handle->_sections[i] = msg;
+			msg += b;
+		}
+	if (msg != eom)
+		RETERR(EMSGSIZE);
+	setsection(handle, ns_s_max);
+	return (0);
+}
+
+isc_result_t
+ns_parserr(ns_msg *handle, ns_sect section, int rrnum, ns_rr *rr) {
+	int b;
+
+	/* Make section right. */
+	if (section < 0 || section >= ns_s_max)
+		return ISC_R_NOTIMPLEMENTED;
+	if (section != handle->_sect)
+		setsection(handle, section);
+
+	/* Make rrnum right. */
+	if (rrnum == -1)
+		rrnum = handle->_rrnum;
+	if (rrnum < 0 || rrnum >= handle->_counts[(int)section])
+		RETERR(ENODEV);
+	if (rrnum < handle->_rrnum)
+		setsection(handle, section);
+	if (rrnum > handle->_rrnum) {
+		b = ns_skiprr(handle->_ptr, handle->_eom, section,
+			      rrnum - handle->_rrnum);
+
+		if (b < 0)
+			return (-1);
+		handle->_ptr += b;
+		handle->_rrnum = rrnum;
+	}
+
+	/* Do the parse. */
+	b = dn_expand(handle->_msg, handle->_eom,
+		      handle->_ptr, rr->name, NS_MAXDNAME);
+	if (b < 0)
+		return (-1);
+	handle->_ptr += b;
+	if (handle->_ptr + NS_INT16SZ + NS_INT16SZ > handle->_eom)
+		return ISC_R_NOSPACE;
+	rr->type = getUShort (handle->_ptr);
+	handle -> _ptr += 2;
+	rr->rr_class = getUShort (handle->_ptr);
+	handle -> _ptr += 2;
+	if (section == ns_s_qd) {
+		rr->ttl = 0;
+		rr->rdlength = 0;
+		rr->rdata = NULL;
+	} else {
+		if (handle->_ptr + NS_INT32SZ + NS_INT16SZ > handle->_eom)
+			return ISC_R_NOSPACE;
+		rr->ttl = getULong (handle->_ptr);
+		handle -> _ptr += 4;
+		rr->rdlength = getUShort (handle->_ptr);
+		handle -> _ptr += 2;
+		if (handle->_ptr + rr->rdlength > handle->_eom)
+			return ISC_R_NOSPACE;
+		rr->rdata = handle->_ptr;
+		handle->_ptr += rr->rdlength;
+	}
+	if (++handle->_rrnum > handle->_counts[(int)section])
+		setsection(handle, (ns_sect)((int)section + 1));
+
+	/* All done. */
+	return ISC_R_SUCCESS;
+}
+
+/* Private. */
+
+static void
+setsection(ns_msg *msg, ns_sect sect) {
+	msg->_sect = sect;
+	if (sect == ns_s_max) {
+		msg->_rrnum = -1;
+		msg->_ptr = NULL;
+	} else {
+		msg->_rrnum = 0;
+		msg->_ptr = msg->_sections[(int)sect];
+	}
+}
diff --git a/contrib/isc-dhcp/minires/ns_samedomain.c b/contrib/isc-dhcp/minires/ns_samedomain.c
new file mode 100644
index 0000000..ac17a52
--- /dev/null
+++ b/contrib/isc-dhcp/minires/ns_samedomain.c
@@ -0,0 +1,210 @@
+/*
+ * Copyright (c) 1995,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef lint
+static const char rcsid[] = "$Id: ns_samedomain.c,v 1.3 2001/01/16 22:33:09 mellon Exp $";
+#endif
+
+#include <sys/types.h>
+#include <errno.h>
+#include <string.h>
+
+#include <netinet/in.h>
+#include <sys/socket.h>
+
+#include "minires/minires.h"
+#include "arpa/nameser.h"
+
+/*
+ * int
+ * ns_samedomain(a, b)
+ *	Check whether a name belongs to a domain.
+ * Inputs:
+ *	a - the domain whose ancestory is being verified
+ *	b - the potential ancestor we're checking against
+ * Return:
+ *	boolean - is a at or below b?
+ * Notes:
+ *	Trailing dots are first removed from name and domain.
+ *	Always compare complete subdomains, not only whether the
+ *	domain name is the trailing string of the given name.
+ *
+ *	"host.foobar.top" lies in "foobar.top" and in "top" and in ""
+ *	but NOT in "bar.top"
+ */
+
+int
+ns_samedomain(const char *a, const char *b) {
+	size_t la, lb;
+	int diff, i, escaped;
+	const char *cp;
+
+	la = strlen(a);
+	lb = strlen(b);
+
+	/* Ignore a trailing label separator (i.e. an unescaped dot) in 'a'. */
+	if (la != 0 && a[la - 1] == '.') {
+		escaped = 0;
+		/* Note this loop doesn't get executed if la==1. */
+		for (i = la - 2; i >= 0; i--)
+			if (a[i] == '\\') {
+				if (escaped)
+					escaped = 0;
+				else
+					escaped = 1;
+			} else
+				break;
+		if (!escaped)
+			la--;
+	}
+
+	/* Ignore a trailing label separator (i.e. an unescaped dot) in 'b'. */
+	if (lb != 0 && b[lb - 1] == '.') {
+		escaped = 0;
+		/* note this loop doesn't get executed if lb==1 */
+		for (i = lb - 2; i >= 0; i--)
+			if (b[i] == '\\') {
+				if (escaped)
+					escaped = 0;
+				else
+					escaped = 1;
+			} else
+				break;
+		if (!escaped)
+			lb--;
+	}
+
+	/* lb == 0 means 'b' is the root domain, so 'a' must be in 'b'. */
+	if (lb == 0)
+		return (1);
+
+	/* 'b' longer than 'a' means 'a' can't be in 'b'. */
+	if (lb > la)
+		return (0);
+
+	/* 'a' and 'b' being equal at this point indicates sameness. */
+	if (lb == la)
+		return (strncasecmp(a, b, lb) == 0);
+
+	/* Ok, we know la > lb. */
+
+	diff = la - lb;
+
+	/*
+	 * If 'a' is only 1 character longer than 'b', then it can't be
+	 * a subdomain of 'b' (because of the need for the '.' label
+	 * separator).
+	 */
+	if (diff < 2)
+		return (0);
+
+	/*
+	 * If the character before the last 'lb' characters of 'b'
+	 * isn't '.', then it can't be a match (this lets us avoid
+	 * having "foobar.com" match "bar.com").
+	 */
+	if (a[diff - 1] != '.')
+		return (0);
+
+	/*
+	 * We're not sure about that '.', however.  It could be escaped
+         * and thus not a really a label separator.
+	 */
+	escaped = 0;
+	for (i = diff - 2; i >= 0; i--)
+		if (a[i] == '\\') {
+			if (escaped)
+				escaped = 0;
+			else
+				escaped = 1;
+		} else
+			break;
+	if (escaped)
+		return (0);
+	  
+	/* Now compare aligned trailing substring. */
+	cp = a + diff;
+	return (strncasecmp(cp, b, lb) == 0);
+}
+
+/*
+ * int
+ * ns_subdomain(a, b)
+ *	is "a" a subdomain of "b"?
+ */
+int
+ns_subdomain(const char *a, const char *b) {
+	return (ns_samename(a, b) != 1 && ns_samedomain(a, b));
+}
+
+/*
+ * int
+ * ns_makecanon(src, dst, dstsize)
+ *	make a canonical copy of domain name "src"
+ * notes:
+ *	foo -> foo.
+ *	foo. -> foo.
+ *	foo.. -> foo.
+ *	foo\. -> foo\..
+ *	foo\\. -> foo\\.
+ */
+
+isc_result_t
+ns_makecanon(const char *src, char *dst, size_t dstsize) {
+	size_t n = strlen(src);
+
+	if (n + sizeof "." > dstsize) {
+		ISC_R_NOSPACE;
+	}
+	strcpy(dst, src);
+	while (n > 0 && dst[n - 1] == '.')		/* Ends in "." */
+		if (n > 1 && dst[n - 2] == '\\' &&	/* Ends in "\." */
+		    (n < 2 || dst[n - 3] != '\\'))	/* But not "\\." */
+			break;
+		else
+			dst[--n] = '\0';
+	dst[n++] = '.';
+	dst[n] = '\0';
+	return ISC_R_SUCCESS;
+}
+
+/*
+ * int
+ * ns_samename(a, b)
+ *	determine whether domain name "a" is the same as domain name "b"
+ * return:
+ *	-1 on error
+ *	0 if names differ
+ *	1 if names are the same
+ */
+
+int
+ns_samename(const char *a, const char *b) {
+	char ta[NS_MAXDNAME], tb[NS_MAXDNAME];
+	isc_result_t status;
+
+	status = ns_makecanon(a, ta, sizeof ta);
+	if (status != ISC_R_SUCCESS)
+		return status;
+	status = ns_makecanon(b, tb, sizeof tb);
+	if (status != ISC_R_SUCCESS)
+		return (-1);
+	if (strcasecmp(ta, tb) == 0)
+		return (1);
+	else
+		return (0);
+}
diff --git a/contrib/isc-dhcp/minires/ns_sign.c b/contrib/isc-dhcp/minires/ns_sign.c
new file mode 100644
index 0000000..6570c66
--- /dev/null
+++ b/contrib/isc-dhcp/minires/ns_sign.c
@@ -0,0 +1,356 @@
+/*
+ * Copyright (c) 1999-2001 by Internet Software Consortium, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef lint
+static const char rcsid[] = "$Id: ns_sign.c,v 1.4.2.1 2001/05/17 20:47:33 mellon Exp $";
+#endif
+
+#if defined (TRACING)
+#define time(x)		trace_mr_time (x)
+time_t trace_mr_time (time_t *);
+#endif
+
+/* Import. */
+
+#include <sys/types.h>
+#include <sys/param.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/socket.h>
+
+#include <errno.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <time.h>
+
+#include "minires/minires.h"
+#include "arpa/nameser.h"
+
+#include <isc-dhcp/dst.h>
+
+#define BOUNDS_CHECK(ptr, count) \
+	do { \
+		if ((ptr) + (count) > eob) { \
+			return ISC_R_NOSPACE; \
+		} \
+	} while (0)
+
+/* ns_sign
+ * Parameters:
+ *	msg		message to be sent
+ *	msglen		input - length of message
+ *			output - length of signed message
+ *	msgsize		length of buffer containing message
+ *	error		value to put in the error field
+ *	key		tsig key used for signing
+ *	querysig	(response), the signature in the query
+ *	querysiglen	(response), the length of the signature in the query
+ *	sig		a buffer to hold the generated signature
+ *	siglen		input - length of signature buffer
+ *			output - length of signature
+ *
+ * Errors:
+ *	- bad input data (-1)
+ *	- bad key / sign failed (-BADKEY)
+ *	- not enough space (NS_TSIG_ERROR_NO_SPACE)
+ */
+isc_result_t
+ns_sign(u_char *msg, unsigned *msglen, unsigned msgsize, int error, void *k,
+	const u_char *querysig, unsigned querysiglen, u_char *sig,
+	unsigned *siglen, time_t in_timesigned)
+{
+	HEADER *hp = (HEADER *)msg;
+	DST_KEY *key = (DST_KEY *)k;
+	u_char *cp = msg + *msglen, *eob = msg + msgsize;
+	u_char *lenp;
+	u_char *name, *alg;
+	unsigned n;
+	time_t timesigned;
+
+	dst_init();
+	if (msg == NULL || msglen == NULL || sig == NULL || siglen == NULL)
+		ISC_R_INVALIDARG;
+
+	/* Name. */
+	if (key != NULL && error != ns_r_badsig && error != ns_r_badkey)
+		n = dn_comp(key->dk_key_name,
+			    cp, (unsigned)(eob - cp), NULL, NULL);
+	else
+		n = dn_comp("", cp, (unsigned)(eob - cp), NULL, NULL);
+	if (n < 0)
+		return ISC_R_NOSPACE;
+	name = cp;
+	cp += n;
+
+	/* Type, class, ttl, length (not filled in yet). */
+	BOUNDS_CHECK(cp, INT16SZ + INT16SZ + INT32SZ + INT16SZ);
+	PUTSHORT(ns_t_tsig, cp);
+	PUTSHORT(ns_c_any, cp);
+	PUTLONG(0, cp);		/* TTL */
+	lenp = cp;
+	cp += 2;
+
+	/* Alg. */
+	if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
+		if (key->dk_alg != KEY_HMAC_MD5)
+			return ISC_R_BADKEY;
+		n = dn_comp(NS_TSIG_ALG_HMAC_MD5,
+			    cp, (unsigned)(eob - cp), NULL, NULL);
+	}
+	else
+		n = dn_comp("", cp, (unsigned)(eob - cp), NULL, NULL);
+	if (n < 0)
+		ISC_R_NOSPACE;
+	alg = cp;
+	cp += n;
+	
+	/* Time. */
+	BOUNDS_CHECK(cp, INT16SZ + INT32SZ + INT16SZ);
+	PUTSHORT(0, cp);
+	timesigned = time(NULL);
+	if (error != ns_r_badtime)
+		PUTLONG(timesigned, cp);
+	else
+		PUTLONG(in_timesigned, cp);
+	PUTSHORT(NS_TSIG_FUDGE, cp);
+
+	/* Compute the signature. */
+	if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
+		void *ctx;
+		u_char buf[MAXDNAME], *cp2;
+		unsigned n;
+
+		dst_sign_data(SIG_MODE_INIT, key, &ctx, NULL, 0, NULL, 0);
+
+		/* Digest the query signature, if this is a response. */
+		if (querysiglen > 0 && querysig != NULL) {
+			u_int16_t len_n = htons(querysiglen);
+			dst_sign_data(SIG_MODE_UPDATE, key, &ctx,
+				      (u_char *)&len_n, INT16SZ, NULL, 0);
+			dst_sign_data(SIG_MODE_UPDATE, key, &ctx,
+				      querysig, querysiglen, NULL, 0);
+		}
+
+		/* Digest the message. */
+		dst_sign_data(SIG_MODE_UPDATE, key, &ctx, msg, *msglen,
+			      NULL, 0);
+
+		/* Digest the key name. */
+		n = ns_name_ntol(name, buf, sizeof(buf));
+		dst_sign_data(SIG_MODE_UPDATE, key, &ctx, buf, n, NULL, 0);
+
+		/* Digest the class and TTL. */
+		cp2 = buf;
+		PUTSHORT(ns_c_any, cp2);
+		PUTLONG(0, cp2);
+		dst_sign_data(SIG_MODE_UPDATE, key, &ctx,
+			      buf, (unsigned)(cp2-buf), NULL, 0);
+
+		/* Digest the algorithm. */
+		n = ns_name_ntol(alg, buf, sizeof(buf));
+		dst_sign_data(SIG_MODE_UPDATE, key, &ctx, buf, n, NULL, 0);
+
+		/* Digest the time signed, fudge, error, and other data */
+		cp2 = buf;
+		PUTSHORT(0, cp2);	/* Top 16 bits of time */
+		if (error != ns_r_badtime)
+			PUTLONG(timesigned, cp2);
+		else
+			PUTLONG(in_timesigned, cp2);
+		PUTSHORT(NS_TSIG_FUDGE, cp2);
+		PUTSHORT(error, cp2);	/* Error */
+		if (error != ns_r_badtime)
+			PUTSHORT(0, cp2);	/* Other data length */
+		else {
+			PUTSHORT(INT16SZ+INT32SZ, cp2);	/* Other data length */
+			PUTSHORT(0, cp2);	/* Top 16 bits of time */
+			PUTLONG(timesigned, cp2);
+		}
+		dst_sign_data(SIG_MODE_UPDATE, key, &ctx,
+			      buf, (unsigned)(cp2-buf), NULL, 0);
+
+		n = dst_sign_data(SIG_MODE_FINAL, key, &ctx, NULL, 0,
+				  sig, *siglen);
+		if (n < 0)
+			ISC_R_BADKEY;
+		*siglen = n;
+	} else
+		*siglen = 0;
+
+	/* Add the signature. */
+	BOUNDS_CHECK(cp, INT16SZ + (*siglen));
+	PUTSHORT(*siglen, cp);
+	memcpy(cp, sig, *siglen);
+	cp += (*siglen);
+
+	/* The original message ID & error. */
+	BOUNDS_CHECK(cp, INT16SZ + INT16SZ);
+	PUTSHORT(ntohs(hp->id), cp);	/* already in network order */
+	PUTSHORT(error, cp);
+
+	/* Other data. */
+	BOUNDS_CHECK(cp, INT16SZ);
+	if (error != ns_r_badtime)
+		PUTSHORT(0, cp);	/* Other data length */
+	else {
+		PUTSHORT(INT16SZ+INT32SZ, cp);	/* Other data length */
+		BOUNDS_CHECK(cp, INT32SZ+INT16SZ);
+		PUTSHORT(0, cp);	/* Top 16 bits of time */
+		PUTLONG(timesigned, cp);
+	}
+
+	/* Go back and fill in the length. */
+	PUTSHORT(cp - lenp - INT16SZ, lenp);
+
+	hp->arcount = htons(ntohs(hp->arcount) + 1);
+	*msglen = (cp - msg);
+	return ISC_R_SUCCESS;
+}
+
+#if 0
+isc_result_t
+ns_sign_tcp_init(void *k, const u_char *querysig, unsigned querysiglen,
+		 ns_tcp_tsig_state *state)
+{
+	dst_init();
+	if (state == NULL || k == NULL || querysig == NULL || querysiglen < 0)
+		return ISC_R_INVALIDARG;
+	state->counter = -1;
+	state->key = k;
+	if (state->key->dk_alg != KEY_HMAC_MD5)
+		return ISC_R_BADKEY;
+	if (querysiglen > sizeof(state->sig))
+		return ISC_R_NOSPACE;
+	memcpy(state->sig, querysig, querysiglen);
+	state->siglen = querysiglen;
+	return ISC_R_SUCCESS;
+}
+
+isc_result_t
+ns_sign_tcp(u_char *msg, unsigned *msglen, unsigned msgsize, int error,
+	    ns_tcp_tsig_state *state, int done)
+{
+	u_char *cp, *eob, *lenp;
+	u_char buf[MAXDNAME], *cp2;
+	HEADER *hp = (HEADER *)msg;
+	time_t timesigned;
+	int n;
+
+	if (msg == NULL || msglen == NULL || state == NULL)
+		return ISC_R_INVALIDARG;
+
+	state->counter++;
+	if (state->counter == 0)
+		return ns_sign(msg, msglen, msgsize, error, state->key,
+			       state->sig, state->siglen,
+			       state->sig, &state->siglen, 0);
+
+	if (state->siglen > 0) {
+		u_int16_t siglen_n = htons(state->siglen);
+		dst_sign_data(SIG_MODE_INIT, state->key, &state->ctx,
+			      NULL, 0, NULL, 0);
+		dst_sign_data(SIG_MODE_UPDATE, state->key, &state->ctx,
+			      (u_char *)&siglen_n, INT16SZ, NULL, 0);
+		dst_sign_data(SIG_MODE_UPDATE, state->key, &state->ctx,
+			      state->sig, state->siglen, NULL, 0);
+		state->siglen = 0;
+	}
+
+	dst_sign_data(SIG_MODE_UPDATE, state->key, &state->ctx, msg, *msglen,
+		      NULL, 0);
+
+	if (done == 0 && (state->counter % 100 != 0))
+		return ISC_R_SUCCESS;
+
+	cp = msg + *msglen;
+	eob = msg + msgsize;
+
+	/* Name. */
+	n = dn_comp(state->key->dk_key_name,
+		    cp, (unsigned)(eob - cp), NULL, NULL);
+	if (n < 0)
+		return ISC_R_NOSPACE;
+	cp += n;
+
+	/* Type, class, ttl, length (not filled in yet). */
+	BOUNDS_CHECK(cp, INT16SZ + INT16SZ + INT32SZ + INT16SZ);
+	PUTSHORT(ns_t_tsig, cp);
+	PUTSHORT(ns_c_any, cp);
+	PUTLONG(0, cp);		/* TTL */
+	lenp = cp;
+	cp += 2;
+
+	/* Alg. */
+	n = dn_comp(NS_TSIG_ALG_HMAC_MD5,
+		    cp, (unsigned)(eob - cp), NULL, NULL);
+	if (n < 0)
+		return ISC_R_NOSPACE;
+	cp += n;
+	
+	/* Time. */
+	BOUNDS_CHECK(cp, INT16SZ + INT32SZ + INT16SZ);
+	PUTSHORT(0, cp);
+	timesigned = time(NULL);
+	PUTLONG(timesigned, cp);
+	PUTSHORT(NS_TSIG_FUDGE, cp);
+
+	/*
+	 * Compute the signature.
