1 files changed, 36 insertions, 11 deletions

diff --git a/contrib/bind9/lib/dns/rdata/generic/nsec3_50.h b/contrib/bind9/lib/dns/rdata/generic/nsec3_50.h
index 69a1141..5f2afb8 100644
--- a/contrib/bind9/lib/dns/rdata/generic/nsec3_50.h
+++ b/contrib/bind9/lib/dns/rdata/generic/nsec3_50.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2008, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -46,7 +46,16 @@ typedef struct dns_rdata_nsec3 {
 #define DNS_NSEC3FLAG_OPTOUT 0x01U
 
 /*%
- * Non-standard, NSEC3PARAM only.
+ * The following flags are used in the private-type record (implemented in
+ * lib/dns/private.c) which is used to store NSEC3PARAM data during the
+ * time when it is not legal to have an actual NSEC3PARAM record in the
+ * zone.  They are defined here because the private-type record uses the
+ * same flags field for the OPTOUT flag above and for the private flags
+ * below.  XXX: This should be considered for refactoring.
+ */
+
+/*%
+ * Non-standard, private type only.
  *
  * Create a corresponding NSEC3 chain.
  * Once the NSEC3 chain is complete this flag will be removed to signal
@@ -55,13 +64,14 @@ typedef struct dns_rdata_nsec3 {
  * This flag is automatically set when a NSEC3PARAM record is added to
  * the zone via UPDATE.
  *
- * NSEC3PARAM records with this flag set are supposed to be ignored by
- * RFC 5155 compliant nameservers.
+ * NSEC3PARAM records containing this flag should never be published,
+ * but if they are, they should be ignored by RFC 5155 compliant
+ * nameservers.
  */
 #define DNS_NSEC3FLAG_CREATE 0x80U
 
 /*%
- * Non-standard, NSEC3PARAM only.
+ * Non-standard, private type only.
  *
  * The corresponding NSEC3 set is to be removed once the NSEC chain
  * has been generated.
@@ -69,24 +79,39 @@ typedef struct dns_rdata_nsec3 {
  * This flag is automatically set when the last active NSEC3PARAM record
  * is removed from the zone via UPDATE.
  *
- * NSEC3PARAM records with this flag set are supposed to be ignored by
- * RFC 5155 compliant nameservers.
+ * NSEC3PARAM records containing this flag should never be published,
+ * but if they are, they should be ignored by RFC 5155 compliant
+ * nameservers.
  */
 #define DNS_NSEC3FLAG_REMOVE 0x40U
 
 /*%
- * Non-standard, NSEC3PARAM only.
+ * Non-standard, private type only.
  *
- * Used to identify NSEC3PARAM records added in this UPDATE request.
+ * When set with the CREATE flag, a corresponding NSEC3 chain will be
+ * created when the zone becomes capable of supporting one (i.e., when it
+ * has a DNSKEY RRset containing at least one NSEC3-capable algorithm).
+ * Without this flag, NSEC3 chain creation would be attempted immediately,
+ * fail, and the private type record would be removed.  With it, the NSEC3
+ * parameters are stored until they can be used.  When the zone has the
+ * necessary prerequisites for NSEC3, then the INITIAL flag can be cleared,
+ * and the record will be cleaned up normally.
+ *
+ * NSEC3PARAM records containing this flag should never be published, but
+ * if they are, they should be ignored by RFC 5155 compliant nameservers.
  */
-#define DNS_NSEC3FLAG_UPDATE 0x20U
+#define DNS_NSEC3FLAG_INITIAL 0x20U
 
 /*%
- * Non-standard, NSEC3PARAM only.
+ * Non-standard, private type only.
  *
  * Prevent the creation of a NSEC chain before the last NSEC3 chain
  * is removed.  This will normally only be set when the zone is
  * transitioning from secure with NSEC3 chains to insecure.
+ *
+ * NSEC3PARAM records containing this flag should never be published,
+ * but if they are, they should be ignored by RFC 5155 compliant
+ * nameservers.
  */
 #define DNS_NSEC3FLAG_NONSEC 0x10U