Pull up following revision(s) (requested by spz in ticket #1404): netbsd-7
authorsnj <snj@NetBSD.org>
Fri, 21 Apr 2017 05:23:16 +0000
branchnetbsd-7
changeset 255169 100f91761a81
parent 255168 9daf5e8999cd
child 255170 60db82f47f26
Pull up following revision(s) (requested by spz in ticket #1404): doc/3RDPARTY: 1.1430 via patch external/bsd/bind/dist/CHANGES: up to 1.26 external/bsd/bind/dist/COPYRIGHT: up to 1.1.1.11 external/bsd/bind/dist/README: up to 1.14 external/bsd/bind/dist/bin/named/query.c: up to 1.24 external/bsd/bind/dist/bin/tests/system/dname/ans3/ans.pl: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/dname/ns1/root.db: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/dname/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/rndc/tests.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/rpz/tests.sh: up to 1.1.1.13 external/bsd/bind/dist/bind.keys: up to 1.1.1.6 external/bsd/bind/dist/bind.keys.h: up to 1.1.1.4 external/bsd/bind/dist/configure: up to 1.7 external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.24 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.21 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.26 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.27 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.23 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.pdf: up to 1.19 external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.14 
external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.host.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.lwresd.html: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.named.conf.html: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/man.named.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.14 external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.12 external/bsd/bind/dist/lib/dns/api: up to 1.14 external/bsd/bind/dist/lib/dns/rdataset.c: up to 1.10 
external/bsd/bind/dist/lib/dns/resolver.c: up to 1.30 external/bsd/bind/dist/lib/isc/include/isc/lex.h: up to 1.5 external/bsd/bind/dist/lib/isc/lex.c: up to 1.8 external/bsd/bind/dist/srcid: up to 1.20 external/bsd/bind/dist/version: up to 1.24 Update BIND to 9.10.4-P8.
doc/3RDPARTY
external/bsd/bind/dist/CHANGES
external/bsd/bind/dist/COPYRIGHT
external/bsd/bind/dist/README
external/bsd/bind/dist/bin/named/query.c
external/bsd/bind/dist/bin/tests/system/dname/ans3/ans.pl
external/bsd/bind/dist/bin/tests/system/dname/ns1/root.db
external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db
external/bsd/bind/dist/bin/tests/system/dname/tests.sh
external/bsd/bind/dist/bin/tests/system/rndc/tests.sh
external/bsd/bind/dist/bin/tests/system/rpz/tests.sh
external/bsd/bind/dist/bind.keys
external/bsd/bind/dist/bind.keys.h
external/bsd/bind/dist/configure
external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html
external/bsd/bind/dist/doc/arm/Bv9ARM.html
external/bsd/bind/dist/doc/arm/Bv9ARM.pdf
external/bsd/bind/dist/doc/arm/man.arpaname.html
external/bsd/bind/dist/doc/arm/man.ddns-confgen.html
external/bsd/bind/dist/doc/arm/man.delv.html
external/bsd/bind/dist/doc/arm/man.dig.html
external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html
external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html
external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html
external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html
external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html
external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html
external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html
external/bsd/bind/dist/doc/arm/man.dnssec-settime.html
external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html
external/bsd/bind/dist/doc/arm/man.dnssec-verify.html
external/bsd/bind/dist/doc/arm/man.genrandom.html
external/bsd/bind/dist/doc/arm/man.host.html
external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html
external/bsd/bind/dist/doc/arm/man.lwresd.html
external/bsd/bind/dist/doc/arm/man.named-checkconf.html
external/bsd/bind/dist/doc/arm/man.named-checkzone.html
external/bsd/bind/dist/doc/arm/man.named-journalprint.html
external/bsd/bind/dist/doc/arm/man.named-rrchecker.html
external/bsd/bind/dist/doc/arm/man.named.conf.html
external/bsd/bind/dist/doc/arm/man.named.html
external/bsd/bind/dist/doc/arm/man.nsec3hash.html
external/bsd/bind/dist/doc/arm/man.nsupdate.html
external/bsd/bind/dist/doc/arm/man.rndc-confgen.html
external/bsd/bind/dist/doc/arm/man.rndc.conf.html
external/bsd/bind/dist/doc/arm/man.rndc.html
external/bsd/bind/dist/doc/arm/notes.html
external/bsd/bind/dist/doc/arm/notes.pdf
external/bsd/bind/dist/doc/arm/notes.xml
external/bsd/bind/dist/lib/dns/api
external/bsd/bind/dist/lib/dns/rdataset.c
external/bsd/bind/dist/lib/dns/resolver.c
external/bsd/bind/dist/lib/isc/include/isc/lex.h
external/bsd/bind/dist/lib/isc/lex.c
external/bsd/bind/dist/srcid
external/bsd/bind/dist/version
--- a/doc/3RDPARTY	Thu Apr 20 07:07:28 2017 +0000
+++ b/doc/3RDPARTY	Fri Apr 21 05:23:16 2017 +0000
@@ -1,4 +1,4 @@
-#	$NetBSD: 3RDPARTY,v 1.1145.2.39 2017/04/20 06:47:28 snj Exp $
+#	$NetBSD: 3RDPARTY,v 1.1145.2.40 2017/04/21 05:23:16 snj Exp $
 #
 # This file contains a list of the software that has been integrated into
 # NetBSD where we are not the primary maintainer.
@@ -113,8 +113,8 @@
 bc includes dc, both of which are in the NetBSD tree.
 
 Package:	bind [named and utils]
-Version:	9.10.4-P6
-Current Vers:	9.10.4-P6
+Version:	9.10.4-P8
+Current Vers:	9.10.4-P8
 Maintainer:	Paul Vixie <vixie@vix.com>
 Archive Site:	ftp://ftp.isc.org/isc/bind9/
 Home Page:	http://www.isc.org/software/bind/
--- a/external/bsd/bind/dist/CHANGES	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/CHANGES	Fri Apr 21 05:23:16 2017 +0000
@@ -1,7 +1,27 @@
+	--- 9.10.4-P8 released ---
+
+4582.	[security]	'rndc ""' could trigger a assertion failure in named.
+			(CVE-2017-3138) [RT #44924]
+
+4580.	[bug]		4578 introduced a regression when handling CNAME to
+			referral below the current domain. [RT #44850]
+
+	--- 9.10.4-P7 released ---
+
+4578.	[security]	Some chaining (CNAME or DNAME) responses to upstream
+			queries could trigger assertion failures.
+			(CVE-2017-3137) [RT #44734]
+
+4575.	[security]	DNS64 with "break-dnssec yes;" can result in an
+			assertion failure. (CVE-2017-3136) [RT #44653]
+
+4564.	[maint]		Update the built in managed keys to include the
+			upcoming root KSK. [RT #44579]
+
 	--- 9.10.4-P6 released ---
 
 4558.	[bug]		Synthesised CNAME before matching DNAME was still
-			being cached when it should have been.  [RT #44318]
+			being cached when it should not have been. [RT #44318]
 
 4557.	[security]	Combining dns64 and rpz can result in dereferencing
 			a NULL pointer (read).  (CVE-2017-3135) [RT#44434]
--- a/external/bsd/bind/dist/COPYRIGHT	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/COPYRIGHT	Fri Apr 21 05:23:16 2017 +0000
@@ -1,4 +1,4 @@
-Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2004-2017  Internet Systems Consortium, Inc. ("ISC")
 Copyright (C) 1996-2003  Internet Software Consortium.
 
 Permission to use, copy, modify, and/or distribute this software for any
--- a/external/bsd/bind/dist/README	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/README	Fri Apr 21 05:23:16 2017 +0000
@@ -51,6 +51,11 @@
 	For up-to-date release notes and errata, see
 	http://www.isc.org/software/bind9/releasenotes
 
+BIND 9.10.4-P7
+
+	This version contains fixes for CVE-2017-3136 and CVE-2017-3137,
+	and updates the built in trusted keys for the root zone.
+
 BIND 9.10.4-P6
 
 	This version contains a fix for CVE-2017-3135, and a bug fix
--- a/external/bsd/bind/dist/bin/named/query.c	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/bin/named/query.c	Fri Apr 21 05:23:16 2017 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: query.c,v 1.16.2.6 2017/02/20 15:48:20 sborrill Exp $	*/
+/*	$NetBSD: query.c,v 1.16.2.7 2017/04/21 05:23:17 snj Exp $	*/
 
 /*
- * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2017  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -8221,6 +8221,7 @@
 			result = query_dns64(client, &fname, rdataset,
 					     sigrdataset, dbuf,
 					     DNS_SECTION_ANSWER);
+			noqname = NULL;
 			dns_rdataset_disassociate(rdataset);
 			dns_message_puttemprdataset(client->message, &rdataset);
 			if (result == ISC_R_NOMORE) {
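Review bot: The added `noqname = NULL;` carries no comment saying why the pointer is cleared here, and the reason cannot be read off the surrounding lines. It sits directly before `dns_rdataset_disassociate(rdataset)`, so presumably noqname can refer to that same rdataset and must not be used once it is released; the CHANGES entry for CVE-2017-3136 (DNS64 with "break-dnssec yes;") looks like the matching fix. A one-line comment such as `/* rdataset is released below; do not attempt a NOQNAME proof from it later */` would keep a later refactor from dropping the assignment. The enclosing function starts and ends outside the hunk, so the later use of noqname cannot be confirmed from here.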
--- a/external/bsd/bind/dist/bin/tests/system/dname/ans3/ans.pl	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/bin/tests/system/dname/ans3/ans.pl	Fri Apr 21 05:23:16 2017 +0000
@@ -1,10 +1,18 @@
 #!/usr/bin/env perl
 #
-# Copyright (C) 2014-2016  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
 #
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
 
 use strict;
 use warnings;
--- a/external/bsd/bind/dist/bin/tests/system/dname/ns1/root.db	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/bin/tests/system/dname/ns1/root.db	Fri Apr 21 05:23:16 2017 +0000
@@ -1,4 +1,4 @@
-; Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011, 2017  Internet Systems Consortium, Inc. ("ISC")
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
--- a/external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db	Fri Apr 21 05:23:16 2017 +0000
@@ -1,4 +1,4 @@
-; Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011, 2017  Internet Systems Consortium, Inc. ("ISC")
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -29,6 +29,7 @@
 short-dname		DNAME	short
 a.longlonglonglonglonglonglonglonglonglonglonglonglong	A 10.0.0.2
 long-dname		DNAME	longlonglonglonglonglonglonglonglonglonglonglonglong
+toolong-dname		DNAME	longlonglonglonglonglonglonglonglonglonglonglonglong
 cname			CNAME	a.cnamedname
 cnamedname		DNAME	target
 a.target		A	10.0.0.3
--- a/external/bsd/bind/dist/bin/tests/system/dname/tests.sh	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/bin/tests/system/dname/tests.sh	Fri Apr 21 05:23:16 2017 +0000
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2011, 2012, 2017  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -57,10 +57,19 @@
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
-echo "I:checking (too) long dname from recursive"
+echo "I:checking (too) long dname from recursive with cached DNAME"
+ret=0 
+$DIG 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.4 a -p 5300 > dig.out.ns4.cachedtoolong || ret=1
+grep "status: YXDOMAIN" dig.out.ns4.cachedtoolong > /dev/null || ret=1
+grep '^long-dname\.example\..*DNAME.*long' dig.out.ns4.cachedtoolong > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking (too) long dname from recursive without cached DNAME"
 ret=0
-$DIG 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.4 a -p 5300 > dig.out.ns4.toolong || ret=1
-grep "status: YXDOMAIN" dig.out.ns4.toolong > /dev/null || ret=1
+$DIG 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglong.toolong-dname.example @10.53.0.4 a -p 5300 > dig.out.ns4.uncachedtoolong || ret=1
+grep "status: YXDOMAIN" dig.out.ns4.uncachedtoolong > /dev/null || ret=1
+grep '^toolong-dname\.example\..*DNAME.*long' dig.out.ns4.uncachedtoolong > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
--- a/external/bsd/bind/dist/bin/tests/system/rndc/tests.sh	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/bin/tests/system/rndc/tests.sh	Fri Apr 21 05:23:16 2017 +0000
@@ -393,5 +393,13 @@
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo "I:check 'rndc \"\"' is handled ($n)"
+ret=0
+$RNDCCMD "" > rndc.out.test$n 2>&1 && ret=1
+grep "rndc: '' failed: failure" rndc.out.test$n > /dev/null
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status
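Review bot: The new `grep "rndc: '' failed: failure" rndc.out.test$n > /dev/null` line discards its exit status, so this check passes whenever `$RNDCCMD ""` exits non-zero, whatever the reason. CHANGES lists `rndc ""` as an assertion failure in named (CVE-2017-3138), so a run in which named aborts and rndc then fails with some other error would presumably still be reported as a pass. Append `|| ret=1` so the expected message is actually required: `grep "rndc: '' failed: failure" rndc.out.test$n > /dev/null || ret=1`.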
--- a/external/bsd/bind/dist/bin/tests/system/rpz/tests.sh	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/bin/tests/system/rpz/tests.sh	Fri Apr 21 05:23:16 2017 +0000
@@ -1,4 +1,4 @@
-# Copyright (C) 2011-2016  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2011-2017  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -383,7 +383,7 @@
 drop a3-8.tld2 any @$ns6                   # 20 drop
 
 end_group
-ckstatsrange $ns3 test1 ns3 22 25
+ckstatsrange $ns3 test1 ns3 22 28
 ckstats $ns5 test1 ns5 0
 ckstats $ns6 test1 ns6 0
 
--- a/external/bsd/bind/dist/bind.keys	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/bind.keys	Fri Apr 21 05:23:16 2017 +0000
@@ -15,32 +15,55 @@
 #
 # This file is NOT expected to be user-configured.
 #
-# These keys are current as of January 2011.  If any key fails to
+# These keys are current as of Feburary 2017.  If any key fails to
 # initialize correctly, it may have expired.  In that event you should
 # replace this file with a current version.  The latest version of
 # bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
 
 managed-keys {
-	# ISC DLV: See https://www.isc.org/solutions/dlv for details.
-        # NOTE: This key is activated by setting "dnssec-lookaside auto;"
-        # in named.conf.
-	dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
-		brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
-		1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
-		ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
-		Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
-		QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
-		TDN0YUuWrBNh";
+        # ISC DLV: See https://www.isc.org/solutions/dlv for details.
+        #
+        # NOTE: The ISC DLV zone is being phased out as of February 2017;
+        # the key will remain in place but the zone will be otherwise empty.
+        # Configuring "dnssec-lookaside auto;" to activate this key is
+        # harmless, but is no longer useful and is not recommended.
+        dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
+                brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
+                1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
+                ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
+                Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
+                QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
+                TDN0YUuWrBNh";
 
-	# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
-	# for current trust anchor information.
-        # NOTE: This key is activated by setting "dnssec-validation auto;"
+        # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
+        # for current trust anchor information.
+        #
+        # These keys are activated by setting "dnssec-validation auto;"
         # in named.conf.
-	. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
-		FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
-		bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
-		X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
-		W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
-		Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
-		QxA+Uk1ihz0=";
+        #
+        # This key (19036) is to be phased out starting in 2017. It will
+        # remain in the root zone for some time after its successor key
+        # has been added. It will remain this file until it is removed from
+        # the root zone.
+        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+                W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+                Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+                QxA+Uk1ihz0=";
+
+        # This key (20326) is to be published in the root zone in 2017.
+        # Servers which were already using the old key should roll to the
+        # new # one seamlessly.  Servers being set up for the first time
+        # can use either of the keys in this file to verify the root keys
+        # for the first time; thereafter the keys in the zone will be
+        # trusted and maintained automatically.
+        . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+                +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+                ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+                0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+                oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+                RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+                R1AkUTV74bU=";
 };
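Review bot: The new comment text has three slips that will ship in every installed copy: `Feburary 2017` should read `February 2017`, `It will remain this file` is missing `in`, and `new # one seamlessly` carries a stray `#` left over from re-wrapping. The same wording is repeated in the bind.keys.h hunks, which that file's header says are generated by bindkeys.pl, so the correction belongs here with the header regenerated afterwards. Separately, the diff cannot show that the added key (20326) is the genuine root KSK; its base64 should be compared out-of-band against the IANA trust-anchor publication cited in the comment before it is accepted as an initial-key.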
--- a/external/bsd/bind/dist/bind.keys.h	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/bind.keys.h	Fri Apr 21 05:23:16 2017 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: bind.keys.h,v 1.1.1.1 2014/02/28 17:40:04 christos Exp $	*/
+/*	$NetBSD: bind.keys.h,v 1.1.1.1.6.1 2017/04/21 05:23:16 snj Exp $	*/
 
 /*
  * Generated by bindkeys.pl 1.7 2011/01/04 23:47:13 tbox Exp  
@@ -21,34 +21,57 @@
 #\n\
 # This file is NOT expected to be user-configured.\n\
 #\n\
-# These keys are current as of January 2011.  If any key fails to\n\
+# These keys are current as of Feburary 2017.  If any key fails to\n\
 # initialize correctly, it may have expired.  In that event you should\n\
 # replace this file with a current version.  The latest version of\n\
 # bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
 \n\
 trusted-keys {\n\
-	# ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
-        # NOTE: This key is activated by setting \"dnssec-lookaside auto;\"\n\
-        # in named.conf.\n\
-	dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
-		brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
-		1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
-		ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
-		Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
-		QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
-		TDN0YUuWrBNh\";\n\
+        # ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
+        #\n\
+        # NOTE: The ISC DLV zone is being phased out as of February 2017;\n\
+        # the key will remain in place but the zone will be otherwise empty.\n\
+        # Configuring \"dnssec-lookaside auto;\" to activate this key is\n\
+        # harmless, but is no longer useful and is not recommended.\n\
+        dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
+                brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
+                1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
+                ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
+                Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
+                QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
+                TDN0YUuWrBNh\";\n\
 \n\
-	# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml\n\
-	# for current trust anchor information.\n\
-        # NOTE: This key is activated by setting \"dnssec-validation auto;\"\n\
+        # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml\n\
+        # for current trust anchor information.\n\
+        #\n\
+        # These keys are activated by setting \"dnssec-validation auto;\"\n\
         # in named.conf.\n\
-	. 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
-		FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
-		bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
-		X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
-		W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
-		Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
-		QxA+Uk1ihz0=\";\n\
+        #\n\
+        # This key (19036) is to be phased out starting in 2017. It will\n\
+        # remain in the root zone for some time after its successor key\n\
+        # has been added. It will remain this file until it is removed from\n\
+        # the root zone.\n\
+        . 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
+                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
+                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
+                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
+                W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
+                Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
+                QxA+Uk1ihz0=\";\n\
+\n\
+        # This key (20326) is to be published in the root zone in 2017.\n\
+        # Servers which were already using the old key should roll to the\n\
+        # new # one seamlessly.  Servers being set up for the first time\n\
+        # can use either of the keys in this file to verify the root keys\n\
+        # for the first time; thereafter the keys in the zone will be\n\
+        # trusted and maintained automatically.\n\
+        . 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\
+                +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\
+                ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF\n\
+                0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e\n\
+                oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd\n\
+                RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN\n\
+                R1AkUTV74bU=\";\n\
 };\n\
 "
 
@@ -69,33 +92,56 @@
 #\n\
 # This file is NOT expected to be user-configured.\n\
 #\n\
-# These keys are current as of January 2011.  If any key fails to\n\
+# These keys are current as of Feburary 2017.  If any key fails to\n\
 # initialize correctly, it may have expired.  In that event you should\n\
 # replace this file with a current version.  The latest version of\n\
 # bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
 \n\
 managed-keys {\n\
-	# ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
-        # NOTE: This key is activated by setting \"dnssec-lookaside auto;\"\n\
-        # in named.conf.\n\
-	dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
-		brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
-		1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
-		ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
-		Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
-		QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
-		TDN0YUuWrBNh\";\n\
+        # ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
+        #\n\
+        # NOTE: The ISC DLV zone is being phased out as of February 2017;\n\
+        # the key will remain in place but the zone will be otherwise empty.\n\
+        # Configuring \"dnssec-lookaside auto;\" to activate this key is\n\
+        # harmless, but is no longer useful and is not recommended.\n\
+        dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
+                brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
+                1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
+                ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
+                Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
+                QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
+                TDN0YUuWrBNh\";\n\
 \n\
-	# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml\n\
-	# for current trust anchor information.\n\
-        # NOTE: This key is activated by setting \"dnssec-validation auto;\"\n\
+        # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml\n\
+        # for current trust anchor information.\n\
+        #\n\
+        # These keys are activated by setting \"dnssec-validation auto;\"\n\
         # in named.conf.\n\
-	. initial-key 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
-		FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
-		bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
-		X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
-		W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
-		Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
-		QxA+Uk1ihz0=\";\n\
+        #\n\
+        # This key (19036) is to be phased out starting in 2017. It will\n\
+        # remain in the root zone for some time after its successor key\n\
+        # has been added. It will remain this file until it is removed from\n\
+        # the root zone.\n\
+        . initial-key 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
+                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
+                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
+                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
+                W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
+                Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
+                QxA+Uk1ihz0=\";\n\
+\n\
+        # This key (20326) is to be published in the root zone in 2017.\n\
+        # Servers which were already using the old key should roll to the\n\
+        # new # one seamlessly.  Servers being set up for the first time\n\
+        # can use either of the keys in this file to verify the root keys\n\
+        # for the first time; thereafter the keys in the zone will be\n\
+        # trusted and maintained automatically.\n\
+        . initial-key 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\
+                +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\
+                ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF\n\
+                0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e\n\
+                oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd\n\
+                RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN\n\
+                R1AkUTV74bU=\";\n\
 };\n\
 "
--- a/external/bsd/bind/dist/configure	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/configure	Fri Apr 21 05:23:16 2017 +0000
@@ -1,5 +1,5 @@
 #! /bin/sh
-# Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2017  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1996-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
--- a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html	Fri Apr 21 05:23:16 2017 +0000
@@ -555,6 +555,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html	Fri Apr 21 05:23:16 2017 +0000
@@ -153,6 +153,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html	Fri Apr 21 05:23:16 2017 +0000
@@ -669,6 +669,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html	Fri Apr 21 05:23:16 2017 +0000
@@ -2326,6 +2326,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html	Fri Apr 21 05:23:16 2017 +0000
@@ -138,6 +138,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html	Fri Apr 21 05:23:16 2017 +0000
@@ -12845,6 +12845,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html	Fri Apr 21 05:23:16 2017 +0000
@@ -248,6 +248,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html	Fri Apr 21 05:23:16 2017 +0000
@@ -134,6 +134,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html	Fri Apr 21 05:23:16 2017 +0000
@@ -44,10 +44,11 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P6</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P8</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#root_key">New DNSSEC Root Key</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
@@ -60,7 +61,7 @@
 </div>
 <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.10.2"></a>Release Notes for BIND Version 9.10.4-P6</h2></div></div></div>
+<a name="id-1.10.2"></a>Release Notes for BIND Version 9.10.4-P8</h2></div></div></div>
 <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_intro"></a>Introduction</h3></div></div></div>
@@ -68,6 +69,11 @@
       This document summarizes changes since BIND 9.10.4:
     </p>
 <p>
+      BIND 9.10.4-P7 addresses the security issue described in
+      CVE-2017-3136, and updates the built in trusted keys for
+      the root zone.
+    </p>
+<p>
       BIND 9.10.4-P6 addresses the security issue described in
       CVE-2017-3135, and fixes a regression introduced in a prior
       security release.
@@ -109,9 +115,52 @@
 </div>
 <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
+<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
+<p>
+      ICANN is in the process of introducing a new Key Signing Key (KSK) for
+      the global root zone. BIND has multiple methods for managing DNSSEC
+      trust anchors, with somewhat different behaviors. If the root
+      key is configured using the <span class="command"><strong>managed-keys</strong></span>
+      statement, or if the pre-configured root key is enabled by using
+      <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep
+      keys up to date automatically. Servers configured in this way
+      will roll seamlessly to the new key when it is published in
+      the root zone. However, keys configured using the
+      <span class="command"><strong>trusted-keys</strong></span> statement are not automatically
+      maintained. If your server is performing DNSSEC validation
+      and is configured using <span class="command"><strong>trusted-keys</strong></span>, you are
+      advised to change your configuration before the root zone begins
+      signing with the new KSK. This is currently scheduled for
+      October 11, 2017.
+    </p>
+<p>
+      This release includes an updated version of the
+      <code class="filename">bind.keys</code> file containing the new root
+      key. This file can also be downloaded from
+      <a class="link" href="https://www.isc.org/bind-keys" target="_top">
+	https://www.isc.org/bind-keys
+      </a>.
+    </p>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem"><p>
+	  'rndc ""' could trigger a assertion failure in named. This flaw
+	  is disclosed in (CVE-2017-3138). [RT #44924]
+	</p></li>
+<li class="listitem"><p>
+	  Some chaining (i.e., type CNAME or DNAME) responses to upstream
+	  queries could trigger assertion failures. This flaw is disclosed
+	  in CVE-2017-3137. [RT #44734]
+	</p></li>
+<li class="listitem"><p>
+	  <span class="command"><strong>dns64</strong></span> with <span class="command"><strong>break-dnssec yes;</strong></span>
+	  can result in an assertion failure. This flaw is disclosed in
+	  CVE-2017-3136. [RT #44653]
+	</p></li>
+<li class="listitem"><p>
 	  If a server is configured with a response policy zone (RPZ)
 	  that rewrites an answer with local data, and is also configured
 	  for DNS64 address mapping, a NULL pointer can be read
@@ -245,6 +294,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html	Fri Apr 21 05:23:16 2017 +0000
@@ -155,6 +155,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html	Fri Apr 21 05:23:16 2017 +0000
@@ -497,6 +497,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html	Fri Apr 21 05:23:16 2017 +0000
@@ -543,6 +543,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html	Fri Apr 21 05:23:16 2017 +0000
@@ -154,6 +154,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/Bv9ARM.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/Bv9ARM.html	Fri Apr 21 05:23:16 2017 +0000
@@ -40,7 +40,7 @@
 <div>
 <div><h1 class="title">
 <a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.10.4-P6</p></div>
+<div><p class="releaseinfo">BIND Version 9.10.4-P8</p></div>
 <div><p class="copyright">Copyright  2004-2015 Internet Systems Consortium, Inc. ("ISC")</p></div>
 <div><p class="copyright">Copyright  2000-2003 Internet Software Consortium.</p></div>
 </div>
@@ -239,10 +239,11 @@
 </dl></dd>
 <dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Release Notes</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P6</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P8</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#root_key">New DNSSEC Root Key</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
@@ -385,6 +386,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Binary file external/bsd/bind/dist/doc/arm/Bv9ARM.pdf has changed
--- a/external/bsd/bind/dist/doc/arm/man.arpaname.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.arpaname.html	Fri Apr 21 05:23:16 2017 +0000
@@ -81,6 +81,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html	Fri Apr 21 05:23:16 2017 +0000
@@ -185,6 +185,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.delv.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.delv.html	Fri Apr 21 05:23:16 2017 +0000
@@ -498,6 +498,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.dig.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.dig.html	Fri Apr 21 05:23:16 2017 +0000
@@ -809,6 +809,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html	Fri Apr 21 05:23:16 2017 +0000
@@ -112,6 +112,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html	Fri Apr 21 05:23:16 2017 +0000
@@ -219,6 +219,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html	Fri Apr 21 05:23:16 2017 +0000
@@ -213,6 +213,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html	Fri Apr 21 05:23:16 2017 +0000
@@ -177,6 +177,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html	Fri Apr 21 05:23:16 2017 +0000
@@ -381,6 +381,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html	Fri Apr 21 05:23:16 2017 +0000
@@ -455,6 +455,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html	Fri Apr 21 05:23:16 2017 +0000
@@ -134,6 +134,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html	Fri Apr 21 05:23:16 2017 +0000
@@ -264,6 +264,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html	Fri Apr 21 05:23:16 2017 +0000
@@ -564,6 +564,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html	Fri Apr 21 05:23:16 2017 +0000
@@ -164,6 +164,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.genrandom.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.genrandom.html	Fri Apr 21 05:23:16 2017 +0000
@@ -102,6 +102,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.host.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.host.html	Fri Apr 21 05:23:16 2017 +0000
@@ -247,6 +247,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html	Fri Apr 21 05:23:16 2017 +0000
@@ -112,6 +112,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.lwresd.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.lwresd.html	Fri Apr 21 05:23:16 2017 +0000
@@ -253,6 +253,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.named-checkconf.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.named-checkconf.html	Fri Apr 21 05:23:16 2017 +0000
@@ -151,6 +151,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.named-checkzone.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.named-checkzone.html	Fri Apr 21 05:23:16 2017 +0000
@@ -338,6 +338,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.named-journalprint.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.named-journalprint.html	Fri Apr 21 05:23:16 2017 +0000
@@ -102,6 +102,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html	Fri Apr 21 05:23:16 2017 +0000
@@ -104,6 +104,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.named.conf.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.named.conf.html	Fri Apr 21 05:23:16 2017 +0000
@@ -676,6 +676,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.named.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.named.html	Fri Apr 21 05:23:16 2017 +0000
@@ -369,6 +369,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.nsec3hash.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.nsec3hash.html	Fri Apr 21 05:23:16 2017 +0000
@@ -103,6 +103,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.nsupdate.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.nsupdate.html	Fri Apr 21 05:23:16 2017 +0000
@@ -663,6 +663,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html	Fri Apr 21 05:23:16 2017 +0000
@@ -223,6 +223,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.rndc.conf.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.rndc.conf.html	Fri Apr 21 05:23:16 2017 +0000
@@ -246,6 +246,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.rndc.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.rndc.html	Fri Apr 21 05:23:16 2017 +0000
@@ -621,6 +621,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/notes.html	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/notes.html	Fri Apr 21 05:23:16 2017 +0000
@@ -21,7 +21,7 @@
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article"><div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.10.4-P6</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.10.4-P8</h2></div></div></div>
 <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_intro"></a>Introduction</h3></div></div></div>
@@ -29,6 +29,11 @@
       This document summarizes changes since BIND 9.10.4:
     </p>
 <p>
+      BIND 9.10.4-P7 addresses the security issue described in
+      CVE-2017-3136, and updates the built in trusted keys for
+      the root zone.
+    </p>
+<p>
       BIND 9.10.4-P6 addresses the security issue described in
       CVE-2017-3135, and fixes a regression introduced in a prior
       security release.
@@ -70,9 +75,52 @@
 </div>
 <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
+<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
+<p>
+      ICANN is in the process of introducing a new Key Signing Key (KSK) for
+      the global root zone. BIND has multiple methods for managing DNSSEC
+      trust anchors, with somewhat different behaviors. If the root
+      key is configured using the <span class="command"><strong>managed-keys</strong></span>
+      statement, or if the pre-configured root key is enabled by using
+      <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep
+      keys up to date automatically. Servers configured in this way
+      will roll seamlessly to the new key when it is published in
+      the root zone. However, keys configured using the
+      <span class="command"><strong>trusted-keys</strong></span> statement are not automatically
+      maintained. If your server is performing DNSSEC validation
+      and is configured using <span class="command"><strong>trusted-keys</strong></span>, you are
+      advised to change your configuration before the root zone begins
+      signing with the new KSK. This is currently scheduled for
+      October 11, 2017.
+    </p>
+<p>
+      This release includes an updated version of the
+      <code class="filename">bind.keys</code> file containing the new root
+      key. This file can also be downloaded from
+      <a class="link" href="https://www.isc.org/bind-keys" target="_top">
+	https://www.isc.org/bind-keys
+      </a>.
+    </p>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem"><p>
+	  'rndc ""' could trigger a assertion failure in named. This flaw
+	  is disclosed in (CVE-2017-3138). [RT #44924]
+	</p></li>
+<li class="listitem"><p>
+	  Some chaining (i.e., type CNAME or DNAME) responses to upstream
+	  queries could trigger assertion failures. This flaw is disclosed
+	  in CVE-2017-3137. [RT #44734]
+	</p></li>
+<li class="listitem"><p>
+	  <span class="command"><strong>dns64</strong></span> with <span class="command"><strong>break-dnssec yes;</strong></span>
+	  can result in an assertion failure. This flaw is disclosed in
+	  CVE-2017-3136. [RT #44653]
+	</p></li>
+<li class="listitem"><p>
 	  If a server is configured with a response policy zone (RPZ)
 	  that rewrites an answer with local data, and is also configured
 	  for DNS64 address mapping, a NULL pointer can be read
Binary file external/bsd/bind/dist/doc/arm/notes.pdf has changed
--- a/external/bsd/bind/dist/doc/arm/notes.xml	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/notes.xml	Fri Apr 21 05:23:16 2017 +0000
@@ -2,7 +2,7 @@
 <!ENTITY mdash "&#8212;">
 <!ENTITY ouml "&#xf6;">]>
 <!--
- - Copyright (C) 2014-2016  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2014-2017  Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -24,6 +24,11 @@
       This document summarizes changes since BIND 9.10.4:
     </para>
     <para>
+      BIND 9.10.4-P7 addresses the security issue described in
+      CVE-2017-3136, and updates the built in trusted keys for
+      the root zone.
+    </para>
+    <para>
       BIND 9.10.4-P6 addresses the security issue described in
       CVE-2017-3135, and fixes a regression introduced in a prior
       security release.
@@ -64,10 +69,59 @@
     </para>
   </section>
 
+  <section xml:id="root_key"><info><title>New DNSSEC Root Key</title></info>
+    <para>
+      ICANN is in the process of introducing a new Key Signing Key (KSK) for
+      the global root zone. BIND has multiple methods for managing DNSSEC
+      trust anchors, with somewhat different behaviors. If the root
+      key is configured using the <command>managed-keys</command>
+      statement, or if the pre-configured root key is enabled by using
+      <command>dnssec-validation auto</command>, then BIND can keep
+      keys up to date automatically. Servers configured in this way
+      will roll seamlessly to the new key when it is published in
+      the root zone. However, keys configured using the
+      <command>trusted-keys</command> statement are not automatically
+      maintained. If your server is performing DNSSEC validation
+      and is configured using <command>trusted-keys</command>, you are
+      advised to change your configuration before the root zone begins
+      signing with the new KSK. This is currently scheduled for
+      October 11, 2017.
+    </para>
+    <para>
+      This release includes an updated version of the
+      <filename>bind.keys</filename> file containing the new root
+      key. This file can also be downloaded from
+      <link xmlns:xlink="http://www.w3.org/1999/xlink"
+	xlink:href="https://www.isc.org/bind-keys">
+	https://www.isc.org/bind-keys
+      </link>.
+    </para>
+  </section>
+
   <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
     <itemizedlist>
       <listitem>
 	<para>
+	  'rndc ""' could trigger a assertion failure in named. This flaw
+	  is disclosed in (CVE-2017-3138). [RT #44924]
+	</para>
+      </listitem>
+      <listitem>
+	<para>
+	  Some chaining (i.e., type CNAME or DNAME) responses to upstream
+	  queries could trigger assertion failures. This flaw is disclosed
+	  in CVE-2017-3137. [RT #44734]
+	</para>
+      </listitem>
+      <listitem>
+	<para>
+	  <command>dns64</command> with <command>break-dnssec yes;</command>
+	  can result in an assertion failure. This flaw is disclosed in
+	  CVE-2017-3136. [RT #44653]
+	</para>
+      </listitem>
+      <listitem>
+	<para>
 	  If a server is configured with a response policy zone (RPZ)
 	  that rewrites an answer with local data, and is also configured
 	  for DNS64 address mapping, a NULL pointer can be read
--- a/external/bsd/bind/dist/lib/dns/api	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/lib/dns/api	Fri Apr 21 05:23:16 2017 +0000
@@ -6,5 +6,5 @@
 # 9.9-sub: 130-139, 150-159
 # 9.10: 140-149, 160-169
 LIBINTERFACE = 165
-LIBREVISION = 5
+LIBREVISION = 7
 LIBAGE = 0
--- a/external/bsd/bind/dist/lib/dns/rdataset.c	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/lib/dns/rdataset.c	Fri Apr 21 05:23:16 2017 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: rdataset.c,v 1.6.10.2 2017/02/20 15:48:24 sborrill Exp $	*/
+/*	$NetBSD: rdataset.c,v 1.6.10.3 2017/04/21 05:23:21 snj Exp $	*/
 
 /*
- * Copyright (C) 2004-2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012, 2014, 2015, 2017  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
--- a/external/bsd/bind/dist/lib/dns/resolver.c	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/lib/dns/resolver.c	Fri Apr 21 05:23:16 2017 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: resolver.c,v 1.19.2.8 2017/02/20 15:48:24 sborrill Exp $	*/
+/*	$NetBSD: resolver.c,v 1.19.2.9 2017/04/21 05:23:21 snj Exp $	*/
 
 /*
- * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2017  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -4469,6 +4469,7 @@
 	isc_result_t result;
 
 	if (message->rcode != dns_rcode_noerror &&
+	    message->rcode != dns_rcode_yxdomain &&
 	    message->rcode != dns_rcode_nxdomain)
 		return (ISC_FALSE);
 
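Review bot: The added `message->rcode != dns_rcode_yxdomain` test carries no comment explaining why a YXDOMAIN reply is now let through alongside NOERROR and NXDOMAIN, and the same line is added without explanation in the hunks at -8099 and -8328. The branch removed in the -8163 hunk was the only place that said YXDOMAIN means a DNAME mapping produced an over-long name, so that context is lost. A short comment above the condition would keep it, for example `/* YXDOMAIN can accompany a DNAME answer whose target is too long; let the answer section be examined. */`, assuming that is the intent. The enclosing function starts and ends outside this hunk.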
@@ -6081,79 +6082,6 @@
 		goto again;
 }
 
-static inline isc_result_t
-cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) {
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_cname_t cname;
-
-	result = dns_rdataset_first(rdataset);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	dns_rdataset_current(rdataset, &rdata);
-	result = dns_rdata_tostruct(&rdata, &cname, NULL);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	dns_name_init(tname, NULL);
-	dns_name_clone(&cname.cname, tname);
-	dns_rdata_freestruct(&cname);
-
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * Construct the synthesised CNAME from the existing QNAME and
- * the DNAME RR and store it in 'target'.
- */
-static inline isc_result_t
-dname_target(dns_rdataset_t *rdataset, dns_name_t *qname,
-	     unsigned int nlabels, dns_name_t *target)
-{
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_dname_t dname;
-	dns_fixedname_t prefix;
-
-	/*
-	 * Get the target name of the DNAME.
-	 */
-	result = dns_rdataset_first(rdataset);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	dns_rdataset_current(rdataset, &rdata);
-	result = dns_rdata_tostruct(&rdata, &dname, NULL);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	dns_fixedname_init(&prefix);
-	dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL);
-	result = dns_name_concatenate(dns_fixedname_name(&prefix),
-				      &dname.dname, target, NULL);
-	dns_rdata_freestruct(&dname);
-	return (result);
-}
-
-/*%
- * Check if it was possible to construct 'qname' from 'lastcname'
- * and 'rdataset'.
- */
-static inline isc_result_t
-fromdname(dns_rdataset_t *rdataset, dns_name_t *lastcname,
-	  unsigned int nlabels, const dns_name_t *qname)
-{
-	dns_fixedname_t fixed;
-	isc_result_t result;
-	dns_name_t *target;
-
-	dns_fixedname_init(&fixed);
-	target = dns_fixedname_name(&fixed);
-	result = dname_target(rdataset, lastcname, nlabels, target);
-	if (result != ISC_R_SUCCESS || !dns_name_equal(qname, target))
-		return (ISC_R_NOTFOUND);
-
-	return (ISC_R_SUCCESS);
-}
-
 static isc_boolean_t
 is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
 			 dns_rdataset_t *rdataset)
@@ -6229,9 +6157,8 @@
 }
 
 static isc_boolean_t
-is_answertarget_allowed(dns_view_t *view, dns_name_t *name,
-			dns_rdatatype_t type, dns_name_t *tname,
-			dns_name_t *domain)
+is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
+			dns_rdataset_t *rdataset, isc_boolean_t *chainingp)
 {
 	isc_result_t result;
 	dns_rbtnode_t *node = NULL;
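Review bot: The new signature of `is_answertarget_allowed()` has no contract comment, although the function now derives the target itself and has an optional out-parameter. I would add a header comment stating that `rname` is the owner name of `rdataset`, that for a DNAME it has to be a proper ancestor of `qname` (the body subtracts their label counts), and that `*chainingp`, when non-NULL, is set to `ISC_TRUE` only after a target name has been built and is never cleared. The body continues outside this hunk.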
@@ -6239,8 +6166,57 @@
 	char tnamebuf[DNS_NAME_FORMATSIZE];
 	char classbuf[64];
 	char typebuf[64];
-
-	/* By default, we allow any target name. */
+	dns_name_t *tname = NULL;
+	dns_rdata_cname_t cname;
+	dns_rdata_dname_t dname;
+	dns_view_t *view = fctx->res->view;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned int nlabels;
+	dns_fixedname_t fixed;
+	dns_name_t prefix;
+
+	REQUIRE(rdataset != NULL);
+	REQUIRE(rdataset->type == dns_rdatatype_cname ||
+		rdataset->type == dns_rdatatype_dname);
+
+	/*
+	 * By default, we allow any target name.
+	 * If newqname != NULL we also need to extract the newqname.
+	 */
+	if (chainingp == NULL && view->denyanswernames == NULL)
+		return (ISC_TRUE);
+
+	result = dns_rdataset_first(rdataset);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	dns_rdataset_current(rdataset, &rdata);
+	switch (rdataset->type) {
+	case dns_rdatatype_cname:
+		result = dns_rdata_tostruct(&rdata, &cname, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		tname = &cname.cname;
+		break;
+	case dns_rdatatype_dname:
+		result = dns_rdata_tostruct(&rdata, &dname, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		dns_name_init(&prefix, NULL);
+		dns_fixedname_init(&fixed);
+		tname = dns_fixedname_name(&fixed);
+		nlabels = dns_name_countlabels(qname) -
+			  dns_name_countlabels(rname);
+		dns_name_split(qname, nlabels, &prefix, NULL);
+		result = dns_name_concatenate(&prefix, &dname.dname, tname,
+					      NULL);
+		if (result == DNS_R_NAMETOOLONG)
+			return (ISC_TRUE);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		break;
+	default:
+		INSIST(0);
+	}
+
+	if (chainingp != NULL)
+		*chainingp = ISC_TRUE;
+
 	if (view->denyanswernames == NULL)
 		return (ISC_TRUE);
 
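Review bot: In the DNAME case the count handed to `dns_name_split()` is `dns_name_countlabels(qname) - dns_name_countlabels(rname)`, the length of the prefix, whereas the removed `dname_target()` passed the common-label count from `dns_name_fullcompare()`, which for an ancestor is the label count of the owner name. The two values agree only by coincidence, so if `dns_name_split()` takes the suffix label count, as the old call suggests, this should be `nlabels = dns_name_countlabels(rname);`. The subtraction is also unsigned and is 0 when `rname` equals `qname`, which the ANY branch of `answer_response()` passes for a DNAME rdataset, so a check that `rname` is a proper ancestor before the split would be safer than relying on callers. The comment above the early return still mentions `newqname`, which is not a parameter; it should read `If chainingp != NULL we also need to build the target name.` The function starts and ends outside this hunk.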
@@ -6249,8 +6225,8 @@
 	 * or partially, allow it.
 	 */
 	if (view->answernames_exclude != NULL) {
-		result = dns_rbt_findnode(view->answernames_exclude, name, NULL,
-					  &node, NULL, 0, NULL, NULL);
+		result = dns_rbt_findnode(view->answernames_exclude, qname,
+					  NULL, &node, NULL, 0, NULL, NULL);
 		if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
 			return (ISC_TRUE);
 	}
@@ -6258,7 +6234,7 @@
 	/*
 	 * If the target name is a subdomain of the search domain, allow it.
 	 */
-	if (dns_name_issubdomain(tname, domain))
+	if (dns_name_issubdomain(tname, &fctx->domain))
 		return (ISC_TRUE);
 
 	/*
@@ -6267,9 +6243,9 @@
 	result = dns_rbt_findnode(view->denyanswernames, tname, NULL, &node,
 				  NULL, 0, NULL, NULL);
 	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
-		dns_name_format(name, qnamebuf, sizeof(qnamebuf));
+		dns_name_format(qname, qnamebuf, sizeof(qnamebuf));
 		dns_name_format(tname, tnamebuf, sizeof(tnamebuf));
-		dns_rdatatype_format(type, typebuf, sizeof(typebuf));
+		dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf));
 		dns_rdataclass_format(view->rdclass, classbuf,
 				      sizeof(classbuf));
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
@@ -6765,473 +6741,301 @@
 	return (ISC_R_SUCCESS);
 }
 
+static isc_boolean_t
+validinanswer(dns_rdataset_t *rdataset, fetchctx_t *fctx) {
+	if (rdataset->type == dns_rdatatype_nsec3) {
+		/*
+		 * NSEC3 records are not allowed to
+		 * appear in the answer section.
+		 */
+		log_formerr(fctx, "NSEC3 in answer");
+		return (ISC_FALSE);
+	}
+	if (rdataset->type == dns_rdatatype_tkey) {
+		/*
+		 * TKEY is not a valid record in a
+		 * response to any query we can make.
+		 */
+		log_formerr(fctx, "TKEY in answer");
+		return (ISC_FALSE);
+	}
+	if (rdataset->rdclass != fctx->res->rdclass) {
+		log_formerr(fctx, "Mismatched class in answer");
+		return (ISC_FALSE);
+	}
+	return (ISC_TRUE);
+}
+
 static isc_result_t
 answer_response(fetchctx_t *fctx) {
 	isc_result_t result;
-	dns_message_t *message;
-	dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
-	dns_name_t *cname = NULL, *lastcname = NULL;
-	dns_rdataset_t *rdataset, *ns_rdataset;
-	isc_boolean_t done, external, aa, found, want_chaining;
-	isc_boolean_t have_answer, found_cname, found_dname, found_type;
-	isc_boolean_t wanted_chaining;
-	unsigned int aflag, chaining;
+	dns_message_t *message = NULL;
+	dns_name_t *name = NULL, *qname = NULL, *ns_name = NULL;
+	dns_name_t *aname = NULL, *cname = NULL, *dname = NULL;
+	dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
+	dns_rdataset_t *ardataset = NULL, *crdataset = NULL;
+	dns_rdataset_t *drdataset = NULL, *ns_rdataset = NULL;
+	isc_boolean_t done = ISC_FALSE, aa;
+	unsigned int dname_labels, domain_labels;
+	isc_boolean_t chaining = ISC_FALSE;
 	dns_rdatatype_t type;
-	dns_fixedname_t fdname, fqname;
-	dns_view_t *view;
+	dns_view_t *view = NULL;
+	dns_trust_t trust;
+
+	REQUIRE(VALID_FCTX(fctx));
 
 	FCTXTRACE("answer_response");
 
 	message = fctx->rmessage;
-
-	/*
-	 * Examine the answer section, marking those rdatasets which are
-	 * part of the answer and should be cached.
-	 */
-
-	done = ISC_FALSE;
-	found_cname = ISC_FALSE;
-	found_dname = ISC_FALSE;
-	found_type = ISC_FALSE;
-	have_answer = ISC_FALSE;
-	want_chaining = ISC_FALSE;
-	chaining = 0;
-	POST(want_chaining);
-	if ((message->flags & DNS_MESSAGEFLAG_AA) != 0)
-		aa = ISC_TRUE;
-	else
-		aa = ISC_FALSE;
 	qname = &fctx->name;
+	view = fctx->res->view;
 	type = fctx->type;
-	view = fctx->res->view;
-	result = dns_message_firstname(message, DNS_SECTION_ANSWER);
-	while (!done && result == ISC_R_SUCCESS) {
-		dns_namereln_t namereln, lastreln;
-		int order, lastorder;
-		unsigned int nlabels, lastnlabels;
+
+	/*
+	 * There can be multiple RRSIG and SIG records at a name so
+	 * we treat these types as a subset of ANY.
+	 */
+	if (type == dns_rdatatype_rrsig || type == dns_rdatatype_sig) {
+		type = dns_rdatatype_any;
+	}
+
+	/*
+	 * Bigger than any valid DNAME label count.
+	 */
+	dname_labels = dns_name_countlabels(qname);
+	domain_labels = dns_name_countlabels(&fctx->domain);
+
+	/*
+	 * Perform a single pass looking for the answer, cname or covering
+	 * dname.
+	 */
+	for (result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(message, DNS_SECTION_ANSWER))
+	{
+		int order;
+		unsigned int nlabels;
+		dns_namereln_t namereln;
 
 		name = NULL;
 		dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
-		external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
 		namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
-
-		if (namereln == dns_namereln_equal) {
-			wanted_chaining = ISC_FALSE;
+		switch (namereln) {
+		case dns_namereln_equal:
 			for (rdataset = ISC_LIST_HEAD(name->list);
 			     rdataset != NULL;
-			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-				found = ISC_FALSE;
-				want_chaining = ISC_FALSE;
-				aflag = 0;
-				if (rdataset->type == dns_rdatatype_nsec3) {
-					/*
-					 * NSEC3 records are not allowed to
-					 * appear in the answer section.
-					 */
-					log_formerr(fctx, "NSEC3 in answer");
-					return (DNS_R_FORMERR);
-				}
-				if (rdataset->type == dns_rdatatype_tkey) {
-					/*
-					 * TKEY is not a valid record in a
-					 * response to any query we can make.
-					 */
-					log_formerr(fctx, "TKEY in answer");
-					return (DNS_R_FORMERR);
-				}
-				if (rdataset->rdclass != fctx->res->rdclass) {
-					log_formerr(fctx, "Mismatched class "
-						    "in answer");
-					return (DNS_R_FORMERR);
-				}
-
-				/*
-				 * Apply filters, if given, on answers to reject
-				 * a malicious attempt of rebinding.
-				 */
-				if ((rdataset->type == dns_rdatatype_a ||
-				     rdataset->type == dns_rdatatype_aaaa) &&
-				    !is_answeraddress_allowed(view, name,
-							      rdataset)) {
-					return (DNS_R_SERVFAIL);
-				}
-
-				if (rdataset->type == type && !found_cname) {
-					/*
-					 * We've found an ordinary answer.
-					 */
-					found = ISC_TRUE;
-					found_type = ISC_TRUE;
-					done = ISC_TRUE;
-					aflag = DNS_RDATASETATTR_ANSWER;
-				} else if (type == dns_rdatatype_any) {
-					/*
-					 * We've found an answer matching
-					 * an ANY query.  There may be
-					 * more.
-					 */
-					found = ISC_TRUE;
-					aflag = DNS_RDATASETATTR_ANSWER;
-				} else if (rdataset->type == dns_rdatatype_rrsig
-					   && rdataset->covers == type
-					   && !found_cname) {
-					/*
-					 * We've found a signature that
-					 * covers the type we're looking for.
-					 */
-					found = ISC_TRUE;
-					found_type = ISC_TRUE;
-					aflag = DNS_RDATASETATTR_ANSWERSIG;
-				} else if (rdataset->type ==
-					   dns_rdatatype_cname
-					   && !found_type) {
-					/*
-					 * We're looking for something else,
-					 * but we found a CNAME.
-					 *
-					 * Getting a CNAME response for some
-					 * query types is an error, see
-					 * RFC 4035, Section 2.5.
-					 */
-					if (type == dns_rdatatype_rrsig ||
-					    type == dns_rdatatype_key ||
-					    type == dns_rdatatype_nsec) {
-						char buf[DNS_RDATATYPE_FORMATSIZE];
-						dns_rdatatype_format(fctx->type,
-							      buf, sizeof(buf));
-						log_formerr(fctx,
-							    "CNAME response "
-							    "for %s RR", buf);
-						return (DNS_R_FORMERR);
-					}
-					found = ISC_TRUE;
-					found_cname = ISC_TRUE;
-					want_chaining = ISC_TRUE;
-					aflag = DNS_RDATASETATTR_ANSWER;
-					result = cname_target(rdataset,
-							      &tname);
-					if (result != ISC_R_SUCCESS)
-						return (result);
-					/* Apply filters on the target name. */
-					if (!is_answertarget_allowed(view,
-							name,
-							rdataset->type,
-							&tname,
-							&fctx->domain)) {
-						return (DNS_R_SERVFAIL);
+			     rdataset = ISC_LIST_NEXT(rdataset, link))
+			{
+				if (rdataset->type == type ||
+				    type == dns_rdatatype_any)
+				{
+					aname = name;
+					if (type != dns_rdatatype_any) {
+						ardataset = rdataset;
 					}
-					lastcname = name;
-				} else if (rdataset->type == dns_rdatatype_rrsig
-					   && rdataset->covers ==
-					      dns_rdatatype_cname
-					   && !found_type) {
-					/*
-					 * We're looking for something else,
-					 * but we found a SIG CNAME.
-					 */
-					found = ISC_TRUE;
-					found_cname = ISC_TRUE;
-					aflag = DNS_RDATASETATTR_ANSWERSIG;
+					break;
+				}
+				if (rdataset->type == dns_rdatatype_cname) {
+					cname = name;
+					crdataset = rdataset;
+					break;
 				}
-
-				if (found) {
-					/*
-					 * We've found an answer to our
-					 * question.
-					 */
-					name->attributes |=
-						DNS_NAMEATTR_CACHE;
-					rdataset->attributes |=
-						DNS_RDATASETATTR_CACHE;
-					rdataset->trust = dns_trust_answer;
-					if (chaining == 0) {
-						/*
-						 * This data is "the" answer
-						 * to our question only if
-						 * we're not chaining (i.e.
-						 * if we haven't followed
-						 * a CNAME or DNAME).
-						 */
-						INSIST(!external);
-						/*
-						 * Don't use found_cname here
-						 * as we have just set it
-						 * above.
-						 */
-						if (cname == NULL &&
-						    !found_dname &&
-						    aflag ==
-						     DNS_RDATASETATTR_ANSWER)
-						{
-							have_answer = ISC_TRUE;
-							if (found_cname &&
-							    cname == NULL)
-								cname = name;
-							name->attributes |=
-							    DNS_NAMEATTR_ANSWER;
-						}
-						rdataset->attributes |= aflag;
-						if (aa)
-							rdataset->trust =
-							  dns_trust_authanswer;
-					} else if (external) {
-						/*
-						 * This data is outside of
-						 * our query domain, and
-						 * may not be cached.
-						 */
-						rdataset->attributes |=
-						    DNS_RDATASETATTR_EXTERNAL;
-					}
-
-					/*
-					 * Mark any additional data related
-					 * to this rdataset.
-					 */
-					(void)dns_rdataset_additionaldata(
-							rdataset,
-							check_related,
-							fctx);
-
-					/*
-					 * CNAME chaining.
-					 */
-					if (want_chaining) {
-						wanted_chaining = ISC_TRUE;
-						name->attributes |=
-							DNS_NAMEATTR_CHAINING;
-						rdataset->attributes |=
-						    DNS_RDATASETATTR_CHAINING;
-						qname = &tname;
-					}
-				}
-				/*
-				 * We could add an "else" clause here and
-				 * log that we're ignoring this rdataset.
-				 */
 			}
+			break;
+
+		case dns_namereln_subdomain:
 			/*
-			 * If wanted_chaining is true, we've done
-			 * some chaining as the result of processing
-			 * this node, and thus we need to set
-			 * chaining to true.
-			 *
-			 * We don't set chaining inside of the
-			 * rdataset loop because doing that would
-			 * cause us to ignore the signatures of
-			 * CNAMEs.
+			 * In-scope DNAME records must have at least
+			 * as many labels as the domain being queried.
+			 * They also must be less that qname's labels
+			 * and any previously found dname.
 			 */
-			if (wanted_chaining && chaining < 2U)
-				chaining++;
-		} else {
-			dns_rdataset_t *dnameset = NULL;
-			isc_boolean_t synthcname = ISC_FALSE;
-
-			if (lastcname != NULL) {
-				lastreln = dns_name_fullcompare(lastcname,
-								name,
-								&lastorder,
-								&lastnlabels);
-				if (lastreln == dns_namereln_subdomain &&
-				    lastnlabels == dns_name_countlabels(name))
-					synthcname = ISC_TRUE;
+			if (nlabels >= dname_labels || nlabels < domain_labels)
+			{
+				continue;
 			}
 
 			/*
-			 * Look for a DNAME (or its SIG).  Anything else is
-			 * ignored.
+			 * We are looking for the shortest DNAME if there
+			 * are multiple ones (which there shouldn't be).
 			 */
-			wanted_chaining = ISC_FALSE;
 			for (rdataset = ISC_LIST_HEAD(name->list);
 			     rdataset != NULL;
 			     rdataset = ISC_LIST_NEXT(rdataset, link))
 			{
-				if (rdataset->rdclass != fctx->res->rdclass) {
-					log_formerr(fctx, "Mismatched class "
-						    "in answer");
-					return (DNS_R_FORMERR);
-				}
-
-				/*
-				 * Only pass DNAME or RRSIG(DNAME).
-				 */
-				if (rdataset->type != dns_rdatatype_dname &&
-				    (rdataset->type != dns_rdatatype_rrsig ||
-				     rdataset->covers != dns_rdatatype_dname))
+				if (rdataset->type != dns_rdatatype_dname) {
 					continue;
-
-				/*
-				 * If we're not chaining, then the DNAME and
-				 * its signature should not be external.
-				 */
-				if (chaining == 0 && external) {
-					char qbuf[DNS_NAME_FORMATSIZE];
-					char obuf[DNS_NAME_FORMATSIZE];
-
-					dns_name_format(name, qbuf,
-							sizeof(qbuf));
-					dns_name_format(&fctx->domain, obuf,
-							sizeof(obuf));
-					log_formerr(fctx, "external DNAME or "
-						    "RRSIG covering DNAME "
-						    "in answer: %s is "
-						    "not in %s", qbuf, obuf);
-					return (DNS_R_FORMERR);
-				}
-
-				/*
-				 * If DNAME + synthetic CNAME then the
-				 * namereln is dns_namereln_subdomain.
-				 */
-				if (namereln != dns_namereln_subdomain &&
-				    !synthcname)
-				{
-					char qbuf[DNS_NAME_FORMATSIZE];
-					char obuf[DNS_NAME_FORMATSIZE];
-
-					dns_name_format(qname, qbuf,
-							sizeof(qbuf));
-					dns_name_format(name, obuf,
-							sizeof(obuf));
-					log_formerr(fctx, "unrelated DNAME "
-						    "in answer: %s is "
-						    "not in %s", qbuf, obuf);
-					return (DNS_R_FORMERR);
 				}
-
-				aflag = 0;
-				if (rdataset->type == dns_rdatatype_dname) {
-					want_chaining = ISC_TRUE;
-					POST(want_chaining);
-					aflag = DNS_RDATASETATTR_ANSWER;
-					dns_fixedname_init(&fdname);
-					dname = dns_fixedname_name(&fdname);
-					if (synthcname) {
-						result = fromdname(rdataset,
-								   lastcname,
-								   lastnlabels,
-								   qname);
-					} else {
-						result = dname_target(rdataset,
-								      qname,
-								      nlabels,
-								      dname);
-					}
-					if (result == ISC_R_NOSPACE) {
-						/*
-						 * We can't construct the
-						 * DNAME target.  Do not
-						 * try to continue.
-						 */
-						want_chaining = ISC_FALSE;
-						POST(want_chaining);
-					} else if (result != ISC_R_SUCCESS)
-						return (result);
-					else
-						dnameset = rdataset;
-
-					if (!synthcname &&
-					    !is_answertarget_allowed(view,
-						     qname, rdataset->type,
-						     dname, &fctx->domain))
-					{
-						return (DNS_R_SERVFAIL);
-					}
-				} else {
-					/*
-					 * We've found a signature that
-					 * covers the DNAME.
-					 */
-					aflag = DNS_RDATASETATTR_ANSWERSIG;
-				}
-
-				/*
-				 * We've found an answer to our
-				 * question.
-				 */
-				name->attributes |= DNS_NAMEATTR_CACHE;
-				rdataset->attributes |= DNS_RDATASETATTR_CACHE;
-				rdataset->trust = dns_trust_answer;
-				/*
-				 * If we are not chaining or the first CNAME
-				 * is a synthesised CNAME before the DNAME.
-				 */
-				if ((chaining == 0) ||
-				    (chaining == 1U && synthcname))
-				{
-					/*
-					 * This data is "the" answer to
-					 * our question only if we're
-					 * not chaining.
-					 */
-					INSIST(!external);
-					if (aflag == DNS_RDATASETATTR_ANSWER) {
-						have_answer = ISC_TRUE;
-						found_dname = ISC_TRUE;
-						if (cname != NULL &&
-						    synthcname)
-						{
-							cname->attributes &=
-							   ~DNS_NAMEATTR_ANSWER;
-						}
-						name->attributes |=
-							DNS_NAMEATTR_ANSWER;
-					}
-					rdataset->attributes |= aflag;
-					if (aa)
-						rdataset->trust =
-						  dns_trust_authanswer;
-				} else if (external) {
-					rdataset->attributes |=
-					    DNS_RDATASETATTR_EXTERNAL;
-				}
+				dname = name;
+				drdataset = rdataset;
+				dname_labels = nlabels;
+				break;
+			}
+			break;
+		default:
+			break;
+		}
+	}
+
+	if (dname != NULL) {
+		aname = NULL;
+		ardataset = NULL;
+		cname = NULL;
+		crdataset = NULL;
+	} else if (aname != NULL) {
+		cname = NULL;
+		crdataset = NULL;
+	}
+
+	aa = ISC_TF((message->flags & DNS_MESSAGEFLAG_AA) != 0);
+	trust = aa ? dns_trust_authanswer : dns_trust_answer;
+
+	if (aname != NULL && type == dns_rdatatype_any) {
+		for (rdataset = ISC_LIST_HEAD(aname->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
+			if (!validinanswer(rdataset, fctx)) {
+				return (DNS_R_FORMERR);
+			}
+			if ((fctx->type == dns_rdatatype_sig ||
+			     fctx->type == dns_rdatatype_rrsig) &&
+			     rdataset->type != fctx->type)
+			{
+				continue;
+			}
+			if ((rdataset->type == dns_rdatatype_a ||
+			     rdataset->type == dns_rdatatype_aaaa) &&
+			    !is_answeraddress_allowed(view, aname, rdataset))
+			{
+				return (DNS_R_SERVFAIL);
+			}
+			if ((rdataset->type == dns_rdatatype_cname ||
+			     rdataset->type == dns_rdatatype_dname) &&
+			     !is_answertarget_allowed(fctx, qname, aname,
+						      rdataset, NULL))
+			{
+				return (DNS_R_SERVFAIL);
 			}
-
-			/*
-			 * DNAME chaining.
-			 */
-			if (dnameset != NULL) {
-				if (!synthcname) {
-					/*
-					 * Copy the dname into the qname fixed
-					 * name.
-					 *
-					 * Although we check for failure of the
-					 * copy operation, in practice it
-					 * should never fail since we already
-					 * know that the result fits in a
-					 * fixedname.
-					 */
-					dns_fixedname_init(&fqname);
-					qname = dns_fixedname_name(&fqname);
-					result = dns_name_copy(dname, qname,
-							       NULL);
-					if (result != ISC_R_SUCCESS)
-						return (result);
-				}
-				wanted_chaining = ISC_TRUE;
-				name->attributes |= DNS_NAMEATTR_CHAINING;
-				dnameset->attributes |=
-					    DNS_RDATASETATTR_CHAINING;
+			aname->attributes |= DNS_NAMEATTR_CACHE;
+			aname->attributes |= DNS_NAMEATTR_ANSWER;
+			rdataset->attributes |= DNS_RDATASETATTR_ANSWER;
+			rdataset->attributes |= DNS_RDATASETATTR_CACHE;
+			rdataset->trust = trust;
+			(void)dns_rdataset_additionaldata(rdataset,
+							  check_related,
+							  fctx);
+		}
+	} else if (aname != NULL) {
+		if (!validinanswer(ardataset, fctx))
+			return (DNS_R_FORMERR);
+		if ((ardataset->type == dns_rdatatype_a ||
+		     ardataset->type == dns_rdatatype_aaaa) &&
+		    !is_answeraddress_allowed(view, aname, ardataset)) {
+			return (DNS_R_SERVFAIL);
+		}
+		if ((ardataset->type == dns_rdatatype_cname ||
+		     ardataset->type == dns_rdatatype_dname) &&
+		     !is_answertarget_allowed(fctx, qname, aname, ardataset,
+					      NULL))
+		{
+			return (DNS_R_SERVFAIL);
+		}
+		aname->attributes |= DNS_NAMEATTR_CACHE;
+		aname->attributes |= DNS_NAMEATTR_ANSWER;
+		ardataset->attributes |= DNS_RDATASETATTR_ANSWER;
+		ardataset->attributes |= DNS_RDATASETATTR_CACHE;
+		ardataset->trust = trust;
+		(void)dns_rdataset_additionaldata(ardataset, check_related,
+						  fctx);
+		for (sigrdataset = ISC_LIST_HEAD(aname->list);
+		     sigrdataset != NULL;
+		     sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
+			if (!validinanswer(sigrdataset, fctx))
+				return (DNS_R_FORMERR);
+			if (sigrdataset->type != dns_rdatatype_rrsig ||
+			    sigrdataset->covers != type)
+				continue;
+			sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG;
+			sigrdataset->attributes |= DNS_RDATASETATTR_CACHE;
+			sigrdataset->trust = trust;
+			break;
+		}
+	} else if (cname != NULL) {
+		if (!validinanswer(crdataset, fctx)) {
+			return (DNS_R_FORMERR);
+		}
+		if (type == dns_rdatatype_rrsig || type == dns_rdatatype_key ||
+		    type == dns_rdatatype_nsec)
+		{
+			char buf[DNS_RDATATYPE_FORMATSIZE];
+			dns_rdatatype_format(type, buf, sizeof(buf));
+			log_formerr(fctx, "CNAME response for %s RR", buf);
+			return (DNS_R_FORMERR);
+		}
+		if (!is_answertarget_allowed(fctx, qname, cname, crdataset,
+					     NULL))
+		{
+			return (DNS_R_SERVFAIL);
+		}
+		cname->attributes |= DNS_NAMEATTR_CACHE;
+		cname->attributes |= DNS_NAMEATTR_ANSWER;
+		cname->attributes |= DNS_NAMEATTR_CHAINING;
+		crdataset->attributes |= DNS_RDATASETATTR_ANSWER;
+		crdataset->attributes |= DNS_RDATASETATTR_CACHE;
+		crdataset->attributes |= DNS_RDATASETATTR_CHAINING;
+		crdataset->trust = trust;
+		for (sigrdataset = ISC_LIST_HEAD(cname->list);
+		     sigrdataset != NULL;
+		     sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
+		{
+			if (!validinanswer(sigrdataset, fctx)) {
+				return (DNS_R_FORMERR);
 			}
-			/*
-			 * Ensure that we can't ever get chaining == 1
-			 * above if we have processed a DNAME.
-			 */
-			if (wanted_chaining && chaining < 2U)
-				chaining += 2;
-		}
-		result = dns_message_nextname(message, DNS_SECTION_ANSWER);
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/*
-	 * We should have found an answer.
-	 */
-	if (!have_answer) {
+			if (sigrdataset->type != dns_rdatatype_rrsig ||
+			    sigrdataset->covers != dns_rdatatype_cname)
+			{
+				continue;
+			}
+			sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG;
+			sigrdataset->attributes |= DNS_RDATASETATTR_CACHE;
+			sigrdataset->trust = trust;
+			break;
+		}
+		chaining = ISC_TRUE;
+	} else if (dname != NULL) {
+		if (!validinanswer(drdataset, fctx)) {
+			return (DNS_R_FORMERR);
+		}
+		if (!is_answertarget_allowed(fctx, qname, dname, drdataset,
+					     &chaining)) {
+			return (DNS_R_SERVFAIL);
+		}
+		dname->attributes |= DNS_NAMEATTR_CACHE;
+		dname->attributes |= DNS_NAMEATTR_ANSWER;
+		dname->attributes |= DNS_NAMEATTR_CHAINING;
+		drdataset->attributes |= DNS_RDATASETATTR_ANSWER;
+		drdataset->attributes |= DNS_RDATASETATTR_CACHE;
+		drdataset->attributes |= DNS_RDATASETATTR_CHAINING;
+		drdataset->trust = trust;
+		for (sigrdataset = ISC_LIST_HEAD(dname->list);
+		     sigrdataset != NULL;
+		     sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
+		{
+			if (!validinanswer(sigrdataset, fctx)) {
+				return (DNS_R_FORMERR);
+			}
+			if (sigrdataset->type != dns_rdatatype_rrsig ||
+			    sigrdataset->covers != dns_rdatatype_dname)
+			{
+				continue;
+			}
+			sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG;
+			sigrdataset->attributes |= DNS_RDATASETATTR_CACHE;
+			sigrdataset->trust = trust;
+			break;
+		}
+	} else {
 		log_formerr(fctx, "reply has no answer");
 		return (DNS_R_FORMERR);
 	}
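Review bot: In the CNAME branch of `answer_response()` the comparison `type == dns_rdatatype_rrsig` can never be true, because `type` is rewritten to `dns_rdatatype_any` for RRSIG and SIG queries at the top of the function. For those queries any rdataset at the query name sets `aname`, so the CNAME branch is not reached and the ANY loop simply skips the CNAME. The condition should either drop the dead term, `if (type == dns_rdatatype_key || type == dns_rdatatype_nsec)`, or, if the RFC 4035 section 2.5 rejection cited in the removed comment is still wanted for RRSIG queries, test `fctx->type` before the ANY branch. Separately, the three loops that mark the covering RRSIG for the answer, CNAME and DNAME differ only in the owner name and the covered type and could share one static helper. The function continues past the end of this hunk.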
@@ -7244,14 +7048,8 @@
 	/*
 	 * Did chaining end before we got the final answer?
 	 */
-	if (chaining != 0) {
-		/*
-		 * Yes.  This may be a negative reply, so hand off
-		 * authority section processing to the noanswer code.
-		 * If it isn't a noanswer response, no harm will be
-		 * done.
-		 */
-		return (noanswer_response(fctx, qname, 0));
+	if (chaining) {
+		return (ISC_R_SUCCESS);
 	}
 
 	/*
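Review bot: The comment `Did chaining end before we got the final answer?` is now followed by a bare `return (ISC_R_SUCCESS);`, and the removed text that answered the question has no replacement. A reader cannot tell that authority-section processing is skipped on purpose for a chained response, where the old code handed it to `noanswer_response()`. I would add a line inside the `if`, such as `/* Yes.  Authority data from this response is not used; the chained name is resolved separately. */`, adjusted to whatever the caller actually does. The enclosing function starts and ends outside this hunk.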
@@ -7270,11 +7068,9 @@
 	 * We expect there to be only one owner name for all the rdatasets
 	 * in this section, and we expect that it is not external.
 	 */
-	done = ISC_FALSE;
-	ns_name = NULL;
-	ns_rdataset = NULL;
 	result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
 	while (!done && result == ISC_R_SUCCESS) {
+		isc_boolean_t external;
 		name = NULL;
 		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
 		external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
@@ -7293,12 +7089,13 @@
 						DNS_NAMEATTR_CACHE;
 					rdataset->attributes |=
 						DNS_RDATASETATTR_CACHE;
-					if (aa && chaining == 0)
+					if (aa && !chaining) {
 						rdataset->trust =
 						    dns_trust_authauthority;
-					else
+					} else {
 						rdataset->trust =
 						    dns_trust_additional;
+					}
 
 					if (rdataset->type == dns_rdatatype_ns)
 					{
@@ -8099,6 +7896,7 @@
 	 * Is the remote server broken, or does it dislike us?
 	 */
 	if (message->rcode != dns_rcode_noerror &&
+	    message->rcode != dns_rcode_yxdomain &&
 	    message->rcode != dns_rcode_nxdomain) {
 		isc_buffer_t b;
 		char code[64];
@@ -8163,13 +7961,6 @@
 				log_formerr(fctx, "server sent FORMERR");
 				result = DNS_R_FORMERR;
 			}
-		} else if (message->rcode == dns_rcode_yxdomain) {
-			/*
-			 * DNAME mapping failed because the new name
-			 * was too long.  There's no chance of success
-			 * for this fetch.
-			 */
-			result = DNS_R_YXDOMAIN;
 		} else if (message->rcode == dns_rcode_badvers) {
 			unsigned int flags, mask;
 			unsigned int version;
@@ -8328,6 +8119,7 @@
 	 */
 	if (message->counts[DNS_SECTION_ANSWER] > 0 &&
 	    (message->rcode == dns_rcode_noerror ||
+	     message->rcode == dns_rcode_yxdomain ||
 	     message->rcode == dns_rcode_nxdomain)) {
 		/*
 		 * [normal case]
--- a/external/bsd/bind/dist/lib/isc/include/isc/lex.h	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/lib/isc/include/isc/lex.h	Fri Apr 21 05:23:16 2017 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: lex.h,v 1.3 2012/06/05 00:42:36 christos Exp $	*/
+/*	$NetBSD: lex.h,v 1.3.12.1 2017/04/21 05:23:21 snj Exp $	*/
 
 /*
  * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
@@ -154,8 +154,6 @@
  * Requires:
  *\li	'*lexp' is a valid lexer.
  *
- *\li	max_token > 0.
- *
  * Ensures:
  *\li	On success, *lexp is attached to the newly created lexer.
  *
--- a/external/bsd/bind/dist/lib/isc/lex.c	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/lib/isc/lex.c	Fri Apr 21 05:23:16 2017 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: lex.c,v 1.5.4.1 2016/03/13 08:06:14 martin Exp $	*/
+/*	$NetBSD: lex.c,v 1.5.4.2 2017/04/21 05:23:21 snj Exp $	*/
 
 /*
  * Copyright (C) 2004, 2005, 2007, 2013-2015  Internet Systems Consortium, Inc. ("ISC")
@@ -96,9 +96,10 @@
 	/*
 	 * Create a lexer.
 	 */
+	REQUIRE(lexp != NULL && *lexp == NULL);
 
-	REQUIRE(lexp != NULL && *lexp == NULL);
-	REQUIRE(max_token > 0U);
+	if (max_token == 0U)
+		max_token = 1;
 
 	lex = isc_mem_get(mctx, sizeof(*lex));
 	if (lex == NULL)
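Review bot: A `max_token` of 0 is now silently raised to 1 instead of failing the `REQUIRE`, but the new behaviour is not documented here, and the lex.h hunk only deletes the `max_token > 0` requirement. I would put `/* A max_token of 0 is accepted and treated as 1. */` above the clamp and state the same in the header's description, so callers know zero is valid input rather than a programming error. The new `if` is also unbraced, which differs from the braced style used in the resolver.c part of this commit: `if (max_token == 0U) { max_token = 1; }`. The function begins before this hunk and continues after it.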
--- a/external/bsd/bind/dist/srcid	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/srcid	Fri Apr 21 05:23:16 2017 +0000
@@ -1,1 +1,1 @@
-SRCID=a6837d0
+SRCID=9f5232e
--- a/external/bsd/bind/dist/version	Thu Apr 20 07:07:28 2017 +0000
+++ b/external/bsd/bind/dist/version	Fri Apr 21 05:23:16 2017 +0000
@@ -7,5 +7,5 @@
 MINORVER=10
 PATCHVER=4
 RELEASETYPE=-P
-RELEASEVER=6
+RELEASEVER=8
 EXTENSIONS=