+	 */
+
+	/* Digest the time signed and fudge. */
+	cp2 = buf;
+	PUTSHORT(0, cp2);	/* Top 16 bits of time */
+	PUTLONG(timesigned, cp2);
+	PUTSHORT(NS_TSIG_FUDGE, cp2);
+
+	dst_sign_data(SIG_MODE_UPDATE, state->key, &state->ctx,
+		      buf, (unsigned)(cp2 - buf), NULL, 0);
+
+	n = dst_sign_data(SIG_MODE_FINAL, state->key, &state->ctx, NULL, 0,
+			  state->sig, sizeof(state->sig));
+	if (n < 0)
+		return ISC_R_BADKEY;
+	state->siglen = n;
+
+	/* Add the signature. */
+	BOUNDS_CHECK(cp, INT16SZ + state->siglen);
+	PUTSHORT(state->siglen, cp);
+	memcpy(cp, state->sig, state->siglen);
+	cp += state->siglen;
+
+	/* The original message ID & error. */
+	BOUNDS_CHECK(cp, INT16SZ + INT16SZ);
+	PUTSHORT(ntohs(hp->id), cp);	/* already in network order */
+	PUTSHORT(error, cp);
+
+	/* Other data. */
+	BOUNDS_CHECK(cp, INT16SZ);
+	PUTSHORT(0, cp);
+
+	/* Go back and fill in the length. */
+	PUTSHORT(cp - lenp - INT16SZ, lenp);
+
+	hp->arcount = htons(ntohs(hp->arcount) + 1);
+	*msglen = (cp - msg);
+	return ISC_R_SUCCESS;
+}
+#endif
diff --git a/contrib/isc-dhcp/minires/ns_verify.c b/contrib/isc-dhcp/minires/ns_verify.c
new file mode 100644
index 0000000..1408da6
--- /dev/null
+++ b/contrib/isc-dhcp/minires/ns_verify.c
@@ -0,0 +1,475 @@
+/*
+ * Copyright (c) 1999-2001 by Internet Software Consortium, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef lint
+static const char rcsid[] = "$Id: ns_verify.c,v 1.5.2.1 2001/05/17 20:47:34 mellon Exp $";
+#endif
+
+#define time(x)		trace_mr_time (x)
+
+/* Import. */
+
+#include <sys/types.h>
+#include <sys/param.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/socket.h>
+
+#include <errno.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <time.h>
+
+#include "minires/minires.h"
+#include "arpa/nameser.h"
+#include <isc-dhcp/dst.h>
+
+time_t trace_mr_time (time_t *);
+
+/* Private. */
+
+#define BOUNDS_CHECK(ptr, count) \
+	do { \
+		if ((ptr) + (count) > eom) { \
+			return (NS_TSIG_ERROR_FORMERR); \
+		} \
+	} while (0)
+
+/* Public. */
+
+u_char *
+ns_find_tsig(u_char *msg, u_char *eom) {
+	HEADER *hp = (HEADER *)msg;
+	int n, type;
+	u_char *cp = msg, *start;
+
+	if (msg == NULL || eom == NULL || msg > eom)
+		return (NULL);
+
+	if (cp + HFIXEDSZ >= eom)
+		return (NULL);
+
+	if (hp->arcount == 0)
+		return (NULL);
+
+	cp += HFIXEDSZ;
+
+	n = ns_skiprr(cp, eom, ns_s_qd, ntohs(hp->qdcount));
+	if (n < 0)
+		return (NULL);
+	cp += n;
+
+	n = ns_skiprr(cp, eom, ns_s_an, ntohs(hp->ancount));
+	if (n < 0)
+		return (NULL);
+	cp += n;
+
+	n = ns_skiprr(cp, eom, ns_s_ns, ntohs(hp->nscount));
+	if (n < 0)
+		return (NULL);
+	cp += n;
+
+	n = ns_skiprr(cp, eom, ns_s_ar, ntohs(hp->arcount) - 1);
+	if (n < 0)
+		return (NULL);
+	cp += n;
+
+	start = cp;
+	n = dn_skipname(cp, eom);
+	if (n < 0)
+		return (NULL);
+	cp += n;
+	if (cp + INT16SZ >= eom)
+		return (NULL);
+
+	GETSHORT(type, cp);
+	if (type != ns_t_tsig)
+		return (NULL);
+	return (start);
+}
+
+/* ns_verify
+ * Parameters:
+ *	statp		res stuff
+ *	msg		received message
+ *	msglen		length of message
+ *	key		tsig key used for verifying.
+ *	querysig	(response), the signature in the query
+ *	querysiglen	(response), the length of the signature in the query
+ *	sig		(query), a buffer to hold the signature
+ *	siglen		(query), input - length of signature buffer
+ *				 output - length of signature
+ *
+ * Errors:
+ *	- bad input (-1)
+ *	- invalid dns message (NS_TSIG_ERROR_FORMERR)
+ *	- TSIG is not present (NS_TSIG_ERROR_NO_TSIG)
+ *	- key doesn't match (-ns_r_badkey)
+ *	- TSIG verification fails with BADKEY (-ns_r_badkey)
+ *	- TSIG verification fails with BADSIG (-ns_r_badsig)
+ *	- TSIG verification fails with BADTIME (-ns_r_badtime)
+ *	- TSIG verification succeeds, error set to BAKEY (ns_r_badkey)
+ *	- TSIG verification succeeds, error set to BADSIG (ns_r_badsig)
+ *	- TSIG verification succeeds, error set to BADTIME (ns_r_badtime)
+ */
+isc_result_t
+ns_verify(u_char *msg, unsigned *msglen, void *k,
+	  const u_char *querysig, unsigned querysiglen,
+	  u_char *sig, unsigned *siglen, time_t *timesigned, int nostrip)
+{
+	HEADER *hp = (HEADER *)msg;
+	DST_KEY *key = (DST_KEY *)k;
+	u_char *cp = msg, *eom;
+	char name[MAXDNAME], alg[MAXDNAME];
+	u_char *recstart, *rdatastart;
+	u_char *sigstart, *otherstart;
+	unsigned n;
+	int error;
+	u_int16_t type, length;
+	u_int16_t fudge, sigfieldlen, id, otherfieldlen;
+
+	dst_init();
+	if (msg == NULL || msglen == NULL || *msglen < 0)
+		return ISC_R_INVALIDARG;
+
+	eom = msg + *msglen;
+
+	recstart = ns_find_tsig(msg, eom);
+	if (recstart == NULL)
+		return ISC_R_NO_TSIG;
+
+	cp = recstart;
+
+	/* Read the key name. */
+	n = dn_expand(msg, eom, cp, name, MAXDNAME);
+	if (n < 0)
+		return ISC_R_FORMERR;
+	cp += n;
+
+	/* Read the type. */
+	BOUNDS_CHECK(cp, 2*INT16SZ + INT32SZ + INT16SZ);
+	GETSHORT(type, cp);
+	if (type != ns_t_tsig)
+		return ISC_R_NO_TSIG;
+
+	/* Skip the class and TTL, save the length. */
+	cp += INT16SZ + INT32SZ;
+	GETSHORT(length, cp);
+	if (eom - cp != length)
+		return ISC_R_FORMERR;
+
+	/* Read the algorithm name. */
+	rdatastart = cp;
+	n = dn_expand(msg, eom, cp, alg, MAXDNAME);
+	if (n < 0)
+		return ISC_R_FORMERR;
+	if (ns_samename(alg, NS_TSIG_ALG_HMAC_MD5) != 1)
+		return ISC_R_INVALIDKEY;
+	cp += n;
+
+	/* Read the time signed and fudge. */
+	BOUNDS_CHECK(cp, INT16SZ + INT32SZ + INT16SZ);
+	cp += INT16SZ;
+	GETLONG((*timesigned), cp);
+	GETSHORT(fudge, cp);
+
+	/* Read the signature. */
+	BOUNDS_CHECK(cp, INT16SZ);
+	GETSHORT(sigfieldlen, cp);
+	BOUNDS_CHECK(cp, sigfieldlen);
+	sigstart = cp;
+	cp += sigfieldlen;
+
+	/* Read the original id and error. */
+	BOUNDS_CHECK(cp, 2*INT16SZ);
+	GETSHORT(id, cp);
+	GETSHORT(error, cp);
+
+	/* Parse the other data. */
+	BOUNDS_CHECK(cp, INT16SZ);
+	GETSHORT(otherfieldlen, cp);
+	BOUNDS_CHECK(cp, otherfieldlen);
+	otherstart = cp;
+	cp += otherfieldlen;
+
+	if (cp != eom)
+		return ISC_R_FORMERR;
+
+	/* Verify that the key used is OK. */
+	if (key != NULL) {
+		if (key->dk_alg != KEY_HMAC_MD5)
+			return ISC_R_INVALIDKEY;
+		if (error != ns_r_badsig && error != ns_r_badkey) {
+			if (ns_samename(key->dk_key_name, name) != 1)
+				return ISC_R_INVALIDKEY;
+		}
+	}
+
+	hp->arcount = htons(ntohs(hp->arcount) - 1);
+
+	/*
+	 * Do the verification.
+	 */
+
+	if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
+		void *ctx;
+		u_char buf[MAXDNAME];
+
+		/* Digest the query signature, if this is a response. */
+		dst_verify_data(SIG_MODE_INIT, key, &ctx, NULL, 0, NULL, 0);
+		if (querysiglen > 0 && querysig != NULL) {
+			u_int16_t len_n = htons(querysiglen);
+			dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
+					(u_char *)&len_n, INT16SZ, NULL, 0);
+			dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
+					querysig, querysiglen, NULL, 0);
+		}
+		
+ 		/* Digest the message. */
+		dst_verify_data(SIG_MODE_UPDATE, key, &ctx, msg,
+				(unsigned)(recstart - msg), NULL, 0);
+
+		/* Digest the key name. */
+		n = ns_name_ntol(recstart, buf, sizeof(buf));
+		dst_verify_data(SIG_MODE_UPDATE, key, &ctx, buf, n, NULL, 0);
+
+		/* Digest the class and TTL. */
+		dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
+				recstart + dn_skipname(recstart, eom) + INT16SZ,
+				INT16SZ + INT32SZ, NULL, 0);
+
+		/* Digest the algorithm. */
+		n = ns_name_ntol(rdatastart, buf, sizeof(buf));
+		dst_verify_data(SIG_MODE_UPDATE, key, &ctx, buf, n, NULL, 0);
+
+		/* Digest the time signed and fudge. */
+		dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
+				rdatastart + dn_skipname(rdatastart, eom),
+				INT16SZ + INT32SZ + INT16SZ, NULL, 0);
+
+		/* Digest the error and other data. */
+		dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
+				otherstart - INT16SZ - INT16SZ,
+				(unsigned)otherfieldlen + INT16SZ + INT16SZ,
+				NULL, 0);
+
+		n = dst_verify_data(SIG_MODE_FINAL, key, &ctx, NULL, 0,
+				    sigstart, sigfieldlen);
+
+		if (n < 0)
+			return ISC_R_BADSIG;
+
+		if (sig != NULL && siglen != NULL) {
+			if (*siglen < sigfieldlen)
+				return ISC_R_NOSPACE;
+			memcpy(sig, sigstart, sigfieldlen);
+			*siglen = sigfieldlen;
+		}
+	} else {
+		if (sigfieldlen > 0)
+			return ISC_R_FORMERR;
+		if (sig != NULL && siglen != NULL)
+			*siglen = 0;
+	}
+
+	/* Reset the counter, since we still need to check for badtime. */
+	hp->arcount = htons(ntohs(hp->arcount) + 1);
+
+	/* Verify the time. */
+	if (abs((*timesigned) - time(NULL)) > fudge)
+		return ISC_R_BADTIME;
+
+	if (nostrip == 0) {
+		*msglen = recstart - msg;
+		hp->arcount = htons(ntohs(hp->arcount) - 1);
+	}
+
+	if (error != NOERROR)
+		return ns_rcode_to_isc (error);
+
+	return ISC_R_SUCCESS;
+}
+
+#if 0
+isc_result_t
+ns_verify_tcp_init(void *k, const u_char *querysig, unsigned querysiglen,
+		   ns_tcp_tsig_state *state)
+{
+	dst_init();
+	if (state == NULL || k == NULL || querysig == NULL || querysiglen < 0)
+		return ISC_R_INVALIDARG;
+	state->counter = -1;
+	state->key = k;
+	if (state->key->dk_alg != KEY_HMAC_MD5)
+		return ISC_R_BADKEY;
+	if (querysiglen > sizeof(state->sig))
+		return ISC_R_NOSPACE;
+	memcpy(state->sig, querysig, querysiglen);
+	state->siglen = querysiglen;
+	return ISC_R_SUCCESS;
+}
+
+isc_result_t
+ns_verify_tcp(u_char *msg, unsigned *msglen, ns_tcp_tsig_state *state,
+	      int required)
+{
+	HEADER *hp = (HEADER *)msg;
+	u_char *recstart, *rdatastart, *sigstart;
+	unsigned sigfieldlen, otherfieldlen;
+	u_char *cp, *eom = msg + *msglen, *cp2;
+	char name[MAXDNAME], alg[MAXDNAME];
+	u_char buf[MAXDNAME];
+	int n, type, length, fudge, id, error;
+	time_t timesigned;
+
+	if (msg == NULL || msglen == NULL || state == NULL)
+		return ISC_R_INVALIDARG;
+
+	state->counter++;
+	if (state->counter == 0)
+		return (ns_verify(msg, msglen, state->key,
+				  state->sig, state->siglen,
+				  state->sig, &state->siglen, &timesigned, 0));
+
+	if (state->siglen > 0) {
+		u_int16_t siglen_n = htons(state->siglen);
+
+		dst_verify_data(SIG_MODE_INIT, state->key, &state->ctx,
+				NULL, 0, NULL, 0);
+		dst_verify_data(SIG_MODE_UPDATE, state->key, &state->ctx,
+				(u_char *)&siglen_n, INT16SZ, NULL, 0);
+		dst_verify_data(SIG_MODE_UPDATE, state->key, &state->ctx,
+				state->sig, state->siglen, NULL, 0);
+		state->siglen = 0;
+	}
+
+	cp = recstart = ns_find_tsig(msg, eom);
+
+	if (recstart == NULL) {
+		if (required)
+			return ISC_R_NO_TSIG;
+		dst_verify_data(SIG_MODE_UPDATE, state->key, &state->ctx,
+				msg, *msglen, NULL, 0);
+		return ISC_R_SUCCESS;
+	}
+
+	hp->arcount = htons(ntohs(hp->arcount) - 1);
+	dst_verify_data(SIG_MODE_UPDATE, state->key, &state->ctx,
+			msg, (unsigned)(recstart - msg), NULL, 0);
+	
+	/* Read the key name. */
+	n = dn_expand(msg, eom, cp, name, MAXDNAME);
+	if (n < 0)
+		return ISC_R_FORMERR;
+	cp += n;
+
+	/* Read the type. */
+	BOUNDS_CHECK(cp, 2*INT16SZ + INT32SZ + INT16SZ);
+	GETSHORT(type, cp);
+	if (type != ns_t_tsig)
+		return ISC_R_NO_TSIG;
+
+	/* Skip the class and TTL, save the length. */
+	cp += INT16SZ + INT32SZ;
+	GETSHORT(length, cp);
+	if (eom - cp != length)
+		return ISC_R_FORMERR;
+
+	/* Read the algorithm name. */
+	rdatastart = cp;
+	n = dn_expand(msg, eom, cp, alg, MAXDNAME);
+	if (n < 0)
+		return ISC_R_FORMERR;
+	if (ns_samename(alg, NS_TSIG_ALG_HMAC_MD5) != 1)
+		return ISC_R_BADKEY;
+	cp += n;
+
+	/* Verify that the key used is OK. */
+	if ((ns_samename(state->key->dk_key_name, name) != 1 ||
+	     state->key->dk_alg != KEY_HMAC_MD5))
+		return ISC_R_BADKEY;
+
+	/* Read the time signed and fudge. */
+	BOUNDS_CHECK(cp, INT16SZ + INT32SZ + INT16SZ);
+	cp += INT16SZ;
+	GETLONG(timesigned, cp);
+	GETSHORT(fudge, cp);
+
+	/* Read the signature. */
+	BOUNDS_CHECK(cp, INT16SZ);
+	GETSHORT(sigfieldlen, cp);
+	BOUNDS_CHECK(cp, sigfieldlen);
+	sigstart = cp;
+	cp += sigfieldlen;
+
+	/* Read the original id and error. */
+	BOUNDS_CHECK(cp, 2*INT16SZ);
+	GETSHORT(id, cp);
+	GETSHORT(error, cp);
+
+	/* Parse the other data. */
+	BOUNDS_CHECK(cp, INT16SZ);
+	GETSHORT(otherfieldlen, cp);
+	BOUNDS_CHECK(cp, otherfieldlen);
+	cp += otherfieldlen;
+
+	if (cp != eom)
+		return ISC_R_FORMERR;
+
+	/*
+	 * Do the verification.
+	 */
+
+	/* Digest the time signed and fudge. */
+	cp2 = buf;
+	PUTSHORT(0, cp2);       /* Top 16 bits of time. */
+	PUTLONG(timesigned, cp2);
+	PUTSHORT(NS_TSIG_FUDGE, cp2);
+
+	dst_verify_data(SIG_MODE_UPDATE, state->key, &state->ctx,
+			buf, (unsigned)(cp2 - buf), NULL, 0);
+
+	n = dst_verify_data(SIG_MODE_FINAL, state->key, &state->ctx, NULL, 0,
+			    sigstart, sigfieldlen);
+	if (n < 0)
+		return ISC_R_BADSIG;
+
+	if (sigfieldlen > sizeof(state->sig))
+		return ISC_R_BADSIG;
+
+	if (sigfieldlen > sizeof(state->sig))
+		return ISC_R_NOSPACE;
+
+	memcpy(state->sig, sigstart, sigfieldlen);
+	state->siglen = sigfieldlen;
+
+	/* Verify the time. */
+	if (abs(timesigned - time(NULL)) > fudge)
+		return ISC_R_BADTIME;
+
+	*msglen = recstart - msg;
+
+	if (error != NOERROR)
+		return ns_rcode_to_isc (error);
+
+	return ISC_R_SUCCESS;
+}
+#endif
diff --git a/contrib/isc-dhcp/minires/res_comp.c b/contrib/isc-dhcp/minires/res_comp.c
new file mode 100644
index 0000000..4ca538e
--- /dev/null
+++ b/contrib/isc-dhcp/minires/res_comp.c
@@ -0,0 +1,236 @@
+/*
+ * Copyright (c) 1985, 1993
+ *    The Regents of the University of California.  All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ * 	This product includes software developed by the University of
+ * 	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Portions Copyright (c) 1993 by Digital Equipment Corporation.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies, and that
+ * the name of Digital Equipment Corporation not be used in advertising or
+ * publicity pertaining to distribution of the document or software without
+ * specific, written prior permission.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.   IN NO EVENT SHALL DIGITAL EQUIPMENT
+ * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*
+ * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)res_comp.c	8.1 (Berkeley) 6/4/93";
+static const char rcsid[] = "$Id: res_comp.c,v 1.2 2000/02/02 19:59:16 mellon Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <netinet/in.h>
+#include <ctype.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/socket.h>
+
+#include "minires/minires.h"
+#include "arpa/nameser.h"
+
+/*
+ * Expand compressed domain name 'comp_dn' to full domain name.
+ * 'msg' is a pointer to the begining of the message,
+ * 'eomorig' points to the first location after the message,
+ * 'exp_dn' is a pointer to a buffer of size 'length' for the result.
+ * Return size of compressed name or -1 if there was an error.
+ */
+int
+dn_expand(const u_char *msg, const u_char *eom, const u_char *src,
+	  char *dst, unsigned dstsiz)
+{
+	int n = ns_name_uncompress(msg, eom, src, dst, (size_t)dstsiz);
+
+	if (n > 0 && dst[0] == '.')
+		dst[0] = '\0';
+	return (n);
+}
+
+/*
+ * Pack domain name 'exp_dn' in presentation form into 'comp_dn'.
+ * Return the size of the compressed name or -1.
+ * 'length' is the size of the array pointed to by 'comp_dn'.
+ */
+int
+dn_comp(const char *src, u_char *dst, unsigned dstsiz,
+	u_char **dnptrs, u_char **lastdnptr)
+{
+	return (ns_name_compress(src, dst, (size_t)dstsiz,
+				 (const u_char **)dnptrs,
+				 (const u_char **)lastdnptr));
+}
+
+/*
+ * Skip over a compressed domain name. Return the size or -1.
+ */
+int
+dn_skipname(const u_char *ptr, const u_char *eom) {
+	const u_char *saveptr = ptr;
+
+	if (ns_name_skip(&ptr, eom) == -1)
+		return (-1);
+	return (ptr - saveptr);
+}
+
+/*
+ * Verify that a domain name uses an acceptable character set.
+ */
+
+#if 0
+/*
+ * Note the conspicuous absence of ctype macros in these definitions.  On
+ * non-ASCII hosts, we can't depend on string literals or ctype macros to
+ * tell us anything about network-format data.  The rest of the BIND system
+ * is not careful about this, but for some reason, we're doing it right here.
+ */
+#define PERIOD 0x2e
+#define	hyphenchar(c) ((c) == 0x2d)
+#define bslashchar(c) ((c) == 0x5c)
+#define periodchar(c) ((c) == PERIOD)
+#define asterchar(c) ((c) == 0x2a)
+#define alphachar(c) (((c) >= 0x41 && (c) <= 0x5a) \
+		   || ((c) >= 0x61 && (c) <= 0x7a))
+#define digitchar(c) ((c) >= 0x30 && (c) <= 0x39)
+
+#define borderchar(c) (alphachar(c) || digitchar(c))
+#define middlechar(c) (borderchar(c) || hyphenchar(c))
+#define	domainchar(c) ((c) > 0x20 && (c) < 0x7f)
+
+int
+res_hnok(const char *dn) {
+	int ppch = '\0', pch = PERIOD, ch = *dn++;
+
+	while (ch != '\0') {
+		int nch = *dn++;
+
+		if (periodchar(ch)) {
+			(void)NULL;
+		} else if (periodchar(pch)) {
+			if (!borderchar(ch))
+				return (0);
+		} else if (periodchar(nch) || nch == '\0') {
+			if (!borderchar(ch))
+				return (0);
+		} else {
+			if (!middlechar(ch))
+				return (0);
+		}
+		ppch = pch, pch = ch, ch = nch;
+	}
+	return (1);
+}
+
+/*
+ * hostname-like (A, MX, WKS) owners can have "*" as their first label
+ * but must otherwise be as a host name.
+ */
+int
+res_ownok(const char *dn) {
+	if (asterchar(dn[0])) {
+		if (periodchar(dn[1]))
+			return (res_hnok(dn+2));
+		if (dn[1] == '\0')
+			return (1);
+	}
+	return (res_hnok(dn));
+}
+
+/*
+ * SOA RNAMEs and RP RNAMEs can have any printable character in their first
+ * label, but the rest of the name has to look like a host name.
+ */
+int
+res_mailok(const char *dn) {
+	int ch, escaped = 0;
+
+	/* "." is a valid missing representation */
+	if (*dn == '\0')
+		return (1);
+
+	/* otherwise <label>.<hostname> */
+	while ((ch = *dn++) != '\0') {
+		if (!domainchar(ch))
+			return (0);
+		if (!escaped && periodchar(ch))
+			break;
+		if (escaped)
+			escaped = 0;
+		else if (bslashchar(ch))
+			escaped = 1;
+	}
+	if (periodchar(ch))
+		return (res_hnok(dn));
+	return (0);
+}
+
+/*
+ * This function is quite liberal, since RFC 1034's character sets are only
+ * recommendations.
+ */
+int
+res_dnok(const char *dn) {
+	int ch;
+
+	while ((ch = *dn++) != '\0')
+		if (!domainchar(ch))
+			return (0);
+	return (1);
+}
+#endif
diff --git a/contrib/isc-dhcp/minires/res_findzonecut.c b/contrib/isc-dhcp/minires/res_findzonecut.c
new file mode 100644
index 0000000..fc86900
--- /dev/null
+++ b/contrib/isc-dhcp/minires/res_findzonecut.c
@@ -0,0 +1,608 @@
+#if !defined(lint) && !defined(SABER)
+static const char rcsid[] = "$Id: res_findzonecut.c,v 1.14.2.1 2001/05/17 20:47:35 mellon Exp $";
+#endif /* not lint */
+
+/*
+ * Copyright (c) 1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/* Import. */
+
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <errno.h>
+#include <limits.h>
+#include <netdb.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc-dhcp/list.h>
+
+#include "minires/minires.h"
+#include "arpa/nameser.h"
+
+/* Data structures. */
+
+typedef struct rr_a {
+	ISC_LINK(struct rr_a)	link;
+	struct in_addr		addr;
+} rr_a;
+typedef ISC_LIST(rr_a) rrset_a;
+
+typedef struct rr_ns {
+	ISC_LINK(struct rr_ns) link;
+	char *name;
+	rrset_a addrs;
+} rr_ns;
+typedef ISC_LIST(rr_ns) rrset_ns;
+
+/* Forward. */
+
+static int	satisfy(res_state,
+			const char *, rrset_ns *, struct in_addr *, int);
+static int	add_addrs(res_state, rr_ns *, struct in_addr *, int);
+static ns_rcode	get_soa(res_state, const char *, ns_class,
+			char *, size_t, char *, size_t,
+			rrset_ns *);
+static isc_result_t get_ns(res_state, const char *, ns_class, rrset_ns *);
+static isc_result_t get_glue(res_state, ns_class, rrset_ns *);
+static isc_result_t save_ns(res_state, ns_msg *, ns_sect,
+			    const char *, ns_class, rrset_ns *);
+static isc_result_t save_a(res_state, ns_msg *, ns_sect,
+			   const char *, ns_class, rrset_a *);
+static void	free_nsrrset(rrset_ns *);
+static void	free_nsrr(rrset_ns *, rr_ns *);
+static rr_ns *	find_ns(rrset_ns *, const char *);
+static isc_result_t do_query(res_state, const char *, ns_class, ns_type,
+			     double *, ns_msg *, int *);
+
+/* Public. */
+
+/*
+ * int
+ * res_findzonecut(res, dname, class, zname, zsize, addrs, naddrs)
+ *	find enclosing zone for a <dname,class>, and some server addresses
+ * parameters:
+ *	res - resolver context to work within (is modified)
+ *	dname - domain name whose enclosing zone is desired
+ *	class - class of dname (and its enclosing zone)
+ *	zname - found zone name
+ *	zsize - allocated size of zname
+ *	addrs - found server addresses
+ *	naddrs - max number of addrs
+ * return values:
+ *	< 0 - an error occurred (check errno)
+ *	= 0 - zname is now valid, but addrs[] wasn't changed
+ *	> 0 - zname is now valid, and return value is number of addrs[] found
+ * notes:
+ *	this function calls res_nsend() which means it depends on correctly
+ *	functioning recursive nameservers (usually defined in /etc/resolv.conf
+ *	or its local equivilent).
+ *
+ *	we start by asking for an SOA<dname,class>.  if we get one as an
+ *	answer, that just means <dname,class> is a zone top, which is fine.
+ *	more than likely we'll be told to go pound sand, in the form of a
+ *	negative answer.
+ *
+ *	note that we are not prepared to deal with referrals since that would
+ *	only come from authority servers and our correctly functioning local
+ *	recursive server would have followed the referral and got us something
+ *	more definite.
+ *
+ *	if the authority section contains an SOA, this SOA should also be the
+ *	closest enclosing zone, since any intermediary zone cuts would've been
+ *	returned as referrals and dealt with by our correctly functioning local
+ *	recursive name server.  but an SOA in the authority section should NOT
+ *	match our dname (since that would have been returned in the answer
+ *	section).  an authority section SOA has to be "above" our dname.
+ *
+ *	we cannot fail to find an SOA in this way.  ultimately we'll return
+ *	a zname indicating the root zone if that's the closest enclosing zone.
+ *	however, since authority section SOA's were once optional, it's
+ *	possible that we'll have to go hunting for the enclosing SOA by
+ *	ripping labels off the front of our dname -- this is known as "doing
+ *	it the hard way."
+ *
+ *	ultimately we want some server addresses, which are ideally the ones
+ *	pertaining to the SOA.MNAME, but only if there is a matching NS RR.
+ *	so the second phase (after we find an SOA) is to go looking for the
+ *	NS RRset for that SOA's zone.
+ *
+ *	no answer section processed by this code is allowed to contain CNAME
+ *	or DNAME RR's.  for the SOA query this means we strip a label and
+ *	keep going.  for the NS and A queries this means we just give up.
+ */
+
+isc_result_t
+res_findzonecut(res_state statp, const char *dname, ns_class class, int opts,
+		char *zname, size_t zsize, struct in_addr *addrs, int naddrs,
+		int *count, void *zcookie)
+{
+	char mname[NS_MAXDNAME];
+	u_long save_pfcode;
+	rrset_ns nsrrs;
+	int n = 0;
+	isc_result_t rcode;
+
+	DPRINTF(("START dname='%s' class=%s, zsize=%ld, naddrs=%d",
+		 dname, p_class(class), (long)zsize, naddrs));
+	save_pfcode = statp->pfcode;
+	statp->pfcode |= RES_PRF_HEAD2 | RES_PRF_HEAD1 | RES_PRF_HEADX |
+			 RES_PRF_QUES | RES_PRF_ANS |
+			 RES_PRF_AUTH | RES_PRF_ADD;
+	ISC_LIST_INIT(nsrrs);
+
+	DPRINTF (("look for a predefined zone statement"));
+	rcode = find_cached_zone (dname, class, zname, zsize,
+				  addrs, naddrs, &n, zcookie);
+	if (rcode == ISC_R_SUCCESS)
+		goto done;
+
+	DPRINTF(("get the soa, and see if it has enough glue"));
+	if ((rcode = get_soa(statp, dname, class, zname, zsize,
+			     mname, sizeof mname, &nsrrs)) != ISC_R_SUCCESS ||
+	    ((opts & RES_EXHAUSTIVE) == 0 &&
+	     (n = satisfy(statp, mname, &nsrrs, addrs, naddrs)) > 0))
+		goto done;
+
+	DPRINTF(("get the ns rrset and see if it has enough glue"));
+	if ((rcode = get_ns(statp, zname, class, &nsrrs)) != ISC_R_SUCCESS ||
+	    ((opts & RES_EXHAUSTIVE) == 0 &&
+	     (n = satisfy(statp, mname, &nsrrs, addrs, naddrs)) > 0))
+		goto done;
+
+	DPRINTF(("get the missing glue and see if it's finally enough"));
+	if ((rcode = get_glue(statp, class, &nsrrs)) == ISC_R_SUCCESS)
+		n = satisfy(statp, mname, &nsrrs, addrs, naddrs);
+
+	/* If we found the zone, cache it. */
+	if (n > 0)
+		cache_found_zone (class, zname, addrs, n);
+ done:
+	DPRINTF(("FINISH n=%d (%s)", n, (n < 0) ? strerror(errno) : "OK"));
+	free_nsrrset(&nsrrs);
+	statp->pfcode = save_pfcode;
+	if (count)
+		*count = n;
+	return rcode;
+}
+
+/* Private. */
+
+static int
+satisfy(res_state statp,
+	const char *mname, rrset_ns *nsrrsp, struct in_addr *addrs, int naddrs)
+{
+	rr_ns *nsrr;
+	int n, x;
+
+	n = 0;
+	nsrr = find_ns(nsrrsp, mname);
+	if (nsrr != NULL) {
+		x = add_addrs(statp, nsrr, addrs, naddrs);
+		addrs += x;
+		naddrs -= x;
+		n += x;
+	}
+	for (nsrr = ISC_LIST_HEAD(*nsrrsp);
+	     nsrr != NULL && naddrs > 0;
+	     nsrr = ISC_LIST_NEXT(nsrr, link))
+		if (ns_samename(nsrr->name, mname) != 1) {
+			x = add_addrs(statp, nsrr, addrs, naddrs);
+			addrs += x;
+			naddrs -= x;
+			n += x;
+		}
+	DPRINTF(("satisfy(%s): %d", mname, n));
+	return (n);
+}
+
+static int
+add_addrs(res_state statp, rr_ns *nsrr, struct in_addr *addrs, int naddrs) {
+	rr_a *arr;
+	int n = 0;
+
+	for (arr = ISC_LIST_HEAD(nsrr->addrs);
+	     arr != NULL; arr = ISC_LIST_NEXT(arr, link)) {
+		if (naddrs <= 0)
+			return (0);
+		*addrs++ = arr->addr;
+		naddrs--;
+		n++;
+	}
+	DPRINTF(("add_addrs: %d", n));
+	return (n);
+}
+
+static ns_rcode
+get_soa(res_state statp, const char *dname, ns_class class,
+	char *zname, size_t zsize, char *mname, size_t msize,
+	rrset_ns *nsrrsp)
+{
+	char tname[NS_MAXDNAME];
+	double resp[NS_PACKETSZ / sizeof (double)];
+	int n, i, ancount, nscount;
+	ns_sect sect;
+	ns_msg msg;
+	u_int rcode;
+	isc_result_t status;
+
+	/*
+	 * Find closest enclosing SOA, even if it's for the root zone.
+	 */
+
+	/* First canonicalize dname (exactly one unescaped trailing "."). */
+	status = ns_makecanon(dname, tname, sizeof tname);
+	if (status != ISC_R_SUCCESS)
+		return status;
+	dname = tname;
+
+	/* Now grovel the subdomains, hunting for an SOA answer or auth. */
+	for (;;) {
+		/* Leading or inter-label '.' are skipped here. */
+		while (*dname == '.')
+			dname++;
+
+		/* Is there an SOA? */
+		rcode = do_query(statp, dname, class, ns_t_soa,
+				 resp, &msg, &n);
+		if (rcode != ISC_R_SUCCESS) {
+			DPRINTF(("get_soa: do_query('%s', %s) failed (%d)",
+				 dname, p_class(class), n));
+			return rcode;
+		}
+		if (n > 0) {
+			DPRINTF(("get_soa: CNAME or DNAME found"));
+			sect = ns_s_max, n = 0;
+		} else {
+			ancount = ns_msg_count(msg, ns_s_an);
+			nscount = ns_msg_count(msg, ns_s_ns);
+			if (ancount > 0 && rcode == ISC_R_SUCCESS)
+				sect = ns_s_an, n = ancount;
+			else if (nscount > 0)
+				sect = ns_s_ns, n = nscount;
+			else
+				sect = ns_s_max, n = 0;
+		}
+		for (i = 0; i < n; i++) {
+			const char *t;
+			const u_char *rdata;
+			int rdlen;
+			ns_rr rr;
+
+			rcode = ns_parserr(&msg, sect, i, &rr) < 0;
+			if (rcode != ISC_R_SUCCESS) {
+				DPRINTF(("get_soa: ns_parserr(%s, %d) failed",
+					 p_section(sect, ns_o_query), i));
+				return rcode;
+			}
+			if (ns_rr_type(rr) == ns_t_cname ||
+			    ns_rr_type(rr) == ns_t_dname)
+				break;
+			if (ns_rr_type(rr) != ns_t_soa ||
+			    ns_rr_class(rr) != class)
+				continue;
+			t = ns_rr_name(rr);
+			switch (sect) {
+			case ns_s_an:
+				if (ns_samedomain(dname, t) == 0) {
+					DPRINTF(("get_soa: %s'%s', '%s') == 0",
+						 "ns_samedomain(", dname, t));
+					return ISC_R_NOTZONE;
+				}
+				break;
+			case ns_s_ns:
+				if (ns_samename(dname, t) == 1 ||
+				    ns_samedomain(dname, t) == 0) {
+					DPRINTF(("get_soa: %smain('%s', '%s')",
+						 "ns_samename() || !ns_samedo",
+						 dname, t));
+					return ISC_R_NOTZONE;
+				}
+				break;
+			default:
+				abort();
+			}
+			if (strlen(t) + 1 > zsize) {
+				DPRINTF(("get_soa: zname(%d) too small (%d)",
+					 zsize, strlen(t) + 1));
+				return ISC_R_NOSPACE;
+			}
+			strcpy(zname, t);
+			rdata = ns_rr_rdata(rr);
+			rdlen = ns_rr_rdlen(rr);
+			if (ns_name_uncompress((u_char *)resp,
+					       ns_msg_end(msg), rdata,
+					       mname, msize) < 0) {
+				DPRINTF(("get_soa: %s failed",
+					 "ns_name_uncompress"));
+				return ISC_R_NOMEMORY;
+			}
+			rcode = save_ns(statp, &msg,
+					ns_s_ns, zname, class, nsrrsp);
+			if (rcode != ISC_R_SUCCESS) {
+				DPRINTF(("get_soa: save_ns failed"));
+				return rcode;
+			}
+			return ISC_R_SUCCESS;
+		}
+
+		/* If we're out of labels, then not even "." has an SOA! */
+		if (*dname == '\0')
+			break;
+
+		/* Find label-terminating "."; top of loop will skip it. */
+		while (*dname != '.') {
+			if (*dname == '\\')
+				if (*++dname == '\0') {
+					ISC_R_NOSPACE;
+				}
+			dname++;
+		}
+	}
+	DPRINTF(("get_soa: out of labels"));
+	return ISC_R_DESTADDRREQ;
+}
+
+static isc_result_t
+get_ns(res_state statp, const char *zname, ns_class class, rrset_ns *nsrrsp) {
+	double resp[NS_PACKETSZ / sizeof (double)];
+	ns_msg msg;
+	int n;
+	isc_result_t rcode;
+
+	/* Go and get the NS RRs for this zone. */
+	rcode = do_query(statp, zname, class, ns_t_ns, resp, &msg, &n);
+	if (rcode != ISC_R_SUCCESS) {
+		DPRINTF(("get_ns: do_query('zname', %s) failed (%d)",
+			 zname, p_class(class), rcode));
+		return rcode;
+	}
+
+	/* Remember the NS RRs and associated A RRs that came back. */
+	rcode = save_ns(statp, &msg, ns_s_an, zname, class, nsrrsp);
+	if (rcode != ISC_R_SUCCESS) {
+		DPRINTF(("get_ns save_ns('%s', %s) failed",
+			 zname, p_class(class)));
+		return rcode;
+	}
+
+	return ISC_R_SUCCESS;
+}
+
+static isc_result_t
+get_glue(res_state statp, ns_class class, rrset_ns *nsrrsp) {
+	rr_ns *nsrr, *nsrr_n;
+
+	/* Go and get the A RRs for each empty NS RR on our list. */
+	for (nsrr = ISC_LIST_HEAD(*nsrrsp); nsrr != NULL; nsrr = nsrr_n) {
+		double resp[NS_PACKETSZ / sizeof (double)];
+		ns_msg msg;
+		int n;
+		isc_result_t rcode;
+
+		nsrr_n = ISC_LIST_NEXT(nsrr, link);
+
+		if (ISC_LIST_EMPTY(nsrr->addrs)) {
+			rcode = do_query(statp, nsrr->name, class, ns_t_a,
+					 resp, &msg, &n);
+			if (rcode != ISC_R_SUCCESS) {
+			    DPRINTF(("get_glue: do_query('%s', %s') failed",
+				     nsrr->name, p_class(class)));
+			    return rcode;
+			}
+			if (n > 0) {
+				DPRINTF((
+			"get_glue: do_query('%s', %s') CNAME or DNAME found",
+					 nsrr->name, p_class(class)));
+			}
+			rcode = save_a(statp, &msg, ns_s_an, nsrr->name, class,
+				       &nsrr->addrs);
+			if (rcode != ISC_R_SUCCESS) {
+				DPRINTF(("get_glue: save_r('%s', %s) failed",
+					 nsrr->name, p_class(class)));
+				return rcode;
+			}
+			/* If it's still empty, it's just chaff. */
+			if (ISC_LIST_EMPTY(nsrr->addrs)) {
+				DPRINTF(("get_glue: removing empty '%s' NS",
+					 nsrr->name));
+				free_nsrr(nsrrsp, nsrr);
+			}
+		}
+	}
+	return ISC_R_SUCCESS;
+}
+
+static isc_result_t
+save_ns(res_state statp, ns_msg *msg, ns_sect sect,
+	const char *owner, ns_class class,
+	rrset_ns *nsrrsp)
+{
+	int i;
+	isc_result_t rcode;
+
+	for (i = 0; i < ns_msg_count(*msg, sect); i++) {
+		char tname[MAXDNAME];
+		const u_char *rdata;
+		rr_ns *nsrr;
+		ns_rr rr;
+		int rdlen;
+
+		rcode = ns_parserr(msg, sect, i, &rr);
+		if (rcode != ISC_R_SUCCESS) {
+			DPRINTF(("save_ns: ns_parserr(%s, %d) failed",
+				 p_section(sect, ns_o_query), i));
+			return rcode;
+		}
+		if (ns_rr_type(rr) != ns_t_ns ||
+		    ns_rr_class(rr) != class ||
+		    ns_samename(ns_rr_name(rr), owner) != 1)
+			continue;
+		nsrr = find_ns(nsrrsp, ns_rr_name(rr));
+		if (nsrr == NULL) {
+			nsrr = malloc(sizeof *nsrr);
+			if (nsrr == NULL) {
+				DPRINTF(("save_ns: malloc failed"));
+				return ISC_R_NOMEMORY;
+			}
+			rdata = ns_rr_rdata(rr);
+			rdlen = ns_rr_rdlen(rr);
+			if (ns_name_uncompress(ns_msg_base(*msg),
+					       ns_msg_end(*msg), rdata,
+					       tname, sizeof tname) < 0) {
+				DPRINTF(("save_ns: ns_name_uncompress failed"));
+				free(nsrr);
+				return ISC_R_NOMEMORY;
+			}
+			nsrr->name = strdup(tname);
+			if (nsrr->name == NULL) {
+				DPRINTF(("save_ns: strdup failed"));
+				free(nsrr);
+				return ISC_R_NOMEMORY;
+			}
+			ISC_LIST_INIT(nsrr->addrs);
+			ISC_LIST_APPEND(*nsrrsp, nsrr, link);
+		}
+		rcode = save_a(statp, msg, ns_s_ar,
+			       nsrr->name, class, &nsrr->addrs);
+		if (rcode != ISC_R_SUCCESS) {
+			DPRINTF(("save_ns: save_r('%s', %s) failed",
+				 nsrr->name, p_class(class)));
+			return rcode;
+		}
+	}
+	return ISC_R_SUCCESS;
+}
+
+static isc_result_t
+save_a(res_state statp, ns_msg *msg, ns_sect sect,
+       const char *owner, ns_class class,
+       rrset_a *arrsp)
+{
+	int i;
+	isc_result_t rcode;
+
+	for (i = 0; i < ns_msg_count(*msg, sect); i++) {
+		ns_rr rr;
+		rr_a *arr;
+
+		rcode = ns_parserr(msg, sect, i, &rr);
+		if (rcode != ISC_R_SUCCESS) {
+			DPRINTF(("save_a: ns_parserr(%s, %d) failed",
+				 p_section(sect, ns_o_query), i));
+			return rcode;
+		}
+		if (ns_rr_type(rr) != ns_t_a ||
+		    ns_rr_class(rr) != class ||
+		    ns_samename(ns_rr_name(rr), owner) != 1 ||
+		    ns_rr_rdlen(rr) != NS_INADDRSZ)
+			continue;
+		arr = malloc(sizeof *arr);
+		if (arr == NULL) {
+			DPRINTF(("save_a: malloc failed"));
+			return ISC_R_NOMEMORY;
+		}
+		memcpy(&arr->addr, ns_rr_rdata(rr), NS_INADDRSZ);
+		ISC_LIST_APPEND(*arrsp, arr, link);
+	}
+	return ISC_R_SUCCESS;
+}
+
+static void
+free_nsrrset(rrset_ns *nsrrsp) {
+	rr_ns *nsrr;
+
+	while ((nsrr = ISC_LIST_HEAD(*nsrrsp)) != NULL)
+		free_nsrr(nsrrsp, nsrr);
+}
+
+static void
+free_nsrr(rrset_ns *nsrrsp, rr_ns *nsrr) {
+	rr_a *arr;
+
+	while ((arr = ISC_LIST_HEAD(nsrr->addrs)) != NULL) {
+		ISC_LIST_UNLINK(nsrr->addrs, arr, link);
+		free(arr);
+	}
+	free((char *)nsrr->name);
+	ISC_LIST_UNLINK(*nsrrsp, nsrr, link);
+	free(nsrr);
+}
+
+static rr_ns *
+find_ns(rrset_ns *nsrrsp, const char *dname) {
+	rr_ns *nsrr;
+
+	for (nsrr = ISC_LIST_HEAD(*nsrrsp);
+	     nsrr != NULL; nsrr = ISC_LIST_NEXT(nsrr, link))
+		if (ns_samename(nsrr->name, dname) == 1)
+			return (nsrr);
+	return (NULL);
+}
+
+static isc_result_t
+do_query(res_state statp, const char *dname, ns_class class, ns_type qtype,
+	 double *resp, ns_msg *msg, int *alias_count)
+{
+	double req[NS_PACKETSZ / sizeof (double)];
+	int i;
+	unsigned n;
+	isc_result_t status;
+
+	status = res_nmkquery(statp, ns_o_query, dname, class, qtype,
+			      NULL, 0, NULL, req, NS_PACKETSZ, &n);
+	if (status != ISC_R_SUCCESS) {
+		DPRINTF(("do_query: res_nmkquery failed"));
+		return status;
+	}
+	status = res_nsend(statp, req, n, resp, NS_PACKETSZ, &n);
+	if (status != ISC_R_SUCCESS) {
+		DPRINTF(("do_query: res_nsend failed"));
+		return status;
+	}
+	if (n == 0) {
+		DPRINTF(("do_query: res_nsend returned 0"));
+		return ISC_R_NOTFOUND;
+	}
+	if (ns_initparse((u_char *)resp, n, msg) < 0) {
+		DPRINTF(("do_query: ns_initparse failed"));
+		return ISC_R_NOSPACE;
+	}
+	n = 0;
+	for (i = 0; i < ns_msg_count(*msg, ns_s_an); i++) {
+		ns_rr rr;
+
+		status = ns_parserr(msg, ns_s_an, i, &rr);
+		if (status != ISC_R_SUCCESS) {
+			DPRINTF(("do_query: ns_parserr failed"));
+			return status;
+		}
+		n += (ns_rr_class(rr) == class &&
+		      (ns_rr_type(rr) == ns_t_cname ||
+		       ns_rr_type(rr) == ns_t_dname));
+	}
+	if (alias_count)
+		*alias_count = n;
+	return ISC_R_SUCCESS;
+}
diff --git a/contrib/isc-dhcp/minires/res_init.c b/contrib/isc-dhcp/minires/res_init.c
new file mode 100644
index 0000000..b646b8e
--- /dev/null
+++ b/contrib/isc-dhcp/minires/res_init.c
@@ -0,0 +1,486 @@
+/*
+ * Copyright (c) 1985, 1989, 1993
+ *    The Regents of the University of California.  All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ * 	This product includes software developed by the University of
+ * 	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Portions Copyright (c) 1993 by Digital Equipment Corporation.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies, and that
+ * the name of Digital Equipment Corporation not be used in advertising or
+ * publicity pertaining to distribution of the document or software without
+ * specific, written prior permission.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.   IN NO EVENT SHALL DIGITAL EQUIPMENT
+ * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*
+ * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)res_init.c	8.1 (Berkeley) 6/7/93";
+static const char rcsid[] = "$Id: res_init.c,v 1.4.2.1 2001/06/22 02:57:54 mellon Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "minires/minires.h"
+#include "arpa/nameser.h"
+
+/* Options.  Should all be left alone. */
+#define RESOLVSORT
+#define RFC1535
+#define DEBUG
+
+static void res_setoptions (res_state, const char *, const char *);
+
+#ifdef RESOLVSORT
+static const char sort_mask[] = "/&";
+#define ISSORTMASK(ch) (strchr(sort_mask, ch) != NULL)
+static u_int32_t net_mask (struct in_addr);
+#endif
+
+#if !defined(isascii)	/* XXX - could be a function */
+# define isascii(c) (!(c & 0200))
+#endif
+
+/*
+ * Resolver state default settings.
+ */
+
+/*
+ * Set up default settings.  If the configuration file exist, the values
+ * there will have precedence.  Otherwise, the server address is set to
+ * INADDR_ANY and the default domain name comes from the gethostname().
+ *
+ * An interrim version of this code (BIND 4.9, pre-4.4BSD) used 127.0.0.1
+ * rather than INADDR_ANY ("0.0.0.0") as the default name server address
+ * since it was noted that INADDR_ANY actually meant ``the first interface
+ * you "ifconfig"'d at boot time'' and if this was a SLIP or PPP interface,
+ * it had to be "up" in order for you to reach your own name server.  It
+ * was later decided that since the recommended practice is to always 
+ * install local static routes through 127.0.0.1 for all your network
+ * interfaces, that we could solve this problem without a code change.
+ *
+ * The configuration file should always be used, since it is the only way
+ * to specify a default domain.  If you are running a server on your local
+ * machine, you should say "nameserver 0.0.0.0" or "nameserver 127.0.0.1"
+ * in the configuration file.
+ *
+ * Return 0 if completes successfully, -1 on error
+ */
+extern int minires_vinit(res_state, int);
+
+#if defined (TRACING)
+u_int trace_mr_res_randomid(u_int);
+#endif
+
+int
+res_ninit(res_state statp) {
+
+	return (minires_vinit(statp, 0));
+}
+
+/* This function has to be reachable by res_data.c but not publically. */
+int
+minires_vinit(res_state statp, int preinit) {
+	register FILE *fp;
+	register char *cp, **pp;
+	register int n;
+	char buf[BUFSIZ];
+	int nserv = 0;    /* number of nameserver records read from file */
+	int haveenv = 0;
+	int havesearch = 0;
+#ifdef RESOLVSORT
+	int nsort = 0;
+	char *net;
+#endif
+#ifndef RFC1535
+	int dots;
+#endif
+
+	if (!preinit) {
+		statp->retrans = RES_TIMEOUT;
+		statp->retry = RES_DFLRETRY;
+		statp->options = RES_DEFAULT;
+		statp->id = res_randomid();
+#if defined (TRACING)
+		statp->id = trace_mr_res_randomid (statp -> id);
+#endif
+	}
+
+#ifdef USELOOPBACK
+	statp->nsaddr.sin_addr = inet_makeaddr(IN_LOOPBACKNET, 1);
+#else
+	statp->nsaddr.sin_addr.s_addr = INADDR_ANY;
+#endif
+	statp->nsaddr.sin_family = AF_INET;
+	statp->nsaddr.sin_port = htons(NAMESERVER_PORT);
+	statp->nscount = 1;
+	statp->ndots = 1;
+	statp->pfcode = 0;
+	statp->_sock = -1;
+	statp->_flags = 0;
+	statp->qhook = NULL;
+	statp->rhook = NULL;
+
+	/* Allow user to override the local domain definition */
+	if ((cp = getenv("LOCALDOMAIN")) != NULL) {
+		(void)strncpy(statp->defdname, cp, sizeof(statp->defdname) - 1);
+		statp->defdname[sizeof(statp->defdname) - 1] = '\0';
+		haveenv++;
+
+		/*
+		 * Set search list to be blank-separated strings
+		 * from rest of env value.  Permits users of LOCALDOMAIN
+		 * to still have a search list, and anyone to set the
+		 * one that they want to use as an individual (even more
+		 * important now that the rfc1535 stuff restricts searches)
+		 */
+		cp = statp->defdname;
+		pp = statp->dnsrch;
+		*pp++ = cp;
+		for (n = 0; *cp && pp < statp->dnsrch + MAXDNSRCH; cp++) {
+			if (*cp == '\n')	/* silly backwards compat */
+				break;
+			else if (*cp == ' ' || *cp == '\t') {
+				*cp = 0;
+				n = 1;
+			} else if (n) {
+				*pp++ = cp;
+				n = 0;
+				havesearch = 1;
+			}
+		}
+		/* null terminate last domain if there are excess */
+		while (*cp != '\0' && *cp != ' ' && *cp != '\t' && *cp != '\n')
+			cp++;
+		*cp = '\0';
+		*pp++ = 0;
+	}
+
+#define	MATCH(line, name) \
+	(!strncmp(line, name, sizeof(name) - 1) && \
+	(line[sizeof(name) - 1] == ' ' || \
+	 line[sizeof(name) - 1] == '\t'))
+
+	if ((fp = fopen(_PATH_RESCONF, "r")) != NULL) {
+	    /* read the config file */
+	    while (fgets(buf, sizeof(buf), fp) != NULL) {
+		/* skip comments */
+		if (*buf == ';' || *buf == '#')
+			continue;
+		/* read default domain name */
+		if (MATCH(buf, "domain")) {
+		    if (haveenv)	/* skip if have from environ */
+			    continue;
+		    cp = buf + sizeof("domain") - 1;
+		    while (*cp == ' ' || *cp == '\t')
+			    cp++;
+		    if ((*cp == '\0') || (*cp == '\n'))
+			    continue;
+		    strncpy(statp->defdname, cp, sizeof(statp->defdname) - 1);
+		    statp->defdname[sizeof(statp->defdname) - 1] = '\0';
+		    if ((cp = strpbrk(statp->defdname, " \t\n")) != NULL)
+			    *cp = '\0';
+		    havesearch = 0;
+		    continue;
+		}
+		/* set search list */
+		if (MATCH(buf, "search")) {
+		    if (haveenv)	/* skip if have from environ */
+			    continue;
+		    cp = buf + sizeof("search") - 1;
+		    while (*cp == ' ' || *cp == '\t')
+			    cp++;
+		    if ((*cp == '\0') || (*cp == '\n'))
+			    continue;
+		    strncpy(statp->defdname, cp, sizeof(statp->defdname) - 1);
+		    statp->defdname[sizeof(statp->defdname) - 1] = '\0';
+		    if ((cp = strchr(statp->defdname, '\n')) != NULL)
+			    *cp = '\0';
+		    /*
+		     * Set search list to be blank-separated strings
+		     * on rest of line.
+		     */
+		    cp = statp->defdname;
+		    pp = statp->dnsrch;
+		    *pp++ = cp;
+		    for (n = 0; *cp && pp < statp->dnsrch + MAXDNSRCH; cp++) {
+			    if (*cp == ' ' || *cp == '\t') {
+				    *cp = 0;
+				    n = 1;
+			    } else if (n) {
+				    *pp++ = cp;
+				    n = 0;
+			    }
+		    }
+		    /* null terminate last domain if there are excess */
+		    while (*cp != '\0' && *cp != ' ' && *cp != '\t')
+			    cp++;
+		    *cp = '\0';
+		    *pp++ = 0;
+		    havesearch = 1;
+		    continue;
+		}
+		/* read nameservers to query */
+		if (MATCH(buf, "nameserver") && nserv < MAXNS) {
+		    struct in_addr a;
+
+		    cp = buf + sizeof("nameserver") - 1;
+		    while (*cp == ' ' || *cp == '\t')
+			cp++;
+		    if ((*cp != '\0') && (*cp != '\n') && inet_aton(cp, &a)) {
+			statp->nsaddr_list[nserv].sin_addr = a;
+			statp->nsaddr_list[nserv].sin_family = AF_INET;
+			statp->nsaddr_list[nserv].sin_port =
+				htons(NAMESERVER_PORT);
+			nserv++;
+		    }
+		    continue;
+		}
+#ifdef RESOLVSORT
+		if (MATCH(buf, "sortlist")) {
+		    struct in_addr a;
+
+		    cp = buf + sizeof("sortlist") - 1;
+		    while (nsort < MAXRESOLVSORT) {
+			while (*cp == ' ' || *cp == '\t')
+			    cp++;
+			if (*cp == '\0' || *cp == '\n' || *cp == ';')
+			    break;
+			net = cp;
+			while (*cp && !ISSORTMASK(*cp) && *cp != ';' &&
+			       isascii(*cp) && !isspace(*cp))
+				cp++;
+			n = *cp;
+			*cp = 0;
+			if (inet_aton(net, &a)) {
+			    statp->sort_list[nsort].addr = a;
+			    if (ISSORTMASK(n)) {
+				*cp++ = n;
+				net = cp;
+				while (*cp && *cp != ';' &&
+					isascii(*cp) && !isspace(*cp))
+				    cp++;
+				n = *cp;
+				*cp = 0;
+				if (inet_aton(net, &a)) {
+				    statp->sort_list[nsort].mask = a.s_addr;
+				} else {
+				    statp->sort_list[nsort].mask = 
+					net_mask(statp->sort_list[nsort].addr);
+				}
+			    } else {
+				statp->sort_list[nsort].mask = 
+				    net_mask(statp->sort_list[nsort].addr);
+			    }
+			    nsort++;
+			}
+			*cp = n;
+		    }
+		    continue;
+		}
+#endif
+		if (MATCH(buf, "options")) {
+		    res_setoptions(statp, buf + sizeof("options") - 1, "conf");
+		    continue;
+		}
+	    }
+	    if (nserv > 1) 
+		statp->nscount = nserv;
+#ifdef RESOLVSORT
+	    statp->nsort = nsort;
+#endif
+	    (void) fclose(fp);
+	}
+	if (statp->defdname[0] == 0 &&
+	    gethostname(buf, sizeof(statp->defdname) - 1) == 0 &&
+	    (cp = strchr(buf, '.')) != NULL)
+		strcpy(statp->defdname, cp + 1);
+
+	/* find components of local domain that might be searched */
+	if (havesearch == 0) {
+		pp = statp->dnsrch;
+		*pp++ = statp->defdname;
+		*pp = NULL;
+
+#ifndef RFC1535
+		dots = 0;
+		for (cp = statp->defdname; *cp; cp++)
+			dots += (*cp == '.');
+
+		cp = statp->defdname;
+		while (pp < statp->dnsrch + MAXDFLSRCH) {
+			if (dots < LOCALDOMAINPARTS)
+				break;
+			cp = strchr(cp, '.') + 1;    /* we know there is one */
+			*pp++ = cp;
+			dots--;
+		}
+		*pp = NULL;
+#ifdef DEBUG
+		if (statp->options & RES_DEBUG) {
+			printf(";; res_init()... default dnsrch list:\n");
+			for (pp = statp->dnsrch; *pp; pp++)
+				printf(";;\t%s\n", *pp);
+			printf(";;\t..END..\n");
+		}
+#endif
+#endif /* !RFC1535 */
+	}
+
+	if ((cp = getenv("RES_OPTIONS")) != NULL)
+		res_setoptions(statp, cp, "env");
+	statp->options |= RES_INIT;
+	return (0);
+}
+
+static void
+res_setoptions(res_state statp, const char *options, const char *source) {
+	const char *cp = options;
+	int i;
+
+#ifdef DEBUG
+	if (statp->options & RES_DEBUG)
+		printf(";; res_setoptions(\"%s\", \"%s\")...\n",
+		       options, source);
+#endif
+	while (*cp) {
+		/* skip leading and inner runs of spaces */
+		while (*cp == ' ' || *cp == '\t')
+			cp++;
+		/* search for and process individual options */
+		if (!strncmp(cp, "ndots:", sizeof("ndots:") - 1)) {
+			i = atoi(cp + sizeof("ndots:") - 1);
+			if (i <= RES_MAXNDOTS)
+				statp->ndots = i;
+			else
+				statp->ndots = RES_MAXNDOTS;
+#ifdef DEBUG
+			if (statp->options & RES_DEBUG)
+				printf(";;\tndots=%d\n", statp->ndots);
+#endif
+		} else if (!strncmp(cp, "timeout:", sizeof("timeout:") - 1)) {
+			i = atoi(cp + sizeof("timeout:") - 1);
+			if (i <= RES_MAXRETRANS)
+				statp->retrans = i;
+			else
+				statp->retrans = RES_MAXRETRANS;
+		} else if (!strncmp(cp, "attempts:", sizeof("attempts:") - 1)){
+			i = atoi(cp + sizeof("attempts:") - 1);
+			if (i <= RES_MAXRETRY)
+				statp->retry = i;
+			else
+				statp->retry = RES_MAXRETRY;
+		} else if (!strncmp(cp, "debug", sizeof("debug") - 1)) {
+#ifdef DEBUG
+			if (!(statp->options & RES_DEBUG)) {
+				printf(";; res_setoptions(\"%s\", \"%s\")..\n",
+				       options, source);
+				statp->options |= RES_DEBUG;
+			}
+			printf(";;\tdebug\n");
+#endif
+		} else if (!strncmp(cp, "inet6", sizeof("inet6") - 1)) {
+			statp->options |= RES_USE_INET6;
+		} else if (!strncmp(cp, "rotate", sizeof("rotate") - 1)) {
+			statp->options |= RES_ROTATE;
+		} else if (!strncmp(cp, "no-check-names",
+				    sizeof("no-check-names") - 1)) {
+			statp->options |= RES_NOCHECKNAME;
+		} else {
+			/* XXX - print a warning here? */
+		}
+		/* skip to next run of spaces */
+		while (*cp && *cp != ' ' && *cp != '\t')
+			cp++;
+	}
+}
+
+#ifdef RESOLVSORT
+/* XXX - should really support CIDR which means explicit masks always. */
+static u_int32_t
+net_mask(in)		/* XXX - should really use system's version of this */
+	struct in_addr in;
+{
+	register u_int32_t i = ntohl(in.s_addr);
+
+	if (IN_CLASSA(i))
+		return (htonl(IN_CLASSA_NET));
+	else if (IN_CLASSB(i))
+		return (htonl(IN_CLASSB_NET));
+	return (htonl(IN_CLASSC_NET));
+}
+#endif
+
+u_int
+res_randomid(void) {
+	struct timeval now;
+
+	gettimeofday(&now, NULL);
+	return (0xffff & (now.tv_sec ^ now.tv_usec ^ getpid()));
+}
diff --git a/contrib/isc-dhcp/minires/res_mkquery.c b/contrib/isc-dhcp/minires/res_mkquery.c
new file mode 100644
index 0000000..88fe7e6
--- /dev/null
+++ b/contrib/isc-dhcp/minires/res_mkquery.c
@@ -0,0 +1,193 @@
+/*
+ * Copyright (c) 1985, 1993
+ *    The Regents of the University of California.  All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ * 	This product includes software developed by the University of
+ * 	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Portions Copyright (c) 1993 by Digital Equipment Corporation.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies, and that
+ * the name of Digital Equipment Corporation not be used in advertising or
+ * publicity pertaining to distribution of the document or software without
+ * specific, written prior permission.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.   IN NO EVENT SHALL DIGITAL EQUIPMENT
+ * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*
+ * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)res_mkquery.c	8.1 (Berkeley) 6/4/93";
+static const char rcsid[] = "$Id: res_mkquery.c,v 1.4 2001/01/16 22:33:14 mellon Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/socket.h>
+
+#include "minires/minires.h"
+#include "arpa/nameser.h"
+
+extern const char *_res_opcodes[];
+
+/*
+ * Form all types of queries.
+ * Returns the size of the result or -1.
+ */
+isc_result_t
+res_nmkquery(res_state statp,
+	     int op,			/* opcode of query */
+	     const char *dname,		/* domain name */
+	     ns_class class, ns_type type,	/* class and type of query */
+	     const u_char *data,	/* resource record data */
+	     unsigned datalen,		/* length of data */
+	     const u_char *newrr_in,	/* new rr for modify or append */
+	     double *buf,		/* buffer to put query */
+	     unsigned buflen,		/* size of buffer */
+	     unsigned *rbuflen)		/* returned size of buffer */
+{
+	register HEADER *hp;
+	register u_char *cp;
+	register int n;
+	u_char *dnptrs[20], **dpp, **lastdnptr;
+
+	/*
+	 * Initialize header fields.
+	 */
+	if ((buf == NULL) || (buflen < HFIXEDSZ))
+		return ISC_R_INVALIDARG;
+	memset(buf, 0, HFIXEDSZ);
+	hp = (HEADER *) buf;
+	hp->id = htons(++statp->id);
+	hp->opcode = op;
+	hp->rd = (statp->options & RES_RECURSE) != 0;
+	hp->rcode = NOERROR;
+	cp = ((u_char *)buf) + HFIXEDSZ;
+	buflen -= HFIXEDSZ;
+	dpp = dnptrs;
+	*dpp++ = (u_char *)buf;
+	*dpp++ = NULL;
+	lastdnptr = dnptrs + sizeof dnptrs / sizeof dnptrs[0];
+	/*
+	 * perform opcode specific processing
+	 */
+	switch (op) {
+	case QUERY:	/*FALLTHROUGH*/
+	case NS_NOTIFY_OP:
+		if ((buflen -= QFIXEDSZ) < 0)
+			return ISC_R_NOSPACE;
+		if ((n = dn_comp(dname, cp, buflen, dnptrs, lastdnptr)) < 0)
+			return ISC_R_NOSPACE;
+		cp += n;
+		buflen -= n;
+		putUShort(cp, type);
+		cp += INT16SZ;
+		putUShort(cp, class);
+		cp += INT16SZ;
+		hp->qdcount = htons(1);
+		if (op == QUERY || data == NULL)
+			break;
+		/*
+		 * Make an additional record for completion domain.
+		 */
+		buflen -= RRFIXEDSZ;
+		n = dn_comp((const char *)data, cp, buflen, dnptrs, lastdnptr);
+		if (n < 0)
+			return ISC_R_NOSPACE;
+		cp += n;
+		buflen -= n;
+		putUShort(cp, T_NULL);
+		cp += INT16SZ;
+		putUShort(cp, class);
+		cp += INT16SZ;
+		putULong(cp, 0);
+		cp += INT32SZ;
+		putUShort(cp, 0);
+		cp += INT16SZ;
+		hp->arcount = htons(1);
+		break;
+
+	case IQUERY:
+		/*
+		 * Initialize answer section
+		 */
+		if (buflen < 1 + RRFIXEDSZ + datalen)
+			return ISC_R_NOSPACE;
+		*cp++ = '\0';	/* no domain name */
+		putUShort(cp, type);
+		cp += INT16SZ;
+		putUShort(cp, class);
+		cp += INT16SZ;
+		putULong(cp, 0);
+		cp += INT32SZ;
+		putUShort(cp, datalen);
+		cp += INT16SZ;
+		if (datalen) {
+			memcpy(cp, data, datalen);
+			cp += datalen;
+		}
+		hp->ancount = htons(1);
+		break;
+
+	default:
+		return ISC_R_NOTIMPLEMENTED;
+	}
+	*rbuflen = cp - ((u_char *)buf);
+	return ISC_R_SUCCESS;
+}
diff --git a/contrib/isc-dhcp/minires/res_mkupdate.c b/contrib/isc-dhcp/minires/res_mkupdate.c
new file mode 100644
index 0000000..5520a83
--- /dev/null
+++ b/contrib/isc-dhcp/minires/res_mkupdate.c
@@ -0,0 +1,1101 @@
+/*
+ * Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*
+ * Based on the Dynamic DNS reference implementation by Viraj Bais
+ * <viraj_bais@ccm.fm.intel.com>
+ */
+
+#if !defined(lint) && !defined(SABER)
+static const char rcsid[] = "$Id: res_mkupdate.c,v 1.7 2001/01/11 02:16:24 mellon Exp $";
+#endif /* not lint */
+
+#include <sys/types.h>
+#include <sys/param.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/socket.h>
+
+#include <errno.h>
+#include <limits.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <ctype.h>
+
+#include "minires/minires.h"
+#include "arpa/nameser.h"
+
+/* Options.  Leave them on. */
+#define DEBUG
+#define MAXPORT 1024
+
+static int getnum_str(const u_char **, const u_char *);
+static int gethexnum_str(const u_char **, const u_char *);
+static int getword_str(char *, int,
+		       const unsigned char **,
+		       const unsigned char *);
+static int getstr_str(char *, int, const u_char **, const u_char *);
+
+struct valuelist {
+	struct valuelist *	next;
+	struct valuelist *	prev;
+	char *			name;
+	char *			proto;
+	int			port;
+};
+
+static int findservice(const char *, struct valuelist **);
+static struct servent *cgetservbyport(unsigned, const char *);
+
+#define ShrinkBuffer(x)  if ((buflen -= x) < 0) return (-2);
+
+/* Forward. */
+
+int res_protocolnumber(const char *);
+int res_servicenumber(const char *);
+static struct protoent *cgetprotobynumber(int);
+
+/*
+ * Form update packets.
+ * Returns the size of the resulting packet if no error
+ * On error,
+ *	returns -1 if error in reading a word/number in rdata
+ *		   portion for update packets
+ *		-2 if length of buffer passed is insufficient
+ *		-3 if zone section is not the first section in
+ *		   the linked list, or section order has a problem
+ *		-4 on a number overflow
+ *		-5 unknown operation or no records
+ */
+int
+res_nmkupdate(res_state statp,
+	      ns_updrec *rrecp_in, double *bp, unsigned *blp) {
+	ns_updrec *rrecp_start = rrecp_in;
+	HEADER *hp;
+	u_char *cp, *sp1, *sp2;
+	const unsigned char *startp, *endp;
+	int n, i, soanum, multiline;
+	ns_updrec *rrecp;
+	struct in_addr ina;
+        char buf2[MAXDNAME];
+	u_char buf3[MAXDNAME];
+	int section, numrrs = 0, counts[ns_s_max];
+	u_int16_t rtype, rclass;
+	u_int32_t n1, rttl;
+	u_char *dnptrs[20], **dpp, **lastdnptr;
+	unsigned siglen, keylen, certlen;
+	unsigned buflen = *blp;
+	u_char *buf = (unsigned char *)bp;
+
+	/*
+	 * Initialize header fields.
+	 */
+	if ((buf == NULL) || (buflen < HFIXEDSZ))
+		return -1;
+	memset(buf, 0, HFIXEDSZ);
+	hp = (HEADER *) buf;
+	hp->id = htons(++statp->id);
+	hp->opcode = ns_o_update;
+	hp->rcode = NOERROR;
+	sp1 = buf + 2*INT16SZ;  /* save pointer to zocount */
+	cp = buf + HFIXEDSZ;
+	buflen -= HFIXEDSZ;
+	dpp = dnptrs;
+	*dpp++ = buf;
+	*dpp++ = NULL;
+	lastdnptr = dnptrs + sizeof dnptrs / sizeof dnptrs[0];
+
+	if (rrecp_start == NULL)
+		return (-5);
+	else if (rrecp_start->r_section != S_ZONE)
+		return (-3);
+
+	memset(counts, 0, sizeof counts);
+	for (rrecp = rrecp_start; rrecp; rrecp = ISC_LIST_NEXT(rrecp,
+							       r_glink)) {
+		numrrs++;
+                section = rrecp->r_section;
+		if (section < 0 || section >= ns_s_max)
+			return (-1);
+		counts[section]++;
+		for (i = section + 1; i < ns_s_max; i++)
+			if (counts[i])
+				return (-3);
+		rtype = rrecp->r_type;
+		rclass = rrecp->r_class;
+		rttl = rrecp->r_ttl;
+		/* overload class and type */
+		if (section == S_PREREQ) {
+			rttl = 0;
+			switch (rrecp->r_opcode) {
+			case YXDOMAIN:
+				rclass = C_ANY;
+				rtype = T_ANY;
+				rrecp->r_size = 0;
+				break;
+			case NXDOMAIN:
+				rclass = C_NONE;
+				rtype = T_ANY;
+				rrecp->r_size = 0;
+				break;
+			case NXRRSET:
+				rclass = C_NONE;
+				rrecp->r_size = 0;
+				break;
+			case YXRRSET:
+				if (rrecp->r_size == 0)
+					rclass = C_ANY;
+				break;
+			default:
+				fprintf(stderr,
+					"res_mkupdate: incorrect opcode: %d\n",
+					rrecp->r_opcode);
+				fflush(stderr);
+				return (-1);
+			}
+		} else if (section == S_UPDATE) {
+			switch (rrecp->r_opcode) {
+			case DELETE:
+				rclass = rrecp->r_size == 0 ? C_ANY : C_NONE;
+				break;
+			case ADD:
+				break;
+			default:
+				fprintf(stderr,
+					"res_mkupdate: incorrect opcode: %d\n",
+					rrecp->r_opcode);
+				fflush(stderr);
+				return (-1);
+			}
+		}
+
+		/*
+		 * XXX	appending default domain to owner name is omitted,
+		 *	fqdn must be provided
+		 */
+		if ((n = dn_comp(rrecp->r_dname, cp, buflen, dnptrs,
+				 lastdnptr)) < 0)
+			return (-1);
+		cp += n;
+		ShrinkBuffer(n + 2*INT16SZ);
+		PUTSHORT(rtype, cp);
+		PUTSHORT(rclass, cp);
+		if (section == S_ZONE) {
+			if (numrrs != 1 || rrecp->r_type != T_SOA)
+				return (-3);
+			continue;
+		}
+		ShrinkBuffer(INT32SZ + INT16SZ);
+		PUTLONG(rttl, cp);
+		sp2 = cp;  /* save pointer to length byte */
+		cp += INT16SZ;
+		if (rrecp->r_size == 0) {
+			if (section == S_UPDATE && rclass != C_ANY)
+				return (-1);
+			else {
+				PUTSHORT(0, sp2);
+				continue;
+			}
+		}
+		startp = rrecp->r_data;
+		endp = startp + rrecp->r_size - 1;
+		/* XXX this should be done centrally. */
+		switch (rrecp->r_type) {
+		case T_A:
+			if (!getword_str(buf2, sizeof buf2, &startp, endp))
+				return (-1);
+			if (!inet_aton(buf2, &ina))
+				return (-1);
+			n1 = ntohl(ina.s_addr);
+			ShrinkBuffer(INT32SZ);
+			PUTLONG(n1, cp);
+			break;
+		case T_CNAME:
+		case T_MB:
+		case T_MG:
+		case T_MR:
+		case T_NS:
+		case T_PTR:
+			if (!getword_str(buf2, sizeof buf2, &startp, endp))
+				return (-1);
+			n = dn_comp(buf2, cp, buflen, dnptrs, lastdnptr);
+			if (n < 0)
+				return (-1);
+			cp += n;
+			ShrinkBuffer(n);
+			break;
+		case T_MINFO:
+		case T_SOA:
+		case T_RP:
+			for (i = 0; i < 2; i++) {
+				if (!getword_str(buf2, sizeof buf2, &startp,
+						 endp))
+				return (-1);
+				n = dn_comp(buf2, cp, buflen,
+					    dnptrs, lastdnptr);
+				if (n < 0)
+					return (-1);
+				cp += n;
+				ShrinkBuffer(n);
+			}
+			if (rrecp->r_type == T_SOA) {
+				ShrinkBuffer(5 * INT32SZ);
+				while (isspace(*startp) || !*startp)
+					startp++;
+				if (*startp == '(') {
+					multiline = 1;
+					startp++;
+				} else
+					multiline = 0;
+				/* serial, refresh, retry, expire, minimum */
+				for (i = 0; i < 5; i++) {
+					soanum = getnum_str(&startp, endp);
+					if (soanum < 0)
+						return (-1);
+					PUTLONG(soanum, cp);
+				}
+				if (multiline) {
+					while (isspace(*startp) || !*startp)
+						startp++;
+					if (*startp != ')')
+						return (-1);
+				}
+			}
+			break;
+		case T_MX:
+		case T_AFSDB:
+		case T_RT:
+			n = getnum_str(&startp, endp);
+			if (n < 0)
+				return (-1);
+			ShrinkBuffer(INT16SZ);
+			PUTSHORT(n, cp);
+			if (!getword_str(buf2, sizeof buf2, &startp, endp))
+				return (-1);
+			n = dn_comp(buf2, cp, buflen, dnptrs, lastdnptr);
+			if (n < 0)
+				return (-1);
+			cp += n;
+			ShrinkBuffer(n);
+			break;
+		case T_SRV:
+			n = getnum_str(&startp, endp);
+			if (n < 0)
+				return (-1);
+			ShrinkBuffer(INT16SZ);
+			PUTSHORT(n, cp);
+
+			n = getnum_str(&startp, endp);
+			if (n < 0)
+				return (-1);
+			ShrinkBuffer(INT16SZ);
+			PUTSHORT(n, cp);
+
+			n = getnum_str(&startp, endp);
+			if (n < 0)
+				return (-1);
+			ShrinkBuffer(INT16SZ);
+			PUTSHORT(n, cp);
+
+			if (!getword_str(buf2, sizeof buf2, &startp, endp))
+				return (-1);
+			n = dn_comp(buf2, cp, buflen, dnptrs, lastdnptr);
+			if (n < 0)
+				return (-1);
+			cp += n;
+			ShrinkBuffer(n);
+			break;
+		case T_PX:
+			n = getnum_str(&startp, endp);
+			if (n < 0)
+				return (-1);
+			PUTSHORT(n, cp);
+			ShrinkBuffer(INT16SZ);
+			for (i = 0; i < 2; i++) {
+				if (!getword_str(buf2, sizeof buf2, &startp,
+						 endp))
+					return (-1);
+				n = dn_comp(buf2, cp, buflen, dnptrs,
+					    lastdnptr);
+				if (n < 0)
+					return (-1);
+				cp += n;
+				ShrinkBuffer(n);
+			}
+			break;
+		case T_WKS: {
+			char bm[MAXPORT/8];
+			unsigned maxbm = 0;
+
+			if (!getword_str(buf2, sizeof buf2, &startp, endp))
+				return (-1);
+			if (!inet_aton(buf2, &ina))
+				return (-1);
+			n1 = ntohl(ina.s_addr);
+			ShrinkBuffer(INT32SZ);
+			PUTLONG(n1, cp);
+
+			if (!getword_str(buf2, sizeof buf2, &startp, endp))
+				return (-1);
+			if ((i = res_protocolnumber(buf2)) < 0)
+				return (-1);
+			ShrinkBuffer(1);
+			*cp++ = i & 0xff;
+			 
+			for (i = 0; i < MAXPORT/8 ; i++)
+				bm[i] = 0;
+
+			while (getword_str(buf2, sizeof buf2, &startp, endp)) {
+				if ((n1 = res_servicenumber(buf2)) <= 0)
+					return (-1);
+
+				if (n1 < MAXPORT) {
+					bm[n1/8] |= (0x80>>(n1%8));
+					if (n1 > maxbm)
+						maxbm = n1;
+				} else
+					return (-1);
+			}
+			maxbm = maxbm/8 + 1;
+			ShrinkBuffer(maxbm);
+			memcpy(cp, bm, maxbm);
+			cp += maxbm;
+			break;
+		}
+		case T_HINFO:
+			for (i = 0; i < 2; i++) {
+				if ((n = getstr_str(buf2, sizeof buf2,
+						&startp, endp)) < 0)
+					return (-1);
+				if (n > 255)
+					return (-1);
+				ShrinkBuffer(n+1);
+				*cp++ = n;
+				memcpy(cp, buf2, (unsigned)n);
+				cp += n;
+			}
+			break;
+		case T_TXT:
+			while (1) {
+				if ((n = getstr_str(buf2, sizeof buf2,
+						&startp, endp)) < 0) {
+					if (cp != (sp2 + INT16SZ))
+						break;
+					return (-1);
+				}
+				if (n > 255)
+					return (-1);
+				ShrinkBuffer(n+1);
+				*cp++ = n;
+				memcpy(cp, buf2, (unsigned)n);
+				cp += n;
+			}
+			break;
+		case T_X25:
+			/* RFC 1183 */
+			if ((n = getstr_str(buf2, sizeof buf2, &startp,
+					 endp)) < 0)
+				return (-1);
+			if (n > 255)
+				return (-1);
+			ShrinkBuffer(n+1);
+			*cp++ = n;
+			memcpy(cp, buf2, (unsigned)n);
+			cp += n;
+			break;
+		case T_ISDN:
+			/* RFC 1183 */
+			if ((n = getstr_str(buf2, sizeof buf2, &startp,
+					 endp)) < 0)
+				return (-1);
+			if ((n > 255) || (n == 0))
+				return (-1);
+			ShrinkBuffer(n+1);
+			*cp++ = n;
+			memcpy(cp, buf2, (unsigned)n);
+			cp += n;
+			if ((n = getstr_str(buf2, sizeof buf2, &startp,
+					 endp)) < 0)
+				n = 0;
+			if (n > 255)
+				return (-1);
+			ShrinkBuffer(n+1);
+			*cp++ = n;
+			memcpy(cp, buf2, (unsigned)n);
+			cp += n;
+			break;
+#if 0
+		case T_NSAP:
+			if ((n = inet_nsap_addr((char *)startp, (u_char *)buf2, sizeof(buf2))) != 0) {
+				ShrinkBuffer(n);
+				memcpy(cp, buf2, n);
+				cp += n;
+			} else {
+				return (-1);
+			}
+			break;
+		case T_LOC:
+			if ((n = loc_aton((char *)startp, (u_char *)buf2)) != 0) {
+				ShrinkBuffer(n);
+				memcpy(cp, buf2, n);
+				cp += n;
+			} else
+				return (-1);
+			break;
+		case ns_t_sig:
+		    {
+			int sig_type, success, dateerror;
+			u_int32_t exptime, timesigned;
+
+			/* type */
+			if ((n = getword_str(buf2, sizeof buf2,
+					     &startp, endp)) < 0)
+				return (-1);
+			sig_type = sym_ston(__p_type_syms, buf2, &success);
+			if (!success || sig_type == ns_t_any)
+				return (-1);
+			ShrinkBuffer(INT16SZ);
+			PUTSHORT(sig_type, cp);
+			/* alg */
+			n = getnum_str(&startp, endp);
+			if (n < 0)
+				return (-1);
+			ShrinkBuffer(1);
+			*cp++ = n;
+			/* labels */
+			n = getnum_str(&startp, endp);
+			if (n <= 0 || n > 255)
+				return (-1);
+			ShrinkBuffer(1);
+			*cp++ = n;
+			/* ottl  & expire */
+			if (!getword_str(buf2, sizeof buf2, &startp, endp))
+				return (-1);
+			exptime = ns_datetosecs(buf2, &dateerror);
+			if (!dateerror) {
+				ShrinkBuffer(INT32SZ);
+				PUTLONG(rttl, cp);
+			}
+			else {
+				char *ulendp;
+				u_int32_t ottl;
+
+				ottl = strtoul(buf2, &ulendp, 10);
+				if (ulendp != NULL && *ulendp != '\0')
+					return (-1);
+				ShrinkBuffer(INT32SZ);
+				PUTLONG(ottl, cp);
+				if (!getword_str(buf2, sizeof buf2, &startp,
+						 endp))
+					return (-1);
+				exptime = ns_datetosecs(buf2, &dateerror);
+				if (dateerror)
+					return (-1);
+			}
+			/* expire */
+			ShrinkBuffer(INT32SZ);
+			PUTLONG(exptime, cp);
+			/* timesigned */
+			if (!getword_str(buf2, sizeof buf2, &startp, endp))
+				return (-1);
+			timesigned = ns_datetosecs(buf2, &dateerror);
+			if (!dateerror) {
+				ShrinkBuffer(INT32SZ);
+				PUTLONG(timesigned, cp);
+			}
+			else
+				return (-1);
+			/* footprint */
+			n = getnum_str(&startp, endp);
+			if (n < 0)
+				return (-1);
+			ShrinkBuffer(INT16SZ);
+			PUTSHORT(n, cp);
+			/* signer name */
+			if (!getword_str(buf2, sizeof buf2, &startp, endp))
+				return (-1);
+			n = dn_comp(buf2, cp, buflen, dnptrs, lastdnptr);
+			if (n < 0)
+				return (-1);
+			cp += n;
+			ShrinkBuffer(n);
+			/* sig */
+			if ((n = getword_str(buf2, sizeof buf2,
+					     &startp, endp)) < 0)
+				return (-1);
+			siglen = b64_pton(buf2, buf3, sizeof(buf3));
+			if (siglen < 0)
+				return (-1);
+			ShrinkBuffer(siglen);
+			memcpy(cp, buf3, siglen);
+			cp += siglen;
+			break;
+		    }
+		case ns_t_key:
+			/* flags */
+			n = gethexnum_str(&startp, endp);
+			if (n < 0)
+				return (-1);
+			ShrinkBuffer(INT16SZ);
+			PUTSHORT(n, cp);
+			/* proto */
+			n = getnum_str(&startp, endp);
+			if (n < 0)
+				return (-1);
+			ShrinkBuffer(1);
+			*cp++ = n;
+			/* alg */
+			n = getnum_str(&startp, endp);
+			if (n < 0)
+				return (-1);
+			ShrinkBuffer(1);
+			*cp++ = n;
+			/* key */
+			if ((n = getword_str(buf2, sizeof buf2,
+					     &startp, endp)) < 0)
+				return (-1);
+			keylen = b64_pton(buf2, buf3, sizeof(buf3));
+			if (keylen < 0)
+				return (-1);
+			ShrinkBuffer(keylen);
+			memcpy(cp, buf3, keylen);
+			cp += keylen;
+			break;
+		case ns_t_nxt:
+		    {
+			int success, nxt_type;
+			u_char data[32];
+			int maxtype;
+
+			/* next name */
+			if (!getword_str(buf2, sizeof buf2, &startp, endp))
+				return (-1);
+			n = dn_comp(buf2, cp, buflen, dnptrs, lastdnptr);
+			if (n < 0)
+				return (-1);
+			cp += n;
+			ShrinkBuffer(n);
+			maxtype = 0;
+			memset(data, 0, sizeof data);
+			while (1) {
+				if (!getword_str(buf2, sizeof buf2, &startp,
+						 endp))
+					break;
+				nxt_type = sym_ston(__p_type_syms, buf2,
+						    &success);
+				if (!success || !ns_t_rr_p(nxt_type))
+					return (-1);
+				NS_NXT_BIT_SET(nxt_type, data);
+				if (nxt_type > maxtype)
+					maxtype = nxt_type;
+			}
+			n = maxtype/NS_NXT_BITS+1;
+			ShrinkBuffer(n);
+			memcpy(cp, data, n);
+			cp += n;
+			break;
+		    }
+		case ns_t_cert:
+			/* type */
+			n = getnum_str(&startp, endp);
+			if (n < 0)
+				return (-1);
+			ShrinkBuffer(INT16SZ);
+			PUTSHORT(n, cp);
+			/* key tag */
+			n = getnum_str(&startp, endp);
+			if (n < 0)
+				return (-1);
+			ShrinkBuffer(INT16SZ);
+			PUTSHORT(n, cp);
+			/* alg */
+			n = getnum_str(&startp, endp);
+			if (n < 0)
+				return (-1);
+			ShrinkBuffer(1);
+			*cp++ = n;
+			/* cert */
+			if ((n = getword_str(buf2, sizeof buf2,
+					     &startp, endp)) < 0)
+				return (-1);
+			certlen = b64_pton(buf2, buf3, sizeof(buf3));
+			if (certlen < 0)
+				return (-1);
+			ShrinkBuffer(certlen);
+			memcpy(cp, buf3, certlen);
+			cp += certlen;
+			break;
+#endif
+		default:
+			return (-1);
+		} /*switch*/
+		n = (u_int16_t)((cp - sp2) - INT16SZ);
+		PUTSHORT(n, sp2);
+	} /*for*/
+		
+	hp->qdcount = htons(counts[0]);
+	hp->ancount = htons(counts[1]);
+	hp->nscount = htons(counts[2]);
+	hp->arcount = htons(counts[3]);
+	*blp = cp - buf;
+	return 0;
+}
+
+/*
+ * Get a whitespace delimited word from a string (not file)
+ * into buf. modify the start pointer to point after the
+ * word in the string.
+ */
+static int
+getword_str(char *buf, int size, const u_char **startpp, const u_char *endp) {
+        char *cp;
+        int c;
+ 
+        for (cp = buf; *startpp <= endp; ) {
+                c = **startpp;
+                if (isspace(c) || c == '\0') {
+                        if (cp != buf) /* trailing whitespace */
+                                break;
+                        else { /* leading whitespace */
+                                (*startpp)++;
+                                continue;
+                        }
+                }
+                (*startpp)++;
+                if (cp >= buf+size-1)
+                        break;
+                *cp++ = (u_char)c;
+        }
+        *cp = '\0';
+        return (cp != buf);
+}
+
+/*
+ * get a white spae delimited string from memory.  Process quoted strings
+ * and \DDD escapes.  Return length or -1 on error.  Returned string may
+ * contain nulls.
+ */
+static char digits[] = "0123456789";
+static int
+getstr_str(char *buf, int size, const u_char **startpp, const u_char *endp) {
+        char *cp;
+        int c, c1 = 0;
+	int inquote = 0;
+	int seen_quote = 0;
+	int escape = 0;
+	int dig = 0;
+ 
+	for (cp = buf; *startpp <= endp; ) {
+                if ((c = **startpp) == '\0')
+			break;
+		/* leading white space */
+		if ((cp == buf) && !seen_quote && isspace(c)) {
+			(*startpp)++;
+			continue;
+		}
+
+		switch (c) {
+		case '\\':
+			if (!escape)  {
+				escape = 1;
+				dig = 0;
+				c1 = 0;
+				(*startpp)++;
+				continue;
+			} 
+			goto do_escape;
+		case '"':
+			if (!escape) {
+				inquote = !inquote;
+				seen_quote = 1;
+				(*startpp)++;
+				continue;
+			}
+			/* fall through */
+		default:
+		do_escape:
+			if (escape) {
+				switch (c) {
+				case '0':
+				case '1':
+				case '2':
+				case '3':
+				case '4':
+				case '5':
+				case '6':
+				case '7':
+				case '8':
+				case '9':
+					c1 = c1 * 10 + 
+						(strchr(digits, c) - digits);
+
+					if (++dig == 3) {
+						c = c1 &0xff;
+						break;
+					}
+					(*startpp)++;
+					continue;
+				}
+				escape = 0;
+			} else if (!inquote && isspace(c))
+				goto done;
+			if (cp >= buf+size-1)
+				goto done;
+			*cp++ = (u_char)c;
+			(*startpp)++;
+		}
+	}
+ done:
+	*cp = '\0';
+	return ((cp == buf)?  (seen_quote? 0: -1): (cp - buf));
+}
+/*
+ * Get a whitespace delimited base 16 number from a string (not file) into buf
+ * update the start pointer to point after the number in the string.
+ */
+static int
+gethexnum_str(const u_char **startpp, const u_char *endp) {
+        int c, n;
+        int seendigit = 0;
+        int m = 0;
+
+	if (*startpp + 2 >= endp ||
+	    strncasecmp((const char *)*startpp, "0x", 2) != 0)
+		return getnum_str(startpp, endp);
+	(*startpp)+=2;
+        for (n = 0; *startpp <= endp; ) {
+                c = **startpp;
+                if (isspace(c) || c == '\0') {
+                        if (seendigit) /* trailing whitespace */
+                                break;
+                        else { /* leading whitespace */
+                                (*startpp)++;
+                                continue;
+                        }
+                }
+                if (c == ';') {
+                        while ((*startpp <= endp) &&
+			       ((c = **startpp) != '\n'))
+					(*startpp)++;
+                        if (seendigit)
+                                break;
+                        continue;
+                }
+                if (!isxdigit(c)) {
+                        if (c == ')' && seendigit) {
+                                (*startpp)--;
+                                break;
+                        }
+			return (-1);
+                }        
+                (*startpp)++;
+		if (isdigit(c))
+	                n = n * 16 + (c - '0');
+		else
+			n = n * 16 + (tolower(c) - 'a' + 10);
+                seendigit = 1;
+        }
+        return (n + m);
+}
+
+/*
+ * Get a whitespace delimited base 16 number from a string (not file) into buf
+ * update the start pointer to point after the number in the string.
+ */
+static int
+getnum_str(const u_char **startpp, const u_char *endp) {
+        int c, n;
+        int seendigit = 0;
+        int m = 0;
+
+        for (n = 0; *startpp <= endp; ) {
+                c = **startpp;
+                if (isspace(c) || c == '\0') {
+                        if (seendigit) /* trailing whitespace */
+                                break;
+                        else { /* leading whitespace */
+                                (*startpp)++;
+                                continue;
+                        }
+                }
+                if (c == ';') {
+                        while ((*startpp <= endp) &&
+			       ((c = **startpp) != '\n'))
+					(*startpp)++;
+                        if (seendigit)
+                                break;
+                        continue;
+                }
+                if (!isdigit(c)) {
+                        if (c == ')' && seendigit) {
+                                (*startpp)--;
+                                break;
+                        }
+			return (-1);
+                }        
+                (*startpp)++;
+                n = n * 10 + (c - '0');
+                seendigit = 1;
+        }
+        return (n + m);
+}
+
+/*
+ * Allocate a resource record buffer & save rr info.
+ */
+ns_updrec *
+res_mkupdrec(int section, const char *dname,
+	     u_int class, u_int type, u_long ttl) {
+	ns_updrec *rrecp = (ns_updrec *)calloc(1, sizeof(ns_updrec));
+
+	if (!rrecp || !(rrecp->r_dname = strdup(dname))) {
+		if (rrecp)
+			free((char *)rrecp);
+		return (NULL);
+	}
+ 	rrecp->r_class = class;
+	rrecp->r_type = type;
+	rrecp->r_ttl = ttl;
+	rrecp->r_section = section;
+	return (rrecp);
+}
+
+/*
+ * Free a resource record buffer created by res_mkupdrec.
+ */
+void
+res_freeupdrec(ns_updrec *rrecp) {
+	/* Note: freeing r_dp is the caller's responsibility. */
+	if (rrecp->r_dname != NULL)
+		free(rrecp->r_dname);
+	free(rrecp);
+}
+
+static struct valuelist *servicelist, *protolist;
+
+void
+res_buildservicelist() {
+	struct servent *sp;
+	struct valuelist *slp;
+
+#ifdef MAYBE_HESIOD
+	setservent(0);
+#else
+	setservent(1);
+#endif
+	while ((sp = getservent()) != NULL) {
+		slp = (struct valuelist *)malloc(sizeof(struct valuelist));
+		if (!slp)
+			break;
+		slp->name = strdup(sp->s_name);
+		slp->proto = strdup(sp->s_proto);
+		if ((slp->name == NULL) || (slp->proto == NULL)) {
+			if (slp->name) free(slp->name);
+			if (slp->proto) free(slp->proto);
+			free(slp);
+			break;
+		}
+		slp->port = ntohs((u_int16_t)sp->s_port);  /* host byt order */
+		slp->next = servicelist;
+		slp->prev = NULL;
+		if (servicelist)
+			servicelist->prev = slp;
+		servicelist = slp;
+	}
+	endservent();
+}
+
+void
+res_destroyservicelist() {
+	struct valuelist *slp, *slp_next;
+
+	for (slp = servicelist; slp != NULL; slp = slp_next) {
+		slp_next = slp->next;
+		free(slp->name);
+		free(slp->proto);
+		free(slp);
+	}
+	servicelist = (struct valuelist *)0;
+}
+
+void
+res_buildprotolist() {
+	struct protoent *pp;
+	struct valuelist *slp;
+
+#ifdef MAYBE_HESIOD
+	setprotoent(0);
+#else
+	setprotoent(1);
+#endif
+	while ((pp = getprotoent()) != NULL) {
+		slp = (struct valuelist *)malloc(sizeof(struct valuelist));
+		if (!slp)
+			break;
+		slp->name = strdup(pp->p_name);
+		if (slp->name == NULL) {
+			free(slp);
+			break;
+		}
+		slp->port = pp->p_proto;	/* host byte order */
+		slp->next = protolist;
+		slp->prev = NULL;
+		if (protolist)
+			protolist->prev = slp;
+		protolist = slp;
+	}
+	endprotoent();
+}
+
+void
+res_destroyprotolist() {
+	struct valuelist *plp, *plp_next;
+
+	for (plp = protolist; plp != NULL; plp = plp_next) {
+		plp_next = plp->next;
+		free(plp->name);
+		free(plp);
+	}
+	protolist = (struct valuelist *)0;
+}
+
+static int
+findservice(const char *s, struct valuelist **list) {
+	struct valuelist *lp = *list;
+	int n;
+
+	for (; lp != NULL; lp = lp->next)
+		if (strcasecmp(lp->name, s) == 0) {
+			if (lp != *list) {
+				lp->prev->next = lp->next;
+				if (lp->next)
+					lp->next->prev = lp->prev;
+				(*list)->prev = lp;
+				lp->next = *list;
+				*list = lp;
+			}
+			return (lp->port);	/* host byte order */
+		}
+	if (sscanf(s, "%d", &n) != 1 || n <= 0)
+		n = -1;
+	return (n);
+}
+
+/*
+ * Convert service name or (ascii) number to int.
+ */
+int
+res_servicenumber(const char *p) {
+	if (servicelist == (struct valuelist *)0)
+		res_buildservicelist();
+	return (findservice(p, &servicelist));
+}
+
+/*
+ * Convert protocol name or (ascii) number to int.
+ */
+int
+res_protocolnumber(const char *p) {
+	if (protolist == (struct valuelist *)0)
+		res_buildprotolist();
+	return (findservice(p, &protolist));
+}
+
+static struct servent *
+cgetservbyport(unsigned port, const char *proto) {	/* Host byte order. */
+	struct valuelist **list = &servicelist;
+	struct valuelist *lp = *list;
+	static struct servent serv;
+
+	port = ntohs(port);
+	for (; lp != NULL; lp = lp->next) {
+		if (port != (u_int16_t)lp->port)	/* Host byte order. */
+			continue;
+		if (strcasecmp(lp->proto, proto) == 0) {
+			if (lp != *list) {
+				lp->prev->next = lp->next;
+				if (lp->next)
+					lp->next->prev = lp->prev;
+				(*list)->prev = lp;
+				lp->next = *list;
+				*list = lp;
+			}
+			serv.s_name = lp->name;
+			serv.s_port = htons((u_int16_t)lp->port);
+			serv.s_proto = lp->proto;
+			return (&serv);
+		}
+	}
+	return (0);
+}
+
+static struct protoent *
+cgetprotobynumber(int proto) {				/* Host byte order. */
+	struct valuelist **list = &protolist;
+	struct valuelist *lp = *list;
+	static struct protoent prot;
+
+	for (; lp != NULL; lp = lp->next)
+		if (lp->port == proto) {		/* Host byte order. */
+			if (lp != *list) {
+				lp->prev->next = lp->next;
+				if (lp->next)
+					lp->next->prev = lp->prev;
+				(*list)->prev = lp;
+				lp->next = *list;
+				*list = lp;
+			}
+			prot.p_name = lp->name;
+			prot.p_proto = lp->port;	/* Host byte order. */
+			return (&prot);
+		}
+	return (0);
+}
+
+const char *
+res_protocolname(int num) {
+	static char number[8];
+	struct protoent *pp;
+
+	if (protolist == (struct valuelist *)0)
+		res_buildprotolist();
+	pp = cgetprotobynumber(num);
+	if (pp == 0)  {
+		(void) sprintf(number, "%d", num);
+		return (number);
+	}
+	return (pp->p_name);
+}
+
+const char *
+res_servicename(u_int16_t port, const char *proto) {	/* Host byte order. */
+	static char number[8];
+	struct servent *ss;
+
+	if (servicelist == (struct valuelist *)0)
+		res_buildservicelist();
+	ss = cgetservbyport(htons(port), proto);
+	if (ss == 0)  {
+		(void) sprintf(number, "%d", port);
+		return (number);
+	}
+	return (ss->s_name);
+}
diff --git a/contrib/isc-dhcp/minires/res_query.c b/contrib/isc-dhcp/minires/res_query.c
new file mode 100644
index 0000000..412da65
--- /dev/null
+++ b/contrib/isc-dhcp/minires/res_query.c
@@ -0,0 +1,413 @@
+/*
+ * Copyright (c) 1988, 1993
+ *    The Regents of the University of California.  All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ * 	This product includes software developed by the University of
+ * 	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Portions Copyright (c) 1993 by Digital Equipment Corporation.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies, and that
+ * the name of Digital Equipment Corporation not be used in advertising or
+ * publicity pertaining to distribution of the document or software without
+ * specific, written prior permission.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.   IN NO EVENT SHALL DIGITAL EQUIPMENT
+ * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*
+ * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)res_query.c	8.1 (Berkeley) 6/4/93";
+static const char rcsid[] = "$Id: res_query.c,v 1.4 2001/01/16 22:33:15 mellon Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <ctype.h>
+#include <errno.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+
+#include "minires/minires.h"
+#include "arpa/nameser.h"
+
+/* Options.  Leave them on. */
+#define DEBUG
+
+#if PACKETSZ > 1024
+#define MAXPACKET	PACKETSZ
+#else
+#define MAXPACKET	1024
+#endif
+
+/*
+ * Formulate a normal query, send, and await answer.
+ * Returned answer is placed in supplied buffer "answer".
+ * Perform preliminary check of answer, returning success only
+ * if no error is indicated and the answer count is nonzero.
+ * Return the size of the response on success, -1 on error.
+ * Error number is left in H_ERRNO.
+ *
+ * Caller must parse answer and determine whether it answers the question.
+ */
+isc_result_t
+res_nquery(res_state statp,
+	   const char *name,	/* domain name */
+	   ns_class class, ns_type type, /* class and type of query */
+	   double *answer,	/* buffer to put answer */
+	   unsigned anslen,
+	   unsigned *ansret)	/* size of answer buffer */
+{
+	double buf[MAXPACKET / sizeof (double)];
+	HEADER *hp = (HEADER *) answer;
+	unsigned n;
+	isc_result_t rcode;
+
+	hp->rcode = NOERROR;	/* default */
+
+#ifdef DEBUG
+	if (statp->options & RES_DEBUG)
+		printf(";; res_query(%s, %d, %d)\n", name, class, type);
+#endif
+
+	rcode = res_nmkquery(statp, QUERY, name, class, type, NULL, 0, NULL,
+			     buf, sizeof(buf), &n);
+	if (rcode != ISC_R_SUCCESS) {
+#ifdef DEBUG
+		if (statp->options & RES_DEBUG)
+			printf(";; res_query: mkquery failed\n");
+#endif
+		RES_SET_H_ERRNO(statp, NO_RECOVERY);
+		return rcode;
+	}
+	rcode = res_nsend(statp, buf, n, answer, anslen, &n);
+	if (rcode != ISC_R_SUCCESS) {
+#ifdef DEBUG
+		if (statp->options & RES_DEBUG)
+			printf(";; res_query: send error\n");
+#endif
+		RES_SET_H_ERRNO(statp, TRY_AGAIN);
+		return rcode;
+	}
+
+	if (hp->rcode != NOERROR || ntohs(hp->ancount) == 0) {
+#ifdef DEBUG
+		if (statp->options & RES_DEBUG)
+			printf(";; rcode = %d, ancount=%d\n", hp->rcode,
+			    ntohs(hp->ancount));
+#endif
+		switch (hp->rcode) {
+		case NXDOMAIN:
+			RES_SET_H_ERRNO(statp, HOST_NOT_FOUND);
+			break;
+		case SERVFAIL:
+			RES_SET_H_ERRNO(statp, TRY_AGAIN);
+			break;
+		case NOERROR:
+			RES_SET_H_ERRNO(statp, NO_DATA);
+			break;
+		case FORMERR:
+		case NOTIMP:
+		case REFUSED:
+		default:
+			RES_SET_H_ERRNO(statp, NO_RECOVERY);
+			break;
+		}
+		return ns_rcode_to_isc (hp -> rcode);
+	}
+	*ansret = n;
+	return ISC_R_SUCCESS;
+}
+
+#if 0
+/*
+ * Formulate a normal query, send, and retrieve answer in supplied buffer.
+ * Return the size of the response on success, -1 on error.
+ * If enabled, implement search rules until answer or unrecoverable failure
+ * is detected.  Error code, if any, is left in H_ERRNO.
+ */
+isc_result_t
+res_nsearch(res_state statp,
+	    const char *name,	/* domain name */
+	    ns_class class, ns_type type, /* class and type of query */
+	    double *answer,	/* buffer to put answer */
+	    unsigned anslen,
+	    unsigned *ansret)		/* size of answer */
+{
+	const char *cp, * const *domain;
+	HEADER *hp = (HEADER *) answer;
+	char tmp[NS_MAXDNAME];
+	u_int dots;
+	int trailing_dot, ret;
+	int got_nodata = 0, got_servfail = 0, root_on_list = 0;
+	isc_result_t rcode;
+
+	errno = 0;
+	RES_SET_H_ERRNO(statp, HOST_NOT_FOUND);  /* True if we never query. */
+
+	dots = 0;
+	for (cp = name; *cp != '\0'; cp++)
+		dots += (*cp == '.');
+	trailing_dot = 0;
+	if (cp > name && *--cp == '.')
+		trailing_dot++;
+
+	/* If there aren't any dots, it could be a user-level alias. */
+	if (!dots && (cp = res_hostalias(statp, name, tmp, sizeof tmp))!= NULL)
+		return res_nquery(statp, cp, class, type,
+				  answer, anslen, ansret);
+
+	/*
+	 * If there are enough dots in the name, do no searching.
+	 * (The threshold can be set with the "ndots" option.)
+	 */
+	if (dots >= statp->ndots || trailing_dot)
+		return res_nquerydomain(statp, name, NULL, class, type,
+					answer, anslen, ansret);
+
+	/*
+	 * We do at least one level of search if
+	 *	- there is no dot and RES_DEFNAME is set, or
+	 *	- there is at least one dot, there is no trailing dot,
+	 *	  and RES_DNSRCH is set.
+	 */
+	if ((!dots && (statp->options & RES_DEFNAMES) != 0) ||
+	    (dots && !trailing_dot && (statp->options & RES_DNSRCH) != 0)) {
+		int done = 0;
+
+		for (domain = (const char * const *)statp->dnsrch;
+		     *domain && !done;
+		     domain++) {
+
+			if (domain[0][0] == '\0' ||
+			    (domain[0][0] == '.' && domain[0][1] == '\0'))
+				root_on_list++;
+
+			rcode = res_nquerydomain(statp, name, *domain,
+						 class, type,
+						 answer, anslen, &ret);
+			if (rcode == ISC_R_SUCCESS && ret > 0) {
+				*ansret = ret;
+				return rcode;
+			}
+
+			/*
+			 * If no server present, give up.
+			 * If name isn't found in this domain,
+			 * keep trying higher domains in the search list
+			 * (if that's enabled).
+			 * On a NO_DATA error, keep trying, otherwise
+			 * a wildcard entry of another type could keep us
+			 * from finding this entry higher in the domain.
+			 * If we get some other error (negative answer or
+			 * server failure), then stop searching up,
+			 * but try the input name below in case it's
+			 * fully-qualified.
+			 */
+			if (errno == ECONNREFUSED) {
+				RES_SET_H_ERRNO(statp, TRY_AGAIN);
+				return ISC_R_CONNREFUSED;
+			}
+
+			switch (statp->res_h_errno) {
+			case NO_DATA:
+				got_nodata++;
+				/* FALLTHROUGH */
+			case HOST_NOT_FOUND:
+				/* keep trying */
+				break;
+			case TRY_AGAIN:
+				if (hp->rcode == SERVFAIL) {
+					/* try next search element, if any */
+					got_servfail++;
+					break;
+				}
+				/* FALLTHROUGH */
+			default:
+				/* anything else implies that we're done */
+				done++;
+			}
+
+			/* if we got here for some reason other than DNSRCH,
+			 * we only wanted one iteration of the loop, so stop.
+			 */
+			if ((statp->options & RES_DNSRCH) == 0)
+				done++;
+		}
+	}
+
+	/*
+	 * If the name has any dots at all, and "." is not on the search
+	 * list, then try an as-is query now.
+	 */
+	if (statp->ndots) {
+		rcode = res_nquerydomain(statp, name, NULL, class, type,
+					 answer, anslen, &ret);
+		if (rcode == ISC_R_SUCCESS && ret > 0) {
+			*ansret = ret;
+			return rcode;
+		}
+	}
+
+	/* if we got here, we didn't satisfy the search.
+	 * if we did an initial full query, return that query's H_ERRNO
+	 * (note that we wouldn't be here if that query had succeeded).
+	 * else if we ever got a nodata, send that back as the reason.
+	 * else send back meaningless H_ERRNO, that being the one from
+	 * the last DNSRCH we did.
+	 */
+	if (got_nodata) {
+		RES_SET_H_ERRNO(statp, NO_DATA);
+		return ISC_R_NOTFOUND;
+	} else if (got_servfail) {
+		RES_SET_H_ERRNO(statp, TRY_AGAIN);
+		return ISC_R_TIMEDOUT;
+	}
+	return ISC_R_UNEXPECTED;
+}
+#endif
+
+/*
+ * Perform a call on res_query on the concatenation of name and domain,
+ * removing a trailing dot from name if domain is NULL.
+ */
+isc_result_t
+res_nquerydomain(res_state statp,
+		 const char *name,
+		 const char *domain,
+		 ns_class class, ns_type type,
+		 double *answer,
+		 unsigned anslen,
+		 unsigned *ansret)
+{
+	char nbuf[MAXDNAME];
+	const char *longname = nbuf;
+	int n, d;
+
+#ifdef DEBUG
+	if (statp->options & RES_DEBUG)
+		printf(";; res_nquerydomain(%s, %s, %d, %d)\n",
+		       name, domain?domain:"<Nil>", class, type);
+#endif
+	if (domain == NULL) {
+		/*
+		 * Check for trailing '.';
+		 * copy without '.' if present.
+		 */
+		n = strlen(name);
+		if (n >= MAXDNAME) {
+			RES_SET_H_ERRNO(statp, NO_RECOVERY);
+			return ISC_R_NOSPACE;
+		}
+		n--;
+		if (n >= 0 && name[n] == '.') {
+			strncpy(nbuf, name, (unsigned)n);
+			nbuf[n] = '\0';
+		} else
+			longname = name;
+	} else {
+		n = strlen(name);
+		d = strlen(domain);
+		if (n + d + 1 >= MAXDNAME) {
+			RES_SET_H_ERRNO(statp, NO_RECOVERY);
+			return ISC_R_NOSPACE;
+		}
+		sprintf(nbuf, "%s.%s", name, domain);
+	}
+	return res_nquery(statp,
+			  longname, class, type, answer, anslen, ansret);
+}
+
+const char *
+res_hostalias(const res_state statp, const char *name, char *dst, size_t siz) {
+	char *file, *cp1, *cp2;
+	char buf[BUFSIZ];
+	FILE *fp;
+
+	if (statp->options & RES_NOALIASES)
+		return (NULL);
+	file = getenv("HOSTALIASES");
+	if (file == NULL || (fp = fopen(file, "r")) == NULL)
+		return (NULL);
+	setbuf(fp, NULL);
+	buf[sizeof(buf) - 1] = '\0';
+	while (fgets(buf, sizeof(buf), fp)) {
+		for (cp1 = buf; *cp1 && !isspace(*cp1); ++cp1)
+			;
+		if (!*cp1)
+			break;
+		*cp1 = '\0';
+		if (ns_samename(buf, name) == 1) {
+			while (isspace(*++cp1))
+				;
+			if (!*cp1)
+				break;
+			for (cp2 = cp1 + 1; *cp2 && !isspace(*cp2); ++cp2)
+				;
+			*cp2 = '\0';
+			strncpy(dst, cp1, siz - 1);
+			dst[siz - 1] = '\0';
+			fclose(fp);
+			return (dst);
+		}
+	}
+	fclose(fp);
+	return (NULL);
+}
diff --git a/contrib/isc-dhcp/minires/res_send.c b/contrib/isc-dhcp/minires/res_send.c
new file mode 100644
index 0000000..79946a4
--- /dev/null
+++ b/contrib/isc-dhcp/minires/res_send.c
@@ -0,0 +1,871 @@
+/*
+ * Copyright (c) 1985, 1989, 1993
+ *    The Regents of the University of California.  All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ * 	This product includes software developed by the University of
+ * 	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Portions Copyright (c) 1993 by Digital Equipment Corporation.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies, and that
+ * the name of Digital Equipment Corporation not be used in advertising or
+ * publicity pertaining to distribution of the document or software without
+ * specific, written prior permission.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.   IN NO EVENT SHALL DIGITAL EQUIPMENT
+ * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*
+ * Portions Copyright (c) 1996-2001 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)res_send.c	8.1 (Berkeley) 6/4/93";
+static const char rcsid[] = "$Id: res_send.c,v 1.7 2001/02/22 07:28:25 mellon Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/* Rename the I/O functions in case we're tracing. */
+#define send		trace_mr_send
+#define recvfrom	trace_mr_recvfrom
+#define	read		trace_mr_read
+#define connect		trace_mr_connect
+#define socket		trace_mr_socket
+#define bind		trace_mr_bind
+#define close		trace_mr_close
+#define select		trace_mr_select
+#define time		trace_mr_time
+
+/*
+ * Send query to name server and wait for reply.
+ */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <sys/uio.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <errno.h>
+#include <netdb.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "minires/minires.h"
+#include "arpa/nameser.h"
+
+#define	CHECK_SRVR_ADDR
+		
+static int cmpsock(struct sockaddr_in *a1, struct sockaddr_in *a2);
+void res_pquery(const res_state, const u_char *, int, FILE *);
+
+/* int
+ * res_isourserver(ina)
+ *	looks up "ina" in _res.ns_addr_list[]
+ * returns:
+ *	0  : not found
+ *	>0 : found
+ * author:
+ *	paul vixie, 29may94
+ */
+int
+res_ourserver_p(const res_state statp, const struct sockaddr_in *inp) {
+	struct sockaddr_in ina;
+	int ns;
+
+	ina = *inp;
+	for (ns = 0;  ns < statp->nscount;  ns++) {
+		const struct sockaddr_in *srv = &statp->nsaddr_list[ns];
+
+		if (srv->sin_family == ina.sin_family &&
+		    srv->sin_port == ina.sin_port &&
+		    (srv->sin_addr.s_addr == INADDR_ANY ||
+		     srv->sin_addr.s_addr == ina.sin_addr.s_addr))
+			return (1);
+	}
+	return (0);
+}
+
+/* int
+ * res_nameinquery(name, type, class, buf, eom)
+ *	look for (name,type,class) in the query section of packet (buf,eom)
+ * requires:
+ *	buf + HFIXEDSZ <= eom
+ * returns:
+ *	-1 : format error
+ *	0  : not found
+ *	>0 : found
+ * author:
+ *	paul vixie, 29may94
+ */
+int
+res_nameinquery(const char *name, int type, int class,
+		const u_char *buf, const u_char *eom)
+{
+	const u_char *cp = buf + HFIXEDSZ;
+	int qdcount = ntohs(((const HEADER *)buf)->qdcount);
+
+	while (qdcount-- > 0) {
+		char tname[MAXDNAME+1];
+		int n, ttype, tclass;
+
+		n = dn_expand(buf, eom, cp, tname, sizeof tname);
+		if (n < 0)
+			return (-1);
+		cp += n;
+		if (cp + 2 * INT16SZ > eom)
+			return (-1);
+		ttype = getUShort(cp); cp += INT16SZ;
+		tclass = getUShort(cp); cp += INT16SZ;
+		if (ttype == type && tclass == class &&
+		    ns_samename(tname, name) == 1)
+			return (1);
+	}
+	return (0);
+}
+
+/* int
+ * res_queriesmatch(buf1, eom1, buf2, eom2)
+ *	is there a 1:1 mapping of (name,type,class)
+ *	in (buf1,eom1) and (buf2,eom2)?
+ * returns:
+ *	-1 : format error
+ *	0  : not a 1:1 mapping
+ *	>0 : is a 1:1 mapping
+ * author:
+ *	paul vixie, 29may94
+ */
+int
+res_queriesmatch(const u_char *buf1, const u_char *eom1,
+		 const u_char *buf2, const u_char *eom2)
+{
+	const u_char *cp = buf1 + HFIXEDSZ;
+	int qdcount = ntohs(((const HEADER *)buf1)->qdcount);
+
+	if (buf1 + HFIXEDSZ > eom1 || buf2 + HFIXEDSZ > eom2)
+		return (-1);
+
+	/*
+	 * Only header section present in replies to
+	 * dynamic update packets.
+	 */
+	if ( (((const HEADER *)buf1)->opcode == ns_o_update) &&
+	     (((const HEADER *)buf2)->opcode == ns_o_update) )
+		return (1);
+
+	if (qdcount != ntohs(((const HEADER*)buf2)->qdcount))
+		return (0);
+	while (qdcount-- > 0) {
+		char tname[MAXDNAME+1];
+		int n, ttype, tclass;
+
+		n = dn_expand(buf1, eom1, cp, tname, sizeof tname);
+		if (n < 0)
+			return (-1);
+		cp += n;
+		if (cp + 2 * INT16SZ > eom1)
+			return (-1);
+		ttype = getUShort(cp);	cp += INT16SZ;
+		tclass = getUShort(cp); cp += INT16SZ;
+		if (!res_nameinquery(tname, ttype, tclass, buf2, eom2))
+			return (0);
+	}
+	return (1);
+}
+
+isc_result_t
+res_nsend(res_state statp,
+	  double *buf, unsigned buflen,
+	  double *ans, unsigned anssiz, unsigned *ansret)
+{
+	HEADER *hp = (HEADER *) buf;
+	HEADER *anhp = (HEADER *) ans;
+	int gotsomewhere, connreset, terrno, try, v_circuit, resplen, ns, n;
+	u_int badns;	/* XXX NSMAX can't exceed #/bits in this variable */
+	static int highestFD = FD_SETSIZE - 1;
+
+	if (anssiz < HFIXEDSZ) {
+		return ISC_R_INVALIDARG;
+	}
+	DprintQ((statp->options & RES_DEBUG) ||
+		(statp->pfcode & RES_PRF_QUERY),
+		(stdout, ";; res_send()\n"), buf, buflen);
+	v_circuit = (statp->options & RES_USEVC) || buflen > PACKETSZ;
+	gotsomewhere = 0;
+	connreset = 0;
+	terrno = ISC_R_TIMEDOUT;
+	badns = 0;
+
+	/*
+	 * Some callers want to even out the load on their resolver list.
+	 */
+	if (statp->nscount > 0 && (statp->options & RES_ROTATE) != 0) {
+		struct sockaddr_in ina;
+		int lastns = statp->nscount - 1;
+
+		ina = statp->nsaddr_list[0];
+		for (ns = 0; ns < lastns; ns++)
+			statp->nsaddr_list[ns] = statp->nsaddr_list[ns + 1];
+		statp->nsaddr_list[lastns] = ina;
+	}
+
+#if defined (TRACING)
+	trace_mr_statp_setup (statp);
+#endif
+
+	/*
+	 * Send request, RETRY times, or until successful
+	 */
+	for (try = 0; try < statp->retry; try++) {
+	    for (ns = 0; ns < statp->nscount; ns++) {
+		struct sockaddr_in *nsap = &statp->nsaddr_list[ns];
+ same_ns:
+		if (badns & (1 << ns)) {
+			res_nclose(statp);
+			goto next_ns;
+		}
+
+		if (statp->qhook) {
+			int done = 0, loops = 0;
+
+			do {
+				res_sendhookact act;
+
+				act = (*statp->qhook)(&nsap, &buf, &buflen,
+						      ans, anssiz, &resplen);
+				switch (act) {
+				case res_goahead:
+					done = 1;
+					break;
+				case res_nextns:
+					res_nclose(statp);
+					goto next_ns;
+				case res_done:
+					return (resplen);
+				case res_modified:
+					/* give the hook another try */
+					if (++loops < 42) /*doug adams*/
+						break;
+					/*FALLTHROUGH*/
+				case res_error:
+					/*FALLTHROUGH*/
+				default:
+					return ISC_R_UNEXPECTED;
+				}
+			} while (!done);
+		}
+
+		Dprint(statp->options & RES_DEBUG,
+		       (stdout, ";; Querying server (# %d) address = %s\n",
+			ns + 1, inet_ntoa(nsap->sin_addr)));
+
+		if (v_circuit) {
+			int truncated;
+			struct iovec iov[2];
+			u_short len;
+			u_char *cp;
+
+			/* Use VC; at most one attempt per server. */
+			try = statp->retry;
+			truncated = 0;
+
+			/* Are we still talking to whom we want to talk to? */
+			if (statp->_sock >= 0 &&
+			    (statp->_flags & RES_F_VC) != 0) {
+				struct sockaddr_in peer;
+				SOCKLEN_T size = sizeof(peer);
+
+				if (getpeername(statp->_sock,
+						(struct sockaddr *)&peer,
+						&size) < 0) {
+					res_nclose(statp);
+					statp->_flags &= ~RES_F_VC;
+				} else if (!cmpsock(&peer, nsap)) {
+					res_nclose(statp);
+					statp->_flags &= ~RES_F_VC;
+				}
+			}
+
+			if (statp->_sock < 0 ||
+			    (statp->_flags & RES_F_VC) == 0) {
+				if (statp->_sock >= 0)
+					res_nclose(statp);
+
+				statp->_sock = socket(PF_INET,
+						       SOCK_STREAM, 0);
+				if (statp->_sock < 0 ||
+				    statp->_sock > highestFD) {
+					terrno = uerr2isc (errno);
+					Perror(statp, stderr,
+					       "socket(vc)", errno);
+					return (-1);
+				}
+				errno = 0;
+				if (connect(statp->_sock,
+					    (struct sockaddr *)nsap,
+					    sizeof *nsap) < 0) {
+					terrno = uerr2isc (errno);
+					Aerror(statp, stderr, "connect/vc",
+					       errno, *nsap);
+					badns |= (1 << ns);
+					res_nclose(statp);
+					goto next_ns;
+				}
+				statp->_flags |= RES_F_VC;
+			}
+			/*
+			 * Send length & message
+			 */
+			putUShort((u_char*)&len, buflen);
+			iov[0].iov_base = (caddr_t)&len;
+			iov[0].iov_len = INT16SZ;
+			iov[1].iov_base = (const caddr_t)buf;
+			iov[1].iov_len = buflen;
+			if (writev(statp->_sock, iov, 2) !=
+			    (INT16SZ + buflen)) {
+				terrno = uerr2isc (errno);
+				Perror(statp, stderr, "write failed", errno);
+				badns |= (1 << ns);
+				res_nclose(statp);
+				goto next_ns;
+			}
+			/*
+			 * Receive length & response
+			 */
+ read_len:
+			cp = (u_char *)ans;
+			len = INT16SZ;
+			while ((n = read(statp->_sock,
+					 (char *)cp, (unsigned)len)) > 0) {
+				cp += n;
+				if ((len -= n) <= 0)
+					break;
+			}
+			if (n <= 0) {
+				terrno = uerr2isc (errno);
+				Perror(statp, stderr, "read failed", errno);
+				res_nclose(statp);
+				/*
+				 * A long running process might get its TCP
+				 * connection reset if the remote server was
+				 * restarted.  Requery the server instead of
+				 * trying a new one.  When there is only one
+				 * server, this means that a query might work
+				 * instead of failing.  We only allow one reset
+				 * per query to prevent looping.
+				 */
+				if (terrno == ISC_R_CONNREFUSED &&
+				    !connreset) {
+					connreset = 1;
+					res_nclose(statp);
+					goto same_ns;
+				}
+				res_nclose(statp);
+				goto next_ns;
+			}
+			resplen = getUShort ((unsigned char *)ans);
+			if (resplen > anssiz) {
+				Dprint(statp->options & RES_DEBUG,
+				       (stdout, ";; response truncated\n")
+				       );
+				truncated = 1;
+				len = anssiz;
+			} else
+				len = resplen;
+			if (len < HFIXEDSZ) {
+				/*
+				 * Undersized message.
+				 */
+				Dprint(statp->options & RES_DEBUG,
+				       (stdout, ";; undersized: %d\n", len));
+				terrno = ISC_R_NOSPACE;
+				badns |= (1 << ns);
+				res_nclose(statp);
+				goto next_ns;
+			}
+			cp = (u_char *)ans;
+			while (len != 0 &&
+			       (n = read(statp->_sock,
+					 (char *)cp, (unsigned)len))
+			       > 0) {
+				cp += n;
+				len -= n;
+			}
+			if (n <= 0) {
+				terrno = uerr2isc (errno);
+				Perror(statp, stderr, "read(vc)", errno);
+				res_nclose(statp);
+				goto next_ns;
+			}
+			if (truncated) {
+				/*
+				 * Flush rest of answer
+				 * so connection stays in synch.
+				 */
+				anhp->tc = 1;
+				len = resplen - anssiz;
+				while (len != 0) {
+					char junk[PACKETSZ];
+
+					n = (len > sizeof(junk)
+					     ? sizeof(junk)
+					     : len);
+					n = read(statp->_sock,
+						 junk, (unsigned)n);
+					if (n > 0)
+						len -= n;
+					else
+						break;
+				}
+			}
+			/*
+			 * The calling applicating has bailed out of
+			 * a previous call and failed to arrange to have
+			 * the circuit closed or the server has got
+			 * itself confused. Anyway drop the packet and
+			 * wait for the correct one.
+			 */
+			if (hp->id != anhp->id) {
+				DprintQ((statp->options & RES_DEBUG) ||
+					(statp->pfcode & RES_PRF_REPLY),
+					(stdout,
+					 ";; old answer (unexpected):\n"),
+					ans, (resplen>anssiz)?anssiz:resplen);
+				goto read_len;
+			}
+		} else {
+			/*
+			 * Use datagrams.
+			 */
+			int start, timeout, finish;
+			fd_set dsmask;
+			struct sockaddr_in from;
+			SOCKLEN_T fromlen;
+			int seconds;
+
+			if (statp->_sock < 0 ||
+			    (statp->_flags & RES_F_VC) != 0) {
+				if ((statp->_flags & RES_F_VC) != 0)
+					res_nclose(statp);
+				statp->_sock = socket(PF_INET, SOCK_DGRAM, 0);
+				if (statp->_sock < 0 ||
+				    statp->_sock > highestFD) {
+#ifndef CAN_RECONNECT
+ bad_dg_sock:
+#endif
+					terrno = uerr2isc (errno);
+					Perror(statp, stderr,
+					       "socket(dg)", errno);
+					return terrno;
+				}
+				statp->_flags &= ~RES_F_CONN;
+			}
+#ifndef CANNOT_CONNECT_DGRAM
+			/*
+			 * On a 4.3BSD+ machine (client and server,
+			 * actually), sending to a nameserver datagram
+			 * port with no nameserver will cause an
+			 * ICMP port unreachable message to be returned.
+			 * If our datagram socket is "connected" to the
+			 * server, we get an ECONNREFUSED error on the next
+			 * socket operation, and select returns if the
+			 * error message is received.  We can thus detect
+			 * the absence of a nameserver without timing out.
+			 * If we have sent queries to at least two servers,
+			 * however, we don't want to remain connected,
+			 * as we wish to receive answers from the first
+			 * server to respond.
+			 */
+			if (statp->nscount == 1 || (try == 0 && ns == 0)) {
+				/*
+				 * Connect only if we are sure we won't
+				 * receive a response from another server.
+				 */
+				if ((statp->_flags & RES_F_CONN) == 0) {
+					if (connect(statp->_sock,
+						    (struct sockaddr *)nsap,
+						    sizeof *nsap) < 0) {
+						Aerror(statp, stderr,
+						       "connect(dg)",
+						       errno, *nsap);
+						badns |= (1 << ns);
+						res_nclose(statp);
+						goto next_ns;
+					}
+					statp->_flags |= RES_F_CONN;
+				}
+                              if (send(statp->_sock,
+				       (const char*)buf, (unsigned)buflen, 0)
+				  != buflen) {
+					Perror(statp, stderr, "send", errno);
+					badns |= (1 << ns);
+					res_nclose(statp);
+					goto next_ns;
+				}
+			} else {
+				/*
+				 * Disconnect if we want to listen
+				 * for responses from more than one server.
+				 */
+				if ((statp->_flags & RES_F_CONN) != 0) {
+#ifdef CAN_RECONNECT
+					struct sockaddr_in no_addr;
+
+					no_addr.sin_family = AF_INET;
+					no_addr.sin_addr.s_addr = INADDR_ANY;
+					no_addr.sin_port = 0;
+					(void) connect(statp->_sock,
+						       (struct sockaddr *)
+						        &no_addr,
+						       sizeof no_addr);
+#else
+					struct sockaddr_in local_addr;
+					SOCKLEN_T len;
+					int result, s1;
+
+					len = sizeof(local_addr);
+					s1 = socket(PF_INET, SOCK_DGRAM, 0);
+					result = getsockname(statp->_sock,
+						(struct sockaddr *)&local_addr,
+							     &len);
+					if (s1 < 0)
+						goto bad_dg_sock;
+					(void) dup2(s1, statp->_sock);
+					(void) close(s1);
+					if (result == 0) {
+						/*
+						 * Attempt to rebind to old
+						 * port.  Note connected socket
+						 * has an sin_addr set.
+						 */
+						local_addr.sin_addr.s_addr =
+							htonl(0);
+						(void)bind(statp->_sock,
+							   (struct sockaddr *)
+							   &local_addr,
+							   (unsigned)len);
+					}
+					Dprint(statp->options & RES_DEBUG,
+					       (stdout, ";; new DG socket\n"))
+#endif /* CAN_RECONNECT */
+					statp->_flags &= ~RES_F_CONN;
+					errno = 0;
+				}
+#endif /* !CANNOT_CONNECT_DGRAM */
+				if (sendto(statp->_sock,
+					   (const char *)buf, buflen, 0,
+					   (struct sockaddr *)nsap,
+					   sizeof *nsap)
+				    != buflen) {
+					Aerror(statp, stderr, "sendto", errno, *nsap);
+					badns |= (1 << ns);
+					res_nclose(statp);
+					goto next_ns;
+				}
+#ifndef CANNOT_CONNECT_DGRAM
+			}
+#endif /* !CANNOT_CONNECT_DGRAM */
+
+			if (statp->_sock < 0 || statp->_sock > highestFD) {
+				Perror(statp, stderr,
+				       "fd out-of-bounds", EMFILE);
+				res_nclose(statp);
+				goto next_ns;
+			}
+
+			/*
+			 * Wait for reply
+			 */
+			seconds = (statp->retrans << try);
+			if (try > 0)
+				seconds /= statp->nscount;
+			if (seconds <= 0)
+				seconds = 1;
+			start = cur_time;
+			timeout = seconds;
+			finish = start + timeout;
+ wait:
+			FD_ZERO(&dsmask);
+			FD_SET(statp->_sock, &dsmask);
+			{
+				struct timeval t;
+				t.tv_sec = timeout;
+				t.tv_usec = 0;
+				n = select(statp->_sock + 1,
+					   &dsmask, NULL, NULL, &t);
+			}
+			if (n == 0) {
+				Dprint(statp->options & RES_DEBUG,
+				       (stdout, ";; timeout\n"));
+				gotsomewhere = 1;
+				goto next_ns;
+			}
+			if (n < 0) {
+				if (errno == EINTR) {
+					if (finish >= cur_time) {
+						timeout = finish - cur_time;
+						goto wait;
+					}
+				}
+				Perror(statp, stderr, "select", errno);
+				res_nclose(statp);
+				goto next_ns;
+			}
+			errno = 0;
+			fromlen = sizeof(struct sockaddr_in);
+			resplen = recvfrom(statp->_sock,
+					   (char *)ans, anssiz, 0,
+					   (struct sockaddr *)&from, &fromlen);
+			if (resplen <= 0) {
+				Perror(statp, stderr, "recvfrom", errno);
+				res_nclose(statp);
+				goto next_ns;
+			}
+			gotsomewhere = 1;
+			if (resplen < HFIXEDSZ) {
+				/*
+				 * Undersized message.
+				 */
+				Dprint(statp->options & RES_DEBUG,
+				       (stdout, ";; undersized: %d\n",
+					resplen));
+				terrno = ISC_R_NOSPACE;
+				badns |= (1 << ns);
+				res_nclose(statp);
+				goto next_ns;
+			}
+			if (hp->id != anhp->id) {
+				/*
+				 * response from old query, ignore it.
+				 * XXX - potential security hazard could
+				 *	 be detected here.
+				 */
+				DprintQ((statp->options & RES_DEBUG) ||
+					(statp->pfcode & RES_PRF_REPLY),
+					(stdout, ";; old answer:\n"),
+					ans, (resplen>anssiz)?anssiz:resplen);
+				goto wait;
+			}
+#ifdef CHECK_SRVR_ADDR
+			if (!(statp->options & RES_INSECURE1) &&
+			    !res_ourserver_p(statp, &from)) {
+				/*
+				 * response from wrong server? ignore it.
+				 * XXX - potential security hazard could
+				 *	 be detected here.
+				 */
+				DprintQ((statp->options & RES_DEBUG) ||
+					(statp->pfcode & RES_PRF_REPLY),
+					(stdout, ";; not our server:\n"),
+					ans, (resplen>anssiz)?anssiz:resplen);
+				goto wait;
+			}
+#endif
+			if (!(statp->options & RES_INSECURE2) &&
+			    !res_queriesmatch((u_char *)buf,
+					      ((u_char *)buf) + buflen,
+					      (u_char *)ans,
+					      ((u_char *)ans) + anssiz)) {
+				/*
+				 * response contains wrong query? ignore it.
+				 * XXX - potential security hazard could
+				 *	 be detected here.
+				 */
+				DprintQ((statp->options & RES_DEBUG) ||
+					(statp->pfcode & RES_PRF_REPLY),
+					(stdout, ";; wrong query name:\n"),
+					ans, (resplen>anssiz)?anssiz:resplen);
+				goto wait;
+			}
+			if (anhp->rcode == SERVFAIL ||
+			    anhp->rcode == NOTIMP ||
+			    anhp->rcode == REFUSED) {
+				DprintQ(statp->options & RES_DEBUG,
+					(stdout, "server rejected query:\n"),
+					ans, (resplen>anssiz)?anssiz:resplen);
+				badns |= (1 << ns);
+				res_nclose(statp);
+				/* don't retry if called from dig */
+				if (!statp->pfcode)
+					goto next_ns;
+			}
+			if (!(statp->options & RES_IGNTC) && anhp->tc) {
+				/*
+				 * get rest of answer;
+				 * use TCP with same server.
+				 */
+				Dprint(statp->options & RES_DEBUG,
+				       (stdout, ";; truncated answer\n"));
+				v_circuit = 1;
+				res_nclose(statp);
+				goto same_ns;
+			}
+		} /*if vc/dg*/
+		Dprint((statp->options & RES_DEBUG) ||
+		       ((statp->pfcode & RES_PRF_REPLY) &&
+			(statp->pfcode & RES_PRF_HEAD1)),
+		       (stdout, ";; got answer:\n"));
+		DprintQ((statp->options & RES_DEBUG) ||
+			(statp->pfcode & RES_PRF_REPLY),
+			(stdout, ""),
+			ans, (resplen>anssiz)?anssiz:resplen);
+		/*
+		 * If using virtual circuits, we assume that the first server
+		 * is preferred over the rest (i.e. it is on the local
+		 * machine) and only keep that one open.
+		 * If we have temporarily opened a virtual circuit,
+		 * or if we haven't been asked to keep a socket open,
+		 * close the socket.
+		 */
+		if ((v_circuit && (!(statp->options & RES_USEVC) || ns != 0)) ||
+		    !(statp->options & RES_STAYOPEN)) {
+			res_nclose(statp);
+		}
+		if (statp->rhook) {
+			int done = 0, loops = 0;
+
+			do {
+				res_sendhookact act;
+
+				act = (*statp->rhook)(nsap, buf, buflen,
+						      ans, anssiz, &resplen);
+				switch (act) {
+				case res_goahead:
+				case res_done:
+					done = 1;
+					break;
+				case res_nextns:
+					res_nclose(statp);
+					goto next_ns;
+				case res_modified:
+					/* give the hook another try */
+					if (++loops < 42) /*doug adams*/
+						break;
+					/*FALLTHROUGH*/
+				case res_error:
+					/*FALLTHROUGH*/
+				default:
+					return ISC_R_UNEXPECTED;
+				}
+			} while (!done);
+
+		}
+		*ansret = resplen;
+		return ISC_R_SUCCESS;
+ next_ns: ;
+	   } /*foreach ns*/
+	} /*foreach retry*/
+	res_nclose(statp);
+	if (!v_circuit) {
+		if (!gotsomewhere)
+			terrno = ISC_R_CONNREFUSED;  /* no nameservers found */
+		else
+			errno = ISC_R_TIMEDOUT;	/* no answer obtained */
+	}
+	return terrno;
+}
+
+/*
+ * This routine is for closing the socket if a virtual circuit is used and
+ * the program wants to close it.  This provides support for endhostent()
+ * which expects to close the socket.
+ *
+ * This routine is not expected to be user visible.
+ */
+void
+res_nclose(res_state statp) {
+	if (statp->_sock >= 0) {
+		(void) close(statp->_sock);
+		statp->_sock = -1;
+		statp->_flags &= ~(RES_F_VC | RES_F_CONN);
+	}
+}
+
+/* Private */
+static int
+cmpsock(struct sockaddr_in *a1, struct sockaddr_in *a2) {
+	return ((a1->sin_family == a2->sin_family) &&
+		(a1->sin_port == a2->sin_port) &&
+		(a1->sin_addr.s_addr == a2->sin_addr.s_addr));
+}
+
+#ifdef NEED_PSELECT
+/* XXX needs to move to the porting library. */
+static int
+pselect(int nfds, void *rfds, void *wfds, void *efds,
+	struct timespec *tsp,
+	const sigset_t *sigmask)
+{
+	struct timeval tv, *tvp;
+	sigset_t sigs;
+	int n;
+
+	if (tsp) {
+		tvp = &tv;
+		tv = evTimeVal(*tsp);
+	} else
+		tvp = NULL;
+	if (sigmask)
+		sigprocmask(SIG_SETMASK, sigmask, &sigs);
+	n = select(nfds, rfds, wfds, efds, tvp);
+	if (sigmask)
+		sigprocmask(SIG_SETMASK, &sigs, NULL);
+	if (tsp)
+		*tsp = evTimeSpec(tv);
+	return (n);
+}
+#endif
diff --git a/contrib/isc-dhcp/minires/res_sendsigned.c b/contrib/isc-dhcp/minires/res_sendsigned.c
new file mode 100644
index 0000000..be213af
--- /dev/null
+++ b/contrib/isc-dhcp/minires/res_sendsigned.c
@@ -0,0 +1,116 @@
+#include <sys/types.h>
+#include <sys/param.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/socket.h>
+
+#include <errno.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "minires/minires.h"
+#include "arpa/nameser.h"
+
+#include <isc-dhcp/dst.h>
+
+/* res_nsendsigned */
+isc_result_t
+res_nsendsigned(res_state statp,
+		double *msg, unsigned msglen, ns_tsig_key *key,
+		double *answer, unsigned anslen, unsigned *anssize)
+{
+	res_state nstatp;
+	DST_KEY *dstkey;
+	int usingTCP = 0;
+	double *newmsg;
+	unsigned newmsglen;
+	unsigned bufsize, siglen;
+	u_char sig[64];
+	HEADER *hp;
+	time_t tsig_time;
+	unsigned ret;
+	isc_result_t rcode;
+
+	dst_init();
+
+	nstatp = (res_state) malloc(sizeof(*statp));
+	if (nstatp == NULL)
+		return ISC_R_NOMEMORY;
+	memcpy(nstatp, statp, sizeof(*statp));
+
+	bufsize = msglen + 1024;
+	newmsg = (double *) malloc(bufsize);
+	if (newmsg == NULL)
+		return ISC_R_NOMEMORY;
+	memcpy(newmsg, msg, msglen);
+	newmsglen = msglen;
+
+	if (ns_samename(key->alg, NS_TSIG_ALG_HMAC_MD5) != 1)
+		dstkey = NULL;
+	else
+		dstkey = dst_buffer_to_key(key->name, KEY_HMAC_MD5,
+					   NS_KEY_TYPE_AUTH_ONLY,
+					   NS_KEY_PROT_ANY,
+					   key->data, key->len);
+	if (dstkey == NULL) {
+		free(nstatp);
+		free(newmsg);
+		return ISC_R_BADKEY;
+	}
+
+	nstatp->nscount = 1;
+	siglen = sizeof(sig);
+	rcode = ns_sign((u_char *)newmsg, &newmsglen, bufsize,
+			NOERROR, dstkey, NULL, 0,
+			sig, &siglen, 0);
+	if (rcode != ISC_R_SUCCESS) {
+		free (nstatp);
+		free (newmsg);
+		return rcode;
+	}
+
+	if (newmsglen > PACKETSZ || (nstatp->options & RES_IGNTC))
+		usingTCP = 1;
+	if (usingTCP == 0)
+		nstatp->options |= RES_IGNTC;
+	else
+		nstatp->options |= RES_USEVC;
+
+retry:
+
+	rcode = res_nsend(nstatp, newmsg, newmsglen, answer, anslen, &ret);
+	if (rcode != ISC_R_SUCCESS) {
+		free (nstatp);
+		free (newmsg);
+		return rcode;
+	}
+
+	anslen = ret;
+	rcode = ns_verify((u_char *)answer, &anslen, dstkey, sig, siglen,
+			  NULL, NULL, &tsig_time,
+			  (nstatp->options & RES_KEEPTSIG) ? 1 : 0);
+	if (rcode != ISC_R_SUCCESS) {
+		Dprint(nstatp->pfcode & RES_PRF_REPLY,
+		       (stdout, ";; TSIG invalid (%s)\n", p_rcode(ret)));
+		free (nstatp);
+		free (newmsg);
+		return rcode;
+	}
+	Dprint(nstatp->pfcode & RES_PRF_REPLY, (stdout, ";; TSIG ok\n"));
+
+	hp = (HEADER *) answer;
+	if (hp->tc && usingTCP == 0) {
+		nstatp->options &= ~RES_IGNTC;
+		usingTCP = 1;
+		goto retry;
+	}
+
+	free (nstatp);
+	free (newmsg);
+	*anssize = anslen;
+	return ISC_R_SUCCESS;
+}
diff --git a/contrib/isc-dhcp/minires/res_update.c b/contrib/isc-dhcp/minires/res_update.c
new file mode 100644
index 0000000..5fda1a6
--- /dev/null
+++ b/contrib/isc-dhcp/minires/res_update.c
@@ -0,0 +1,219 @@
+#if !defined(lint) && !defined(SABER)
+static const char rcsid[] = "$Id: res_update.c,v 1.11.2.2 2001/06/08 23:12:45 mellon Exp $";
+#endif /* not lint */
+
+/*
+ * Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*
+ * Based on the Dynamic DNS reference implementation by Viraj Bais
+ * <viraj_bais@ccm.fm.intel.com>
+ */
+
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <errno.h>
+#include <limits.h>
+#include <netdb.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc-dhcp/list.h>
+#include "minires/minires.h"
+#include "arpa/nameser.h"
+
+/*
+ * Separate a linked list of records into groups so that all records
+ * in a group will belong to a single zone on the nameserver.
+ * Create a dynamic update packet for each zone and send it to the
+ * nameservers for that zone, and await answer.
+ * Abort if error occurs in updating any zone.
+ * Return the number of zones updated on success, < 0 on error.
+ *
+ * On error, caller must deal with the unsynchronized zones
+ * eg. an A record might have been successfully added to the forward
+ * zone but the corresponding PTR record would be missing if error
+ * was encountered while updating the reverse zone.
+ */
+
+struct zonegrp {
+	char z_origin[MAXDNAME];
+	ns_class z_class;
+	struct in_addr z_nsaddrs[MAXNS];
+	int z_nscount;
+	int z_flags;
+	ISC_LIST(ns_updrec) z_rrlist;
+	ISC_LINK(struct zonegrp) z_link;
+};
+
+#define ZG_F_ZONESECTADDED	0x0001
+
+/* Forward. */
+
+static int	nscopy(struct sockaddr_in *, const struct sockaddr_in *, int);
+static int	nsprom(struct sockaddr_in *, const struct in_addr *, int);
+
+void tkey_free (ns_tsig_key **);
+
+isc_result_t
+res_nupdate(res_state statp, ns_updrec *rrecp_in) {
+	ns_updrec *rrecp;
+	double answer[PACKETSZ / sizeof (double)];
+	double packet[2*PACKETSZ / sizeof (double)];
+	struct zonegrp *zptr, tgrp;
+	int nzones = 0, nscount = 0;
+	unsigned n;
+	unsigned rval;
+	struct sockaddr_in nsaddrs[MAXNS];
+	ns_tsig_key *key;
+	void *zcookie = 0;
+	void *zcookp = &zcookie;
+	isc_result_t rcode;
+
+      again:
+	/* Make sure all the updates are in the same zone, and find out
+	   what zone they are in. */
+	zptr = NULL;
+	for (rrecp = rrecp_in; rrecp; rrecp = ISC_LIST_NEXT(rrecp, r_link)) {
+		/* Find the origin for it if there is one. */
+		tgrp.z_class = rrecp->r_class;
+		rcode = res_findzonecut(statp, rrecp->r_dname, tgrp.z_class,
+					RES_EXHAUSTIVE,
+					tgrp.z_origin,
+					sizeof tgrp.z_origin,
+					tgrp.z_nsaddrs, MAXNS, &tgrp.z_nscount,
+					zcookp);
+		if (rcode != ISC_R_SUCCESS)
+			goto done;
+		if (tgrp.z_nscount <= 0) {
+			rcode = ISC_R_NOTZONE;
+			goto done;
+		}
+		/* Make a group for it if there isn't one. */
+		if (zptr == NULL) {
+			zptr = malloc(sizeof *zptr);
+			if (zptr == NULL) {
+				rcode = ISC_R_NOMEMORY;
+				goto done;
+			}
+			*zptr = tgrp;
+			zptr->z_flags = 0;
+			ISC_LIST_INIT(zptr->z_rrlist);
+		} else if (ns_samename(tgrp.z_origin, zptr->z_origin) == 0 ||
+			   tgrp.z_class != zptr->z_class) {
+			/* Some of the records are in different zones. */
+			rcode = ISC_R_CROSSZONE;
+			goto done;
+		}
+		/* Thread this rrecp onto the zone group. */
+		ISC_LIST_APPEND(zptr->z_rrlist, rrecp, r_glink);
+	}
+
+	/* Construct zone section and prepend it. */
+	rrecp = res_mkupdrec(ns_s_zn, zptr->z_origin,
+			     zptr->z_class, ns_t_soa, 0);
+	if (rrecp == NULL) {
+		rcode = ISC_R_UNEXPECTED;
+		goto done;
+	}
+	ISC_LIST_PREPEND(zptr->z_rrlist, rrecp, r_glink);
+	zptr->z_flags |= ZG_F_ZONESECTADDED;
+
+	/* Marshall the update message. */
+	n = sizeof packet;
+	rcode = res_nmkupdate(statp,
+			      ISC_LIST_HEAD(zptr->z_rrlist), packet, &n);
+	if (rcode != ISC_R_SUCCESS)
+		goto done;
+
+	/* Temporarily replace the resolver's nameserver set. */
+	nscount = nscopy(nsaddrs, statp->nsaddr_list, statp->nscount);
+	statp->nscount = nsprom(statp->nsaddr_list,
+				zptr->z_nsaddrs, zptr->z_nscount);
+
+	/* Send the update and remember the result. */
+	key = (ns_tsig_key *)0;
+	rcode = find_tsig_key (&key, zptr->z_origin, zcookie);
+	if (rcode == ISC_R_SUCCESS) {
+		rcode = res_nsendsigned(statp, packet, n, key,
+					answer, sizeof answer, &rval);
+		tkey_free (&key);
+	} else if (rcode == ISC_R_NOTFOUND || rcode == ISC_R_KEY_UNKNOWN) {
+		rcode = res_nsend(statp, packet, n,
+				  answer, sizeof answer, &rval);
+	}
+	if (rcode != ISC_R_SUCCESS)
+		goto undone;
+
+	rcode = ns_rcode_to_isc (((HEADER *)answer)->rcode);
+	if (zcookie && rcode == ISC_R_BADSIG) {
+		repudiate_zone (&zcookie);
+	}
+
+ undone:
+	/* Restore resolver's nameserver set. */
+	statp->nscount = nscopy(statp->nsaddr_list, nsaddrs, nscount);
+	nscount = 0;
+ done:
+	if (zptr) {
+		if ((zptr->z_flags & ZG_F_ZONESECTADDED) != 0)
+			res_freeupdrec(ISC_LIST_HEAD(zptr->z_rrlist));
+		free(zptr);
+	}
+
+	/* If the update failed because we used a cached zone and it
+	   didn't work, try it again without the cached zone. */
+	if (zcookp && (rcode == ISC_R_NOTZONE || rcode == ISC_R_BADSIG)) {
+		zcookp = 0;
+		goto again;
+	}
+
+	if (zcookie)
+		forget_zone (&zcookie);
+	return rcode;
+}
+
+/* Private. */
+
+static int
+nscopy(struct sockaddr_in *dst, const struct sockaddr_in *src, int n) {
+	int i;
+
+	for (i = 0; i < n; i++)
+		dst[i] = src[i];
+	return (n);
+}
+
+static int
+nsprom(struct sockaddr_in *dst, const struct in_addr *src, int n) {
+	int i;
+
+	for (i = 0; i < n; i++) {
+		memset(&dst[i], 0, sizeof dst[i]);
+		dst[i].sin_family = AF_INET;
+		dst[i].sin_port = htons(NS_DEFAULTPORT);
+		dst[i].sin_addr = src[i];
+	}
+	return (n);
+}