merge for bind 9.10.0-P2, first go trunk
authorspz <spz@NetBSD.org>
Tue, 08 Jul 2014 05:43:37 +0000
branchtrunk
changeset 228258 20fb967cfb11
parent 228257 973173bdfdb3
child 228259 6bedea91c3f8
merge for bind 9.10.0-P2, first go
external/bsd/bind/dist/CHANGES
external/bsd/bind/dist/Makefile.in
external/bsd/bind/dist/bin/check/named-checkconf.8
external/bsd/bind/dist/bin/check/named-checkconf.c
external/bsd/bind/dist/bin/check/named-checkzone.8
external/bsd/bind/dist/bin/confgen/ddns-confgen.8
external/bsd/bind/dist/bin/confgen/ddns-confgen.c
external/bsd/bind/dist/bin/confgen/keygen.c
external/bsd/bind/dist/bin/confgen/rndc-confgen.8
external/bsd/bind/dist/bin/delv/delv.c
external/bsd/bind/dist/bin/delve/Makefile.in
external/bsd/bind/dist/bin/delve/delve.1
external/bsd/bind/dist/bin/delve/delve.c
external/bsd/bind/dist/bin/delve/delve.docbook
external/bsd/bind/dist/bin/delve/delve.html
external/bsd/bind/dist/bin/dig/dig.1
external/bsd/bind/dist/bin/dig/dig.c
external/bsd/bind/dist/bin/dig/dighost.c
external/bsd/bind/dist/bin/dig/host.1
external/bsd/bind/dist/bin/dig/host.c
external/bsd/bind/dist/bin/dig/nslookup.1
external/bsd/bind/dist/bin/dig/nslookup.c
external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.8
external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.c
external/bsd/bind/dist/bin/dnssec/dnssec-importkey.8
external/bsd/bind/dist/bin/dnssec/dnssec-importkey.c
external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.8
external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.c
external/bsd/bind/dist/bin/dnssec/dnssec-keygen.8
external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c
external/bsd/bind/dist/bin/dnssec/dnssec-revoke.8
external/bsd/bind/dist/bin/dnssec/dnssec-revoke.c
external/bsd/bind/dist/bin/dnssec/dnssec-settime.8
external/bsd/bind/dist/bin/dnssec/dnssec-settime.c
external/bsd/bind/dist/bin/dnssec/dnssec-signzone.8
external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c
external/bsd/bind/dist/bin/dnssec/dnssec-verify.8
external/bsd/bind/dist/bin/dnssec/dnssec-verify.c
external/bsd/bind/dist/bin/named/bind9.xsl.h
external/bsd/bind/dist/bin/named/client.c
external/bsd/bind/dist/bin/named/controlconf.c
external/bsd/bind/dist/bin/named/include/named/server.h
external/bsd/bind/dist/bin/named/interfacemgr.c
external/bsd/bind/dist/bin/named/lwresd.8
external/bsd/bind/dist/bin/named/main.c
external/bsd/bind/dist/bin/named/named.8
external/bsd/bind/dist/bin/named/named.conf.5
external/bsd/bind/dist/bin/named/named.conf.docbook
external/bsd/bind/dist/bin/named/named.conf.html
external/bsd/bind/dist/bin/named/query.c
external/bsd/bind/dist/bin/named/server.c
external/bsd/bind/dist/bin/named/statschannel.c
external/bsd/bind/dist/bin/named/unix/dlz_dlopen_driver.c
external/bsd/bind/dist/bin/named/unix/os.c
external/bsd/bind/dist/bin/named/win32/dlz_dlopen_driver.c
external/bsd/bind/dist/bin/named/win32/ntservice.c
external/bsd/bind/dist/bin/named/win32/os.c
external/bsd/bind/dist/bin/nsupdate/nsupdate.1
external/bsd/bind/dist/bin/nsupdate/nsupdate.c
external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1f-patch
external/bsd/bind/dist/bin/pkcs11/pkcs11-destroy.c
external/bsd/bind/dist/bin/pkcs11/pkcs11-keygen.c
external/bsd/bind/dist/bin/pkcs11/pkcs11-list.c
external/bsd/bind/dist/bin/python/dnssec-checkds.8
external/bsd/bind/dist/bin/python/dnssec-checkds.docbook
external/bsd/bind/dist/bin/python/win32.py
external/bsd/bind/dist/bin/rndc/rndc.8
external/bsd/bind/dist/bin/rndc/rndc.c
external/bsd/bind/dist/bin/rndc/rndc.conf.5
external/bsd/bind/dist/bin/tests/makejournal.c
external/bsd/bind/dist/bin/tests/resolver/t_resolver.c
external/bsd/bind/dist/bin/tests/system/checkds/missing.example.dlv.example.dlv.db
external/bsd/bind/dist/bin/tests/system/dlzexternal/driver.c
external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.private
external/bsd/bind/dist/bin/tests/system/testsock6.pl
external/bsd/bind/dist/bin/tests/tasks/t_tasks.c
external/bsd/bind/dist/bin/tests/zone_test.c
external/bsd/bind/dist/bin/tools/arpaname.1
external/bsd/bind/dist/bin/tools/genrandom.8
external/bsd/bind/dist/bin/tools/isc-hmac-fixup.8
external/bsd/bind/dist/bin/tools/isc-hmac-fixup.c
external/bsd/bind/dist/bin/tools/named-journalprint.8
external/bsd/bind/dist/bin/tools/nsec3hash.8
external/bsd/bind/dist/bin/tools/nsec3hash.c
external/bsd/bind/dist/config.h.in
external/bsd/bind/dist/configure.in
external/bsd/bind/dist/contrib/dlz/drivers/include/dlz/dlz_dlopen_driver.h
external/bsd/bind/dist/contrib/dlz/example/dlz_example.c
external/bsd/bind/dist/contrib/dlz/modules/include/dlz_list.h
external/bsd/bind/dist/contrib/dlz/modules/wildcard/dlz_wildcard_dynamic.c
external/bsd/bind/dist/contrib/perftcpdns/perftcpdns.c
external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/zkt-ls
external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/zkt-signer
external/bsd/bind/dist/doc/arm/Bv9ARM.pdf
external/bsd/bind/dist/doc/arm/man.delve.html
external/bsd/bind/dist/doc/misc/options
external/bsd/bind/dist/isc-config.sh.1
external/bsd/bind/dist/lib/bind9/check.c
external/bsd/bind/dist/lib/dns/adb.c
external/bsd/bind/dist/lib/dns/cache.c
external/bsd/bind/dist/lib/dns/client.c
external/bsd/bind/dist/lib/dns/dispatch.c
external/bsd/bind/dist/lib/dns/ds.c
external/bsd/bind/dist/lib/dns/dst_api.c
external/bsd/bind/dist/lib/dns/dst_internal.h
external/bsd/bind/dist/lib/dns/dst_result.c
external/bsd/bind/dist/lib/dns/ecdb.c
external/bsd/bind/dist/lib/dns/gssapictx.c
external/bsd/bind/dist/lib/dns/include/dns/dns64.h
external/bsd/bind/dist/lib/dns/include/dns/message.h
external/bsd/bind/dist/lib/dns/include/dns/resolver.h
external/bsd/bind/dist/lib/dns/include/dns/stats.h
external/bsd/bind/dist/lib/dns/include/dns/view.h
external/bsd/bind/dist/lib/dns/include/dns/zone.h
external/bsd/bind/dist/lib/dns/keytable.c
external/bsd/bind/dist/lib/dns/lib.c
external/bsd/bind/dist/lib/dns/master.c
external/bsd/bind/dist/lib/dns/message.c
external/bsd/bind/dist/lib/dns/name.c
external/bsd/bind/dist/lib/dns/openssl_link.c
external/bsd/bind/dist/lib/dns/opensslecdsa_link.c
external/bsd/bind/dist/lib/dns/opensslgost_link.c
external/bsd/bind/dist/lib/dns/peer.c
external/bsd/bind/dist/lib/dns/rbt.c
external/bsd/bind/dist/lib/dns/rbtdb.c
external/bsd/bind/dist/lib/dns/rdata/generic/nsec3_50.c
external/bsd/bind/dist/lib/dns/rdataslab.c
external/bsd/bind/dist/lib/dns/resolver.c
external/bsd/bind/dist/lib/dns/rootns.c
external/bsd/bind/dist/lib/dns/rpz.c
external/bsd/bind/dist/lib/dns/tests/rdata_test.c
external/bsd/bind/dist/lib/dns/view.c
external/bsd/bind/dist/lib/dns/zone.c
external/bsd/bind/dist/lib/irs/context.c
external/bsd/bind/dist/lib/irs/gai_strerror.c
external/bsd/bind/dist/lib/irs/getaddrinfo.c
external/bsd/bind/dist/lib/irs/resconf.c
external/bsd/bind/dist/lib/isc/app_api.c
external/bsd/bind/dist/lib/isc/backtrace.c
external/bsd/bind/dist/lib/isc/event.c
external/bsd/bind/dist/lib/isc/hash.c
external/bsd/bind/dist/lib/isc/hmacmd5.c
external/bsd/bind/dist/lib/isc/hmacsha.c
external/bsd/bind/dist/lib/isc/httpd.c
external/bsd/bind/dist/lib/isc/include/isc/app.h
external/bsd/bind/dist/lib/isc/include/isc/base32.h
external/bsd/bind/dist/lib/isc/include/isc/buffer.h
external/bsd/bind/dist/lib/isc/include/isc/event.h
external/bsd/bind/dist/lib/isc/include/isc/mem.h
external/bsd/bind/dist/lib/isc/include/isc/queue.h
external/bsd/bind/dist/lib/isc/include/isc/radix.h
external/bsd/bind/dist/lib/isc/include/isc/resultclass.h
external/bsd/bind/dist/lib/isc/include/isc/task.h
external/bsd/bind/dist/lib/isc/include/isc/timer.h
external/bsd/bind/dist/lib/isc/include/isc/util.h
external/bsd/bind/dist/lib/isc/lib.c
external/bsd/bind/dist/lib/isc/md5.c
external/bsd/bind/dist/lib/isc/mem.c
external/bsd/bind/dist/lib/isc/pthreads/mutex.c
external/bsd/bind/dist/lib/isc/regex.c
external/bsd/bind/dist/lib/isc/rwlock.c
external/bsd/bind/dist/lib/isc/sha1.c
external/bsd/bind/dist/lib/isc/sha2.c
external/bsd/bind/dist/lib/isc/socket_api.c
external/bsd/bind/dist/lib/isc/task.c
external/bsd/bind/dist/lib/isc/task_p.h
external/bsd/bind/dist/lib/isc/timer.c
external/bsd/bind/dist/lib/isc/unix/app.c
external/bsd/bind/dist/lib/isc/unix/include/isc/stat.h
external/bsd/bind/dist/lib/isc/unix/net.c
external/bsd/bind/dist/lib/isc/unix/socket.c
external/bsd/bind/dist/lib/isc/win32/app.c
external/bsd/bind/dist/lib/isc/win32/include/isc/mutex.h
external/bsd/bind/dist/lib/isc/win32/include/isc/net.h
external/bsd/bind/dist/lib/isc/win32/net.c
external/bsd/bind/dist/lib/isc/win32/ntpaths.c
external/bsd/bind/dist/lib/isc/win32/socket.c
external/bsd/bind/dist/lib/isc/win32/syslog.c
external/bsd/bind/dist/lib/isccfg/aclconf.c
external/bsd/bind/dist/lib/isccfg/include/isccfg/aclconf.h
external/bsd/bind/dist/lib/isccfg/namedconf.c
external/bsd/bind/dist/lib/isccfg/parser.c
external/bsd/bind/dist/lib/lwres/getnameinfo.c
external/bsd/bind/dist/lib/lwres/include/lwres/lwres.h
external/bsd/bind/dist/lib/lwres/man/lwres.3
external/bsd/bind/dist/lib/lwres/man/lwres_buffer.3
external/bsd/bind/dist/lib/lwres/man/lwres_config.3
external/bsd/bind/dist/lib/lwres/man/lwres_context.3
external/bsd/bind/dist/lib/lwres/man/lwres_gabn.3
external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.3
external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.3
external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.3
external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.3
external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.3
external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.3
external/bsd/bind/dist/lib/lwres/man/lwres_gnba.3
external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.3
external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.3
external/bsd/bind/dist/lib/lwres/man/lwres_noop.3
external/bsd/bind/dist/lib/lwres/man/lwres_packet.3
external/bsd/bind/dist/lib/lwres/man/lwres_resutil.3
external/bsd/bind/dist/lib/lwres/win32/include/lwres/net.h
external/bsd/bind/dist/lib/lwres/win32/include/lwres/platform.h
external/bsd/bind/dist/make/rules.in
external/bsd/bind/dist/srcid
external/bsd/bind/dist/version
external/bsd/bind/dist/win32utils/legacy/BINDBuild.dsw.in
--- a/external/bsd/bind/dist/CHANGES	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/CHANGES	Tue Jul 08 05:43:37 2014 +0000
@@ -1,3 +1,224 @@
+	--- 9.10.0-P2 released ---
+
+3861.	[security]	Missing isc_buffer_availablelength check results
+			in a REQUIRE assertion when printing out a packet
+			(CVE-2014-3859).  [RT #36078]
+
+3858.	[bug]		Disable GCC 4.9 "delete null pointer check".
+			[RT #35968]
+
+3853.	[cleanup]	Refactor dns_rdataslab_fromrdataset to seperate out
+			the handling of a rdataset with no records. [RT #35968]
+
+3850.	[bug]		Disabling forwarding could trigger a REQUIRE assertion.
+			[RT #35979]
+
+3843.	[bug]		Use the x64 version of the Microsoft Visual C++
+			Redistributable when built for 64 bit Windows.
+			[RT #35973]
+
+3838.	[protocol]	EDNS EXPIRE as been assigned a code point of 9.
+
+	--- 9.10.0-P1 released ---
+
+3837.	[security]	A NULL pointer is passed to query_prefetch resulting
+			a REQUIRE assertion failure when a fetch is actually
+			initiated (CVE-2014-3214).  [RT #35899]
+
+	--- 9.10.0 released ---
+
+3824.	[bug]		A collision between two flag values could cause
+			problems with cache cleaning when SIT was enabled.
+			[RT #35858]
+
+	--- 9.10.0rc2 released ---
+
+3817.	[func]		The "delve" command is now spelled "delv" to avoid
+			a namespace collision with the Xapian project.
+			[RT #35801]
+
+3815.	[doc]		Clarify "nsupdate -y" usage in man page. [RT #35808]
+
+3810.	[bug]		Work around broken nameservers that fail to ignore
+			unknown EDNS options. [RT #35766]
+
+3809.	[doc]		Fix SIT and NSID documentation.
+
+3808.	[doc]		Clean up "prefetch" documentation. [RT #35751]
+
+3807.	[bug]		Fix sign extention bug in dns_name_fromtext when
+			lowercase is set. [RT #35743]
+
+3806.	[test]		Improved system test portability. [RT #35625]
+
+3805.	[contrib]	Added contrib/perftcpdns, a performance testing tool
+			for DNS over TCP. [RT #35710]
+
+	--- 9.10.0rc1 released ---
+
+3804.	[bug]		Corrected a race condition in dispatch.c in which
+			portentry could be reset leading to an assertion
+			failure in socket_search(). (Change #3708
+			addressed the same issue but was incomplete.)
+			[RT #35128]
+
+3803.	[bug]		"named-checkconf -z" incorrectly rejected zones
+			using alternate data sources for not having a "file"
+			option. [RT #35685]
+
+3802.	[bug]		Various header files were not being installed.
+
+3801.	[port]		Fix probing for gssapi support on FreeBSD. [RT #35615]
+
+3800.	[bug]		A pending event on the route socket could cause an
+			assertion failure when shutting down named. [RT #35674]
+
+3799.	[bug]		Improve named's command line error reporting.
+			[RT #35603]
+
+3798.	[bug]		'rndc zonestatus' was reporting the wrong re-signing
+			time. [RT #35659]
+
+3797.	[port]		netbsd: geoip support probing was broken. [RT #35642]
+
+3796.	[bug]		Register dns and pkcs#11 error codes. [RT #35629]
+
+3795.	[bug]		Make named-checkconf detect raw masterfiles for
+			hint zones and reject them. [RT #35268]
+
+3794.	[maint]		Added AAAA for C.ROOT-SERVERS.NET.
+
+3793.	[bug]		zone.c:save_nsec3param() could assert when out of
+			memory. [RT #35621]
+
+3792.	[func]		Provide links to the alternate statistics views when
+			displaying in a browser.  [RT #35605]
+
+3791.	[placeholder]
+
+3790.	[bug]		Handle broken nameservers that send BADVERS in
+			response to unknown EDNS options.  Maintain
+			statistics on BADVERS responses.
+
+3789.	[bug]		Null pointer dereference on rbt creation failure.
+
+3788.	[bug]		dns_peer_getrequestsit was returning request_nsid by
+			mistake.
+
+	--- 9.10.0b2 released ---
+
+3787.	[bug]		The code that checks whether "auto-dnssec" is
+			allowed was ignoring "allow-update" ACLs set at
+			the options or view level. [RT #29536]
+
+3786.	[func]		Provide more detailed error codes when using
+			native PKCS#11. "pkcs11-tokens" now fails robustly
+			rather than asserting when run against an HSM with
+			an incomplete PKCS#11 API implementation. [RT #35479]
+
+3785.	[bug]		Debugging code dumphex didn't accept arbitrarily long
+			input (only compiled with -DDEBUG). [RT #35544]
+
+3784.	[bug]		Using "rrset-order fixed" when it had not been
+			enabled at compile time caused inconsistent
+			results. It now works as documented, defaulting
+			to cyclic mode. [RT #28104]
+
+3783.	[func]		"tsig-keygen" is now available as an alternate
+			command name for "ddns-confgen".  It generates
+			a TSIG key in named.conf format without comments.
+			[RT #35503]
+
+3782.	[func]		Specifying "auto" as the salt when using
+			"rndc signing -nsec3param" causes named to
+			generate a 64-bit salt at random. [RT #35322]
+
+3781.	[tuning]	Use adaptive mutex locks when available; this
+			has been found to improve performance under load
+			on many systems. "configure --with-locktype=standard"
+			restores conventional mutex locks. [RT #32576]
+
+3780.	[bug]		$GENERATE handled negative numbers incorrectly.
+			[RT #25528]
+
+3779.	[cleanup]	Clarify the error message when using an option
+			that was not enabled at compile time. [RT #35504]
+
+3778.	[bug]		Log a warning when the wrong address family is
+			used in "listen-on" or "listen-on-v6". [RT #17848]
+
+3777.	[bug]		EDNS EXPIRE code could dump core when processing
+			DLZ queries. [RT #35493]
+
+3776.	[func]		"rndc -q" suppresses output from successful
+			rndc commands. Errors are printed on stderr.
+			[RT #21393]
+
+3775.	[bug]		dlz_dlopen driver could return the wrong error
+			code on API version mismatch, leading to a segfault.
+			[RT #35495]
+
+3774.	[func]		When using "request-nsid", log the NSID value in
+			printable form as well as hex. [RT #20864]
+
+3773.	[func]		"host", "nslookup" and "nsupdate" now have
+			options to print the version number and exit.
+			[RT #26057]
+
+3772.	[contrib]	Added sqlite3 dynamically-loadable DLZ module.
+			(Based in part on a contribution from Tim Tessier.)
+			[RT #20822]
+
+3771.	[cleanup]	Adjusted log level for "using built-in key"
+			messages. [RT #24383]
+
+3770.	[bug]		"dig +trace" could fail with an assertion when it
+			needed to fall back to TCP due to a truncated
+			response. [RT #24660]
+
+3769.	[doc]		Improved documentation of "rndc signing -list".
+			[RT #30652]
+
+3768.	[bug]		"dnssec-checkds" was missing the SHA-384 digest
+			algorithm. [RT #34000]
+
+3767.	[func]		Log explicitly when using rndc.key to configure
+			command channel. [RT #35316]
+
+3766.	[cleanup]	Fixed problems with building outside the source
+			tree when using native PKCS#11. [RT #35459]
+
+3765.	[bug]		Fixed a bug in "rndc secroots" that could crash
+			named when dumping an empty keynode. [RT #35469]
+
+3764.	[bug]		The dnssec-keygen/settime -S and -i options
+			(to set up a successor key and set the prepublication
+			interval) were missing from dnssec-keyfromlabel.
+			[RT #35394]
+
+3763.	[bug]		delve: Cache DNSSEC records to avoid the need to
+			re-fetch them when restarting validation. [RT #35476]
+
+3762.	[bug]		Address build problems with --pkcs11-native +
+			--with-openssl with ECDSA support. [RT #35467]
+
+3761.	[bug]		Address dangling reference bug in dns_keytable_add.
+			[RT #35471]
+
+3760.	[bug]		Improve SIT with native PKCS#11 and on Windows.
+			[RT #35433]
+
+3759.	[port]		Enable delve on Windows. [RT #35441]
+
+3758.	[port]		Enable export library APIs on Windows. [RT #35382]
+
+3757.	[port]		Enable Python tools (dnssec-coverage,
+			dnssec-checkds) to run on Windows. [RT #34355]
+
+3756.	[bug]		GSSAPI Kerberos realm checking was broken in
+			check_config leading to spurious messages being
+			logged.  [RT #35443]
+
 	--- 9.10.0b1 released ---
 
 3755.	[func]		Add stats counters for known EDNS options + others.
@@ -81,8 +302,7 @@
 			same resolver and validator logic as named. This
 			allows easy validation of DNSSEC data in environments
 			with untrustworthy resolvers, and assists with
-			troubleshooting of DNSSEC problems. (Note: not yet
-			available on win32.) [RT #32406]
+			troubleshooting of DNSSEC problems. [RT #32406]
 
 3740.	[contrib]	Minor fixes to configure --with-dlz-bdb,
 			--with-dlz-postgres and --with-dlz-odbc. [RT #35340]
@@ -1447,7 +1667,7 @@
 			     when queryperf is available.
 			 - the encoding of PASSTHRU action to "rpz-passthru".
 			     (The old encoding is still accepted.)
-		       [RT #26172]
+			[RT #26172]
 
 
 3329.	[bug]		Handle RRSIG signer-name case consistently: We
--- a/external/bsd/bind/dist/Makefile.in	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/Makefile.in	Tue Jul 08 05:43:37 2014 +0000
@@ -21,7 +21,7 @@
 
 @BIND9_VERSION@
 
-SUBDIRS =	make unit lib bin doc
+SUBDIRS =	make unit lib bin doc @LIBEXPORT@
 TARGETS =
 PREREQS =	bind.keys.h
 
--- a/external/bsd/bind/dist/bin/check/named-checkconf.8	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/check/named-checkconf.8	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-.\"	$NetBSD: named-checkconf.8,v 1.4 2014/03/01 03:24:32 christos Exp $
+.\"	$NetBSD: named-checkconf.8,v 1.5 2014/07/08 05:43:37 spz Exp $
 .\"
 .\" Copyright (C) 2004, 2005, 2007, 2009, 2014 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2002 Internet Software Consortium.
@@ -22,11 +22,11 @@
 .\"     Title: named\-checkconf
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: June 14, 2000
+.\"      Date: January 10, 2014
 .\"    Manual: BIND9
 .\"    Source: BIND9
 .\"
-.TH "NAMED\-CHECKCONF" "8" "June 14, 2000" "BIND9" "BIND9"
+.TH "NAMED\-CHECKCONF" "8" "January 10, 2014" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
--- a/external/bsd/bind/dist/bin/check/named-checkconf.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/check/named-checkconf.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: named-checkconf.c,v 1.8 2014/03/01 03:24:32 christos Exp $	*/
+/*	$NetBSD: named-checkconf.c,v 1.9 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
  * Copyright (C) 2004-2007, 2009-2014  Internet Systems Consortium, Inc. ("ISC")
@@ -145,18 +145,6 @@
 }
 
 static isc_result_t
-config_get(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) {
-	int i;
-
-	for (i = 0;; i++) {
-		if (maps[i] == NULL)
-			return (ISC_R_NOTFOUND);
-		if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS)
-			return (ISC_R_SUCCESS);
-	}
-}
-
-static isc_result_t
 configure_hint(const char *zfile, const char *zclass, isc_mem_t *mctx) {
 	isc_result_t result;
 	dns_db_t *db = NULL;
@@ -192,10 +180,12 @@
 	const char *zname;
 	const char *zfile = NULL;
 	const cfg_obj_t *maps[4];
+	const cfg_obj_t *mastersobj = NULL;
 	const cfg_obj_t *zoptions = NULL;
 	const cfg_obj_t *classobj = NULL;
 	const cfg_obj_t *typeobj = NULL;
 	const cfg_obj_t *fileobj = NULL;
+	const cfg_obj_t *dlzobj = NULL;
 	const cfg_obj_t *dbobj = NULL;
 	const cfg_obj_t *obj = NULL;
 	const cfg_obj_t *fmtobj = NULL;
@@ -226,6 +216,19 @@
 	if (typeobj == NULL)
 		return (ISC_R_FAILURE);
 
+	/*
+	 * Skip checks when using an alternate data source.
+	 */
+	cfg_map_get(zoptions, "database", &dbobj);
+	if (dbobj != NULL &&
+	    strcmp("rbt", cfg_obj_asstring(dbobj)) != 0 &&
+	    strcmp("rbt64", cfg_obj_asstring(dbobj)) != 0)
+		return (ISC_R_SUCCESS);
+
+	cfg_map_get(zoptions, "dlz", &dlzobj);
+	if (dlzobj != NULL)
+		return (ISC_R_SUCCESS);
+
 	cfg_map_get(zoptions, "file", &fileobj);
 	if (fileobj != NULL)
 		zfile = cfg_obj_asstring(fileobj);
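Review bot: The new early `return (ISC_R_SUCCESS)` paths for a non-rbt `database` and for `dlz` mean `named-checkconf -z` reports these zones as passing without loading anything, and neither the comment nor any output says the zone was skipped. The later hunk's redirect-with-`masters` return has the same effect. I would at least widen the comment to `/* Skip checks when using an alternate data source: the zone is reported as OK without being loaded. */` so the contract is explicit. The database comparison uses an exact, case-sensitive `strcmp`, while the type checks nearby use `strcasecmp`; if the `database` string can differ in case or carry trailing arguments (not visible here), an rbt-backed zone would also be silently skipped. The enclosing function starts and ends outside this hunk.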
@@ -241,13 +244,18 @@
 		  (strcasecmp(cfg_obj_asstring(typeobj), "redirect") != 0))
 		return (ISC_R_SUCCESS);
 
+	/*
+	 * Is the redirect zone configured as a slave?
+	 */
+	if (strcasecmp(cfg_obj_asstring(typeobj), "redirect") == 0) {
+		cfg_map_get(zoptions, "masters", &mastersobj);
+		if (mastersobj != NULL)
+			return (ISC_R_SUCCESS);
+	}
+
 	if (zfile == NULL)
 		return (ISC_R_FAILURE);
 
-	cfg_map_get(zoptions, "database", &dbobj);
-	if (dbobj != NULL)
-		return (ISC_R_SUCCESS);
-
 	obj = NULL;
 	if (get_maps(maps, "check-dup-records", &obj)) {
 		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
@@ -369,8 +377,7 @@
 
 	masterformat = dns_masterformat_text;
 	fmtobj = NULL;
-	result = config_get(maps, "masterfile-format", &fmtobj);
-	if (result == ISC_R_SUCCESS) {
+	if (get_maps(maps, "masterfile-format", &fmtobj)) {
 		const char *masterformatstr = cfg_obj_asstring(fmtobj);
 		if (strcasecmp(masterformatstr, "text") == 0)
 			masterformat = dns_masterformat_text;
--- a/external/bsd/bind/dist/bin/check/named-checkzone.8	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/check/named-checkzone.8	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-.\"	$NetBSD: named-checkzone.8,v 1.5 2014/03/01 03:24:32 christos Exp $
+.\"	$NetBSD: named-checkzone.8,v 1.6 2014/07/08 05:43:37 spz Exp $
 .\"
 .\" Copyright (C) 2004-2007, 2009-2014 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2002 Internet Software Consortium.
@@ -22,11 +22,11 @@
 .\"     Title: named\-checkzone
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: June 13, 2000
+.\"      Date: February 19, 2014
 .\"    Manual: BIND9
 .\"    Source: BIND9
 .\"
-.TH "NAMED\-CHECKZONE" "8" "June 13, 2000" "BIND9" "BIND9"
+.TH "NAMED\-CHECKZONE" "8" "February 19, 2014" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
--- a/external/bsd/bind/dist/bin/confgen/ddns-confgen.8	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/confgen/ddns-confgen.8	Tue Jul 08 05:43:37 2014 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: ddns-confgen.8,v 1.3 2012/06/05 00:38:50 christos Exp $
+.\"	$NetBSD: ddns-confgen.8,v 1.4 2014/07/08 05:43:37 spz Exp $
 .\"
-.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -21,11 +21,11 @@
 .\"     Title: ddns\-confgen
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jan 29, 2009
+.\"      Date: March 6, 2014
 .\"    Manual: BIND9
 .\"    Source: BIND9
 .\"
-.TH "DDNS\-CONFGEN" "8" "Jan 29, 2009" "BIND9" "BIND9"
+.TH "DDNS\-CONFGEN" "8" "March 6, 2014" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -33,34 +33,39 @@
 .SH "NAME"
 ddns\-confgen \- ddns key generation tool
 .SH "SYNOPSIS"
+.HP 12
+\fBtsig\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [name]
 .HP 13
-\fBddns\-confgen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\-s\ \fIname\fR | \-z\ \fIzone\fR] [\fB\-q\fR] [name]
+\fBddns\-confgen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-q\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\-s\ \fIname\fR | \-z\ \fIzone\fR]
 .SH "DESCRIPTION"
 .PP
+\fBtsig\-keygen\fR
+and
 \fBddns\-confgen\fR
-generates a key for use by
-\fBnsupdate\fR
-and
-\fBnamed\fR. It simplifies configuration of dynamic zones by generating a key and providing the
+are invokation methods for a utility that generates keys for use in TSIG signing. The resulting keys can be used, for example, to secure dynamic DNS updates to a zone or for the
+\fBrndc\fR
+command channel.
+.PP
+When run as
+\fBtsig\-keygen\fR, a domain name can be specified on the command line which will be used as the name of the generated key. If no name is specified, the default is
+\fBtsig\-key\fR.
+.PP
+When run as
+\fBddns\-confgen\fR, the generated key is accompanied by configuration text and instructions that can be used with
 \fBnsupdate\fR
 and
-\fBnamed.conf\fR
-syntax that will be needed to use it, including an example
+\fBnamed\fR
+when setting up dynamic DNS, including an example
 \fBupdate\-policy\fR
-statement.
-.PP
-If a domain name is specified on the command line, it will be used in the name of the generated key and in the sample
-\fBnamed.conf\fR
-syntax. For example,
-\fBddns\-confgen example.com\fR
-would generate a key called "ddns\-key.example.com", and sample
-\fBnamed.conf\fR
-command that could be used in the zone definition for "example.com".
+statement. (This usage similar to the
+\fBrndc\-confgen\fR
+command for setting up command channel security.)
 .PP
 Note that
 \fBnamed\fR
 itself can configure a local DDNS key for use with
-\fBnsupdate \-l\fR.
+\fBnsupdate \-l\fR: it does this when a zone is configured with
+\fBupdate\-policy local;\fR.
 \fBddns\-confgen\fR
 is only needed when a more elaborate configuration is required: for instance, if
 \fBnsupdate\fR
@@ -69,13 +74,12 @@
 .PP
 \-a \fIalgorithm\fR
 .RS 4
-Specifies the algorithm to use for the TSIG key. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512. The default is hmac\-sha256.
+Specifies the algorithm to use for the TSIG key. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512. The default is hmac\-sha256. Options are case\-insensitive, and the "hmac\-" prefix may be omitted.
 .RE
 .PP
 \-h
 .RS 4
-Prints a short summary of the options and arguments to
-\fBddns\-confgen\fR.
+Prints a short summary of options and arguments.
 .RE
 .PP
 \-k \fIkeyname\fR
@@ -95,7 +99,9 @@
 .PP
 \-q
 .RS 4
-Quiet mode: Print only the key, with no explanatory text or usage examples.
+(\fBddns\-confgen\fR
+only.) Quiet mode: Print only the key, with no explanatory text or usage examples; This is essentially identical to
+\fBtsig\-keygen\fR.
 .RE
 .PP
 \-r \fIrandomfile\fR
@@ -111,7 +117,8 @@
 .PP
 \-s \fIname\fR
 .RS 4
-Single host mode: The example
+(\fBddns\-confgen\fR
+only.) Generate configuration example to allow dynamic updates of a single hostname. The example
 \fBnamed.conf\fR
 text shows how to set an update policy for the specified
 \fIname\fR
@@ -122,7 +129,8 @@
 .PP
 \-z \fIzone\fR
 .RS 4
-zone mode: The example
+(\fBddns\-confgen\fR
+only.) Generate configuration example to allow dynamic updates of a zone: The example
 \fBnamed.conf\fR
 text shows how to set an update policy for the specified
 \fIzone\fR
@@ -141,5 +149,5 @@
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014 Internet Systems Consortium, Inc. ("ISC")
 .br
--- a/external/bsd/bind/dist/bin/confgen/ddns-confgen.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/confgen/ddns-confgen.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ddns-confgen.c,v 1.6 2014/03/01 03:24:32 christos Exp $	*/
+/*	$NetBSD: ddns-confgen.c,v 1.7 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
  * Copyright (C) 2009, 2011, 2014  Internet Systems Consortium, Inc. ("ISC")
@@ -16,8 +16,6 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* Id: ddns-confgen.c,v 1.11 2011/03/12 04:59:46 tbox Exp  */
-
 /*! \file */
 
 /**
@@ -46,8 +44,13 @@
 #include <isc/time.h>
 #include <isc/util.h>
 
+#ifdef PKCS11CRYPTO
+#include <pk11/result.h>
+#endif
+
 #include <dns/keyvalues.h>
 #include <dns/name.h>
+#include <dns/result.h>
 
 #include <dst/dst.h>
 #include <confgen/os.h>
@@ -55,20 +58,21 @@
 #include "util.h"
 #include "keygen.h"
 
-#define DEFAULT_KEYNAME		"ddns-key"
+#define KEYGEN_DEFAULT		"tsig-key"
+#define CONFGEN_DEFAULT		"ddns-key"
 
 static char program[256];
 const char *progname;
-
-isc_boolean_t verbose = ISC_FALSE;
+static enum { progmode_keygen, progmode_confgen} progmode;
+isc_boolean_t verbose = ISC_FALSE; /* needed by util.c but not used here */
 
 ISC_PLATFORM_NORETURN_PRE static void
 usage(int status) ISC_PLATFORM_NORETURN_POST;
 
 static void
 usage(int status) {
-
-	fprintf(stderr, "\
+	if (progmode == progmode_confgen) {
+		fprintf(stderr, "\
 Usage:\n\
  %s [-a alg] [-k keyname] [-r randomfile] [-q] [-s name | -z zone]\n\
   -a alg:        algorithm (default hmac-sha256)\n\
@@ -77,39 +81,70 @@
   -s name:       domain name to be updated using the created key\n\
   -z zone:       name of the zone as it will be used in named.conf\n\
   -q:            quiet mode: print the key, with no explanatory text\n",
-		 progname);
+			 progname);
+	} else {
+		fprintf(stderr, "\
+Usage:\n\
+ %s [-a alg] [-r randomfile] [keyname]\n\
+  -a alg:        algorithm (default hmac-sha256)\n\
+  -r randomfile: source of random data (use \"keyboard\" for key timing)\n",
+			 progname);
+	}
 
 	exit (status);
 }
 
 int
 main(int argc, char **argv) {
+	isc_result_t result = ISC_R_SUCCESS;
 	isc_boolean_t show_final_mem = ISC_FALSE;
 	isc_boolean_t quiet = ISC_FALSE;
 	isc_buffer_t key_txtbuffer;
 	char key_txtsecret[256];
 	isc_mem_t *mctx = NULL;
-	isc_result_t result = ISC_R_SUCCESS;
 	const char *randomfile = NULL;
 	const char *keyname = NULL;
 	const char *zone = NULL;
 	const char *self_domain = NULL;
 	char *keybuf = NULL;
 	dns_secalg_t alg = DST_ALG_HMACSHA256;
-	const char *algname = alg_totext(alg);
+	const char *algname;
 	int keysize = 256;
 	int len = 0;
 	int ch;
 
+#ifdef PKCS11CRYPTO
+	pk11_result_register();
+#endif
+	dns_result_register();
+
 	result = isc_file_progname(*argv, program, sizeof(program));
 	if (result != ISC_R_SUCCESS)
-		memmove(program, "ddns-confgen", 13);
+		memmove(program, "tsig-keygen", 11);
 	progname = program;
 
+	/*
+	 * Libtool doesn't preserve the program name prior to final
+	 * installation.  Remove the libtool prefix ("lt-").
+	 */
+	if (strncmp(progname, "lt-", 3) == 0)
+		progname += 3;
+
+#define PROGCMP(X) \
+	(strcasecmp(progname, X) == 0 || strcasecmp(progname, X ".exe") == 0)
+
+	if (PROGCMP("tsig-keygen")) {
+		progmode = progmode_keygen;
+		quiet = ISC_TRUE;
+	} else if (PROGCMP("ddns-confgen"))
+		progmode = progmode_confgen;
+	else
+		INSIST(0);
+
 	isc_commandline_errprint = ISC_FALSE;
 
 	while ((ch = isc_commandline_parse(argc, argv,
-					   "a:hk:Mmr:qs:Vy:z:")) != -1) {
+					   "a:hk:Mmr:qs:y:z:")) != -1) {
 		switch (ch) {
 		case 'a':
 			algname = isc_commandline_argument;
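Review bot: The fallback `memmove(program, "tsig-keygen", 11);` copies the eleven characters of the name but not its terminating NUL, whereas the old call copied 13 bytes for the twelve-character "ddns-confgen". `progname` is therefore only terminated if `program` still holds zeros after `isc_file_progname` failed; `memmove(program, "tsig-keygen", sizeof("tsig-keygen"));` removes that dependency. Separately, the `else INSIST(0);` branch after the `PROGCMP` tests aborts with an assertion whenever the binary is run under any other basename (a rename, a wrapper or a differently named symlink). Printing a message and exiting, e.g. `fprintf(stderr, "%s: unknown program name\n", progname); exit(1);`, would fail cleanly instead of dumping core. main() continues outside this hunk.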
@@ -122,7 +157,10 @@
 			usage(0);
 		case 'k':
 		case 'y':
-			keyname = isc_commandline_argument;
+			if (progmode == progmode_confgen)
+				keyname = isc_commandline_argument;
+			else
+				usage(1);
 			break;
 		case 'M':
 			isc_mem_debugging = ISC_MEM_DEBUGTRACE;
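Review bot: The mode test `if (progmode == progmode_confgen) ... else usage(1);` is written out here for `-k`/`-y` and repeated for `-q`, `-s` and `-z` in the next hunk, with nothing saying why those options are rejected. A single comment above the first case would document the rule, for example `/* -k, -y, -q, -s and -z belong to ddns-confgen; tsig-keygen takes the key name as a positional argument */`. Note also that `-q` now ends in `usage(1)` for tsig-keygen even though that mode already forces `quiet = ISC_TRUE`, which may surprise callers that pass `-q` out of habit. The enclosing switch in `main` starts and ends outside this hunk.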
@@ -131,19 +169,25 @@
 			show_final_mem = ISC_TRUE;
 			break;
 		case 'q':
-			quiet = ISC_TRUE;
+			if (progmode == progmode_confgen)
+				quiet = ISC_TRUE;
+			else
+				usage(1);
 			break;
 		case 'r':
 			randomfile = isc_commandline_argument;
 			break;
 		case 's':
-			self_domain = isc_commandline_argument;
-			break;
-		case 'V':
-			verbose = ISC_TRUE;
+			if (progmode == progmode_confgen)
+				self_domain = isc_commandline_argument;
+			else
+				usage(1);
 			break;
 		case 'z':
-			zone = isc_commandline_argument;
+			if (progmode == progmode_confgen)
+				zone = isc_commandline_argument;
+			else
+				usage(1);
 			break;
 		case '?':
 			if (isc_commandline_option != '?') {
@@ -160,22 +204,28 @@
 		}
 	}
 
-	argc -= isc_commandline_index;
-	argv += isc_commandline_index;
+	if (progmode == progmode_keygen)
+		keyname = argv[isc_commandline_index++];
+
 	POST(argv);
 
 	if (self_domain != NULL && zone != NULL)
 		usage(1);	/* -s and -z cannot coexist */
 
-	if (argc > 0)
+	if (argc > isc_commandline_index)
 		usage(1);
 
+	/* Use canonical algorithm name */
+	algname = alg_totext(alg);
+
 	DO("create memory context", isc_mem_create(0, 0, &mctx));
 
 	if (keyname == NULL) {
 		const char *suffix = NULL;
 
-		keyname = DEFAULT_KEYNAME;
+		keyname = ((progmode == progmode_keygen)
+			?  KEYGEN_DEFAULT
+			: CONFGEN_DEFAULT);
 		if (self_domain != NULL)
 			suffix = self_domain;
 		else if (zone != NULL)
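Review bot: In keygen mode the key name is read with `keyname = argv[isc_commandline_index++];` without first checking that an argument is left. When none is given this reads `argv[argc]`, which the C standard guarantees to be NULL, so the default name is still chosen, but the index then ends at `argc + 1` and the later `argc > isc_commandline_index` test passes only by accident. Bounding the read makes the intent explicit: `if (progmode == progmode_keygen && isc_commandline_index < argc)` followed by the same assignment. `main` begins before this hunk and continues after it.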
--- a/external/bsd/bind/dist/bin/confgen/keygen.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/confgen/keygen.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: keygen.c,v 1.4 2013/07/27 19:23:09 christos Exp $	*/
+/*	$NetBSD: keygen.c,v 1.5 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
- * Copyright (C) 2009, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009, 2012-2014  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -71,17 +71,21 @@
  */
 dns_secalg_t
 alg_fromtext(const char *name) {
-	if (strcmp(name, "hmac-md5") == 0)
+	const char *p = name;
+	if (strncasecmp(p, "hmac-", 5) == 0)
+		p = &name[5];
+
+	if (strcasecmp(p, "md5") == 0)
 		return DST_ALG_HMACMD5;
-	if (strcmp(name, "hmac-sha1") == 0)
+	if (strcasecmp(p, "sha1") == 0)
 		return DST_ALG_HMACSHA1;
-	if (strcmp(name, "hmac-sha224") == 0)
+	if (strcasecmp(p, "sha224") == 0)
 		return DST_ALG_HMACSHA224;
-	if (strcmp(name, "hmac-sha256") == 0)
+	if (strcasecmp(p, "sha256") == 0)
 		return DST_ALG_HMACSHA256;
-	if (strcmp(name, "hmac-sha384") == 0)
+	if (strcasecmp(p, "sha384") == 0)
 		return DST_ALG_HMACSHA384;
-	if (strcmp(name, "hmac-sha512") == 0)
+	if (strcasecmp(p, "sha512") == 0)
 		return DST_ALG_HMACSHA512;
 	return DST_ALG_UNKNOWN;
 }
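Review bot: `alg_fromtext` now accepts the algorithm name with or without the `hmac-` prefix and in any letter case, but the doc comment that closes just above the function lies outside this hunk and may still describe only the exact `hmac-*` spellings. It should say something like `/* Accepts "hmac-sha256" or "sha256", case-insensitively; returns DST_ALG_UNKNOWN for anything else */`. The prefix length is hard-coded twice, in `strncasecmp(p, "hmac-", 5)` and `p = &name[5]`; deriving both from one constant such as `sizeof("hmac-") - 1` keeps them in step. As before the change, `name` is dereferenced without a NULL check, so callers must pass a non-NULL string.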
--- a/external/bsd/bind/dist/bin/confgen/rndc-confgen.8	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/confgen/rndc-confgen.8	Tue Jul 08 05:43:37 2014 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: rndc-confgen.8,v 1.4 2014/03/01 03:24:32 christos Exp $
+.\"	$NetBSD: rndc-confgen.8,v 1.5 2014/07/08 05:43:37 spz Exp $
 .\"
-.\" Copyright (C) 2004, 2005, 2007, 2009, 2013 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007, 2009, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2001, 2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -22,11 +22,11 @@
 .\"     Title: rndc\-confgen
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Aug 27, 2001
+.\"      Date: March 14, 2013
 .\"    Manual: BIND9
 .\"    Source: BIND9
 .\"
-.TH "RNDC\-CONFGEN" "8" "Aug 27, 2001" "BIND9" "BIND9"
+.TH "RNDC\-CONFGEN" "8" "March 14, 2013" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -212,7 +212,7 @@
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007, 2009, 2013 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007, 2009, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2001, 2003 Internet Software Consortium.
 .br
--- a/external/bsd/bind/dist/bin/delv/delv.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/delv/delv.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: delv.c,v 1.1.1.1 2014/07/08 04:45:12 spz Exp $	*/
+/*	$NetBSD: delv.c,v 1.2 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
  * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
@@ -86,7 +86,7 @@
 		result = (r); \
 		if (result != ISC_R_SUCCESS) \
 			goto cleanup; \
-	} while (0)
+	} while (/*CONSTCOND*/0)
 
 #define MAXNAME (DNS_NAME_MAXTEXT+1)
 
@@ -704,7 +704,7 @@
 
 	if (filename == NULL) {
 #ifndef WIN32
-		filename = SYSCONFDIR "/bind.keys";
+		filename = NS_SYSCONFDIR "/bind.keys";
 #else
 		static char buf[MAX_PATH];
 		strlcpy(buf, isc_ntpaths_get(SYS_CONF_DIR), sizeof(buf));
@@ -990,7 +990,7 @@
 		size_t _l = strlen(cmd); \
 		if (_l >= sizeof(A) || strncasecmp(cmd, A, _l) != 0) \
 			goto invalid_option; \
-	} while (0)
+	} while (/*CONSTCOND*/0)
 
 	switch (cmd[0]) {
 	case 'a': /* all */
--- a/external/bsd/bind/dist/bin/delve/Makefile.in	Tue Jul 08 04:44:50 2014 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,84 +0,0 @@
-# Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} ${ISC_INCLUDES} \
-		${IRS_INCLUDES} ${ISCCFG_INCLUDES}
-
-CDEFINES =	-DVERSION=\"${VERSION}\" -DSYSCONFDIR=\"${sysconfdir}\"
-CWARNINGS =
-
-ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
-DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@
-ISCLIBS =	../../lib/isc/libisc.@A@
-IRSLIBS =	../../lib/irs/libirs.@A@
-
-ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
-DNSDEPLIBS =	../../lib/dns/libdns.@A@
-ISCDEPLIBS =	../../lib/isc/libisc.@A@
-IRSDEPLIBS =	../../lib/irs/libirs.@A@
-
-DEPLIBS =	${DNSDEPLIBS} ${IRSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
-
-LIBS =		${DNSLIBS} ${IRSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
-NOSYMLIBS =	${DNSLIBS} ${IRSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
-
-SUBDIRS =
-
-TARGETS =	delve@EXEEXT@
-
-OBJS =		delve.@O@
-
-SRCS =		delve.c
-
-MANPAGES =	delve.1
-
-HTMLPAGES =	delve.html
-
-MANOBJS =	${MANPAGES} ${HTMLPAGES}
-
-@BIND9_MAKE_RULES@
-
-delve@EXEEXT@: delve.@O@ ${DEPLIBS}
-	export BASEOBJS="delve.@O@"; \
-	export LIBS0="${DNSLIBS}"; \
-	${FINALBUILDCMD}
-
-#	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-#	delve.@O@ ${LIBS}
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
-
-install:: delve@EXEEXT@
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
-		delve@EXEEXT@ ${DESTDIR}${bindir}
-	${INSTALL_DATA} ${srcdir}/delve.1 ${DESTDIR}${mandir}/man1
-
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
-	rm -f ${MANOBJS}
-
-clean distclean maintainer-clean::
-	rm -f ${TARGETS}
--- a/external/bsd/bind/dist/bin/delve/delve.1	Tue Jul 08 04:44:50 2014 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,418 +0,0 @@
-.\"	$NetBSD: delve.1,v 1.1.1.1 2014/02/28 17:40:05 christos Exp $
-.\"
-.\" Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
-.\"
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" Id
-.\"
-.hy 0
-.ad l
-.\"     Title: delve
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: February 21, 2014
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "DELVE" "1" "February 21, 2014" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-delve \- DNS lookup and validation utility
-.SH "SYNOPSIS"
-.HP 6
-\fBdelve\fR [@server] [\fB\-4\fR] [\fB\-6\fR] [\fB\-a\ \fR\fB\fIanchor\-file\fR\fR] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIlevel\fR\fR] [\fB\-i\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [name] [type] [class] [queryopt...]
-.HP 6
-\fBdelve\fR [\fB\-h\fR]
-.HP 6
-\fBdelve\fR [\fB\-v\fR]
-.HP 6
-\fBdelve\fR [queryopt...] [query...]
-.SH "DESCRIPTION"
-.PP
-\fBdelve\fR
-(Domain Entity Lookup & Validation Engine) is a tool for sending DNS queries and validating the results, using the the same internal resolver and validator logic as
-\fBnamed\fR.
-.PP
-\fBdelve\fR
-will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records to establish a chain of trust for DNSSEC validation. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding.
-.PP
-By default, responses are validated using built\-in DNSSEC trust anchors for the root zone (".") and for the ISC DNSSEC lookaside validation zone ("dlv.isc.org"). Records returned by
-\fBdelve\fR
-are either fully validated or were not signed. If validation fails, an explanation of the failure is included in the output; the validation process can be traced in detail. Because
-\fBdelve\fR
-does not rely on an external server to carry out validation, it can be used to check the validity of DNS responses in environments where local name servers may not be trustworthy.
-.PP
-Unless it is told to query a specific name server,
-\fBdelve\fR
-will try each of the servers listed in
-\fI/etc/resolv.conf\fR. If no usable server addresses are found,
-\fBdelve\fR
-will send queries to the localhost addresses (127.0.0.1 for IPv4, ::1 for IPv6).
-.PP
-When no command line arguments or options are given,
-\fBdelve\fR
-will perform an NS query for "." (the root zone).
-.SH "SIMPLE USAGE"
-.PP
-A typical invocation of
-\fBdelve\fR
-looks like:
-.sp
-.RS 4
-.nf
- delve @server name type 
-.fi
-.RE
-.sp
-where:
-.PP
-\fBserver\fR
-.RS 4
-is the name or IP address of the name server to query. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation. When the supplied
-\fIserver\fR
-argument is a hostname,
-\fBdelve\fR
-resolves that name before querying that name server (note, however, that this initial lookup is
-\fInot\fR
-validated by DNSSEC).
-.sp
-If no
-\fIserver\fR
-argument is provided,
-\fBdelve\fR
-consults
-\fI/etc/resolv.conf\fR; if an address is found there, it queries the name server at that address. If either of the
-\fB\-4\fR
-or
-\fB\-6\fR
-options are in use, then only addresses for the corresponding transport will be tried. If no usable addresses are found,
-\fBdelve\fR
-will send queries to the localhost addresses (127.0.0.1 for IPv4, ::1 for IPv6).
-.RE
-.PP
-\fBname\fR
-.RS 4
-is the domain name to be looked up.
-.RE
-.PP
-\fBtype\fR
-.RS 4
-indicates what type of query is required \(em ANY, A, MX, etc.
-\fItype\fR
-can be any valid query type. If no
-\fItype\fR
-argument is supplied,
-\fBdelve\fR
-will perform a lookup for an A record.
-.RE
-.SH "OPTIONS"
-.PP
-\-a \fIanchor\-file\fR
-.RS 4
-Specifies a file from which to read DNSSEC trust anchors. The default is
-\fI/etc/bind.keys\fR, which is included with
-BIND
-9 and contains trust anchors for the root zone (".") and for the ISC DNSSEC lookaside validation zone ("dlv.isc.org").
-.sp
-Keys that do not match the root or DLV trust\-anchor names are ignored; these key names can be overridden using the
-\fB+dlv=NAME\fR
-or
-\fB+root=NAME\fR
-options.
-.sp
-Note: When reading the trust anchor file,
-\fBdelve\fR
-treats
-\fBmanaged\-keys\fR
-statements and
-\fBtrusted\-keys\fR
-statements identically. That is, for a managed key, it is the
-\fIinitial\fR
-key that is trusted; RFC 5011 key management is not supported.
-\fBdelve\fR
-will not consult the managed\-keys database maintained by
-\fBnamed\fR. This means that if either of the keys in
-\fI/etc/bind.keys\fR
-is revoked and rolled over, it will be necessary to update
-\fI/etc/bind.keys\fR
-to use DNSSEC validation in
-\fBdelve\fR.
-.RE
-.PP
-\-b \fIaddress\fR
-.RS 4
-Sets the source IP address of the query to
-\fIaddress\fR. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional source port may be specified by appending "#<port>"
-.RE
-.PP
-\-c \fIclass\fR
-.RS 4
-Sets the query class for the requested data. Currently, only class "IN" is supported in
-\fBdelve\fR
-and any other value is ignored.
-.RE
-.PP
-\-d \fIlevel\fR
-.RS 4
-Set the systemwide debug level to
-\fBlevel\fR. The allowed range is from 0 to 99. The default is 0 (no debugging). Debugging traces from
-\fBdelve\fR
-become more verbose as the debug level increases. See the
-\fB+mtrace\fR,
-\fB+rtrace\fR, and
-\fB+vtrace\fR
-options below for additional debugging details.
-.RE
-.PP
-\-h
-.RS 4
-Display the
-\fBdelve\fR
-help usage output and exit.
-.RE
-.PP
-\-i
-.RS 4
-Insecure mode. This disables internal DNSSEC validation. (Note, however, this does not set the CD bit on upstream queries. If the server being queried is performing DNSSEC validation, then it will not return invalid data; this can cause
-\fBdelve\fR
-to time out. When it is necessary to examine invalid data to debug a DNSSEC problem, use
-\fBdig +cd\fR.)
-.RE
-.PP
-\-m
-.RS 4
-Enables memory usage debugging.
-.RE
-.PP
-\-p \fIport#\fR
-.RS 4
-Specifies a destination port to use for queries instead of the standard DNS port number 53. This option would be used with a name server that has been configured to listen for queries on a non\-standard port number.
-.RE
-.PP
-\-q \fIname\fR
-.RS 4
-Sets the query name to
-\fIname\fR. While the query name can be specified without using the
-\fB\-q\fR, it is sometimes necessary to disambiguate names from types or classes (for example, when looking up the name "ns", which could be misinterpreted as the type NS, or "ch", which could be misinterpreted as class CH).
-.RE
-.PP
-\-t \fItype\fR
-.RS 4
-Sets the query type to
-\fItype\fR, which can be any valid query type supported in BIND 9 except for zone transfer types AXFR and IXFR. As with
-\fB\-q\fR, this is useful to distinguish query name type or class when they are ambiguous. it is sometimes necessary to disambiguate names from types.
-.sp
-The default query type is "A", unless the
-\fB\-x\fR
-option is supplied to indicate a reverse lookup, in which case it is "PTR".
-.RE
-.PP
-\-v
-.RS 4
-Print the
-\fBdelve\fR
-version and exit.
-.RE
-.PP
-\-x \fIaddr\fR
-.RS 4
-Performs a reverse lookup, mapping an addresses to a name.
-\fIaddr\fR
-is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address. When
-\fB\-x\fR
-is used, there is no need to provide the
-\fIname\fR
-or
-\fItype\fR
-arguments.
-\fBdelve\fR
-automatically performs a lookup for a name like
-11.12.13.10.in\-addr.arpa
-and sets the query type to PTR. IPv6 addresses are looked up using nibble format under the IP6.ARPA domain.
-.RE
-.PP
-\-4
-.RS 4
-Forces
-\fBdelve\fR
-to only use IPv4.
-.RE
-.PP
-\-6
-.RS 4
-Forces
-\fBdelve\fR
-to only use IPv6.
-.RE
-.SH "QUERY OPTIONS"
-.PP
-\fBdelve\fR
-provides a number of query options which affect the way results are displayed, and in some cases the way lookups are performed.
-.PP
-Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These may be preceded by the string
-no
-to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form
-\fB+keyword=value\fR. The query options are:
-.PP
-\fB+[no]cdflag\fR
-.RS 4
-Controls whether to set the CD (checking disabled) bit in queries sent by
-\fBdelve\fR. This may be useful when troubleshooting DNSSEC problems from behind a validating resolver. A validating resolver will block invalid responses, making it difficult to retrieve them for analysis. Setting the CD flag on queries will cause the resolver to return invalid responses, which
-\fBdelve\fR
-can then validate internally and report the errors in detail.
-.RE
-.PP
-\fB+[no]class\fR
-.RS 4
-Controls whether to display the CLASS when printing a record. The default is to display the CLASS.
-.RE
-.PP
-\fB+[no]ttl\fR
-.RS 4
-Controls whether to display the TTL when printing a record. The default is to display the TTL.
-.RE
-.PP
-\fB+[no]rtrace\fR
-.RS 4
-Toggle resolver fetch logging. This reports the name and type of each query sent by
-\fBdelve\fR
-in the process of carrying out the resolution and validation process: this includes including the original query and all subsequent queries to follow CNAMEs and to establish a chain of trust for DNSSEC validation.
-.sp
-This is equivalent to setting the debug level to 1 in the "resolver" logging category. Setting the systemwide debug level to 1 using the
-\fB\-d\fR
-option will product the same output (but will affect other logging categories as well).
-.RE
-.PP
-\fB+[no]mtrace\fR
-.RS 4
-Toggle message logging. This produces a detailed dump of the responses received by
-\fBdelve\fR
-in the process of carrying out the resolution and validation process.
-.sp
-This is equivalent to setting the debug level to 10 for the the "packets" module of the "resolver" logging category. Setting the systemwide debug level to 10 using the
-\fB\-d\fR
-option will produce the same output (but will affect other logging categories as well).
-.RE
-.PP
-\fB+[no]vtrace\fR
-.RS 4
-Toggle validation logging. This shows the internal process of the validator as it determines whether an answer is validly signed, unsigned, or invalid.
-.sp
-This is equivalent to setting the debug level to 3 for the the "validator" module of the "dnssec" logging category. Setting the systemwide debug level to 3 using the
-\fB\-d\fR
-option will produce the same output (but will affect other logging categories as well).
-.RE
-.PP
-\fB+[no]short\fR
-.RS 4
-Provide a terse answer. The default is to print the answer in a verbose form.
-.RE
-.PP
-\fB+[no]comments\fR
-.RS 4
-Toggle the display of comment lines in the output. The default is to print comments.
-.RE
-.PP
-\fB+[no]rrcomments\fR
-.RS 4
-Toggle the display of per\-record comments in the output (for example, human\-readable key information about DNSKEY records). The default is to print per\-record comments.
-.RE
-.PP
-\fB+[no]crypto\fR
-.RS 4
-Toggle the display of cryptographic fields in DNSSEC records. The contents of these field are unnecessary to debug most DNSSEC validation failures and removing them makes it easier to see the common failures. The default is to display the fields. When omitted they are replaced by the string "[omitted]" or in the DNSKEY case the key id is displayed as the replacement, e.g. "[ key id = value ]".
-.RE
-.PP
-\fB+[no]trust\fR
-.RS 4
-Controls whether to display the trust level when printing a record. The default is to display the trust level.
-.RE
-.PP
-\fB+[no]split[=W]\fR
-.RS 4
-Split long hex\- or base64\-formatted fields in resource records into chunks of
-\fIW\fR
-characters (where
-\fIW\fR
-is rounded up to the nearest multiple of 4).
-\fI+nosplit\fR
-or
-\fI+split=0\fR
-causes fields not to be split at all. The default is 56 characters, or 44 characters when multiline mode is active.
-.RE
-.PP
-\fB+[no]all\fR
-.RS 4
-Set or clear the display options
-\fB+[no]comments\fR,
-\fB+[no]rrcomments\fR, and
-\fB+[no]trust\fR
-as a group.
-.RE
-.PP
-\fB+[no]multiline\fR
-.RS 4
-Print long records (such as RRSIG, DNSKEY, and SOA records) in a verbose multi\-line format with human\-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the
-\fBdelve\fR
-output.
-.RE
-.PP
-\fB+[no]dnssec\fR
-.RS 4
-Indicates whether to display RRSIG records in the
-\fBdelve\fR
-output. The default is to do so. Note that (unlike in
-\fBdig\fR) this does
-\fInot\fR
-control whether to request DNSSEC records or whether to validate them. DNSSEC records are always requested, and validation will always occur unless suppressed by the use of
-\fB\-i\fR
-or
-\fB+noroot\fR
-and
-\fB+nodlv\fR.
-.RE
-.PP
-\fB+[no]root[=ROOT]\fR
-.RS 4
-Indicates whether to perform conventional (non\-lookaside) DNSSEC validation, and if so, specifies the name of a trust anchor. The default is to validate using a trust anchor of "." (the root zone), for which there is a built\-in key. If specifying a different trust anchor, then
-\fB\-a\fR
-must be used to specify a file containing the key.
-.RE
-.PP
-\fB+[no]dlv[=DLV]\fR
-.RS 4
-Indicates whether to perform DNSSEC lookaside validation, and if so, specifies the name of the DLV trust anchor. The default is to perform lookaside validation using a trust anchor of "dlv.isc.org", for which there is a built\-in key. If specifying a different name, then
-\fB\-a\fR
-must be used to specify a file containing the DLV key.
-.RE
-.SH "FILES"
-.PP
-\fI/etc/bind.keys\fR
-.PP
-\fI/etc/resolv.conf\fR
-.SH "SEE ALSO"
-.PP
-\fBdig\fR(1),
-\fBnamed\fR(8),
-RFC4034,
-RFC4035,
-RFC4431,
-RFC5074,
-RFC5155.
-.SH "COPYRIGHT"
-Copyright \(co 2014 Internet Systems Consortium, Inc. ("ISC")
-.br
--- a/external/bsd/bind/dist/bin/delve/delve.c	Tue Jul 08 04:44:50 2014 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,1637 +0,0 @@
-/*	$NetBSD: delve.c,v 1.1.1.1 2014/02/28 17:40:05 christos Exp $	*/
-
-/*
- * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <config.h>
-#include <bind.keys.h>
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <signal.h>
-
-#include <netinet/in.h>
-
-#include <arpa/inet.h>
-
-#include <unistd.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <netdb.h>
-
-#include <isc/app.h>
-#include <isc/base64.h>
-#include <isc/buffer.h>
-#include <isc/lib.h>
-#include <isc/log.h>
-#include <isc/mem.h>
-#include <isc/parseint.h>
-#include <isc/print.h>
-#include <isc/sockaddr.h>
-#include <isc/socket.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <irs/resconf.h>
-#include <irs/netdb.h>
-
-#include <isccfg/log.h>
-#include <isccfg/namedconf.h>
-
-#include <dns/byaddr.h>
-#include <dns/client.h>
-#include <dns/fixedname.h>
-#include <dns/keytable.h>
-#include <dns/keyvalues.h>
-#include <dns/lib.h>
-#include <dns/log.h>
-#include <dns/masterdump.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-#include <dns/secalg.h>
-#include <dns/view.h>
-
-#include <dst/dst.h>
-#include <dst/result.h>
-
-#define CHECK(r) \
-	do { \
-		result = (r); \
-		if (result != ISC_R_SUCCESS) \
-			goto cleanup; \
-	} while (0)
-
-#define MAXNAME (DNS_NAME_MAXTEXT+1)
-
-/* Variables used internally by delve. */
-char *progname;
-static isc_mem_t *mctx = NULL;
-static isc_log_t *lctx = NULL;
-
-/* Configurables */
-static char *server = NULL;
-static const char *port = "53";
-static isc_sockaddr_t *srcaddr4 = NULL, *srcaddr6 = NULL;
-static isc_sockaddr_t a4, a6;
-static char *curqname = NULL, *qname = NULL;
-static isc_boolean_t classset = ISC_FALSE;
-static dns_rdatatype_t qtype = dns_rdatatype_none;
-static isc_boolean_t typeset = ISC_FALSE;
-
-static unsigned int styleflags = 0;
-static isc_uint32_t splitwidth = 0xffffffff;
-static isc_boolean_t
-	showcomments = ISC_TRUE,
-	showdnssec = ISC_TRUE,
-	showtrust = ISC_TRUE,
-	rrcomments = ISC_TRUE,
-	noclass = ISC_FALSE,
-	nocrypto = ISC_FALSE,
-	nottl = ISC_FALSE,
-	multiline = ISC_FALSE,
-	short_form = ISC_FALSE;
-
-static isc_boolean_t
-	resolve_trace = ISC_FALSE,
-	validator_trace = ISC_FALSE,
-	message_trace = ISC_FALSE;
-
-static isc_boolean_t
-	use_ipv4 = ISC_TRUE,
-	use_ipv6 = ISC_TRUE;
-
-static isc_boolean_t
-	cdflag = ISC_FALSE,
-	no_sigs = ISC_FALSE,
-	root_validation = ISC_TRUE,
-	dlv_validation = ISC_TRUE;
-
-static char *anchorfile = NULL;
-static char *trust_anchor = NULL;
-static char *dlv_anchor = NULL;
-static int trusted_keys = 0;
-
-static dns_fixedname_t afn, dfn;
-static dns_name_t *anchor_name = NULL, *dlv_name = NULL;
-
-/* Default bind.keys contents */
-static char anchortext[] = MANAGED_KEYS;
-
-/*
- * Static function prototypes
- */
-static isc_result_t
-get_reverse(char *reverse, size_t len, char *value, isc_boolean_t strict);
-
-static isc_result_t
-parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
-	   const char *desc);
-
-static void
-usage(void) {
-	fputs(
-"Usage:  delve [@server] {q-opt} {d-opt} [domain] [q-type] [q-class]\n"
-"Where:  domain	  is in the Domain Name System\n"
-"        q-class  is one of (in,hs,ch,...) [default: in]\n"
-"        q-type   is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]\n"
-"        q-opt    is one of:\n"
-"                 -x dot-notation     (shortcut for reverse lookups)\n"
-"                 -d level            (set debugging level)\n"
-"                 -a anchor-file      (specify root and dlv trust anchors)\n"
-"                 -b address[#port]   (bind to source address/port)\n"
-"                 -p port             (specify port number)\n"
-"                 -q name             (specify query name)\n"
-"                 -t type             (specify query type)\n"
-"                 -c class            (specify query class)\n"
-"                 -4                  (use IPv4 query transport only)\n"
-"                 -6                  (use IPv6 query transport only)\n"
-"                 -i                  (disable DNSSEC validation)\n"
-"                 -m                  (enable memory usage debugging)\n"
-"        d-opt    is of the form +keyword[=value], where keyword is:\n"
-"                 +[no]all            (Set or clear all display flags)\n"
-"                 +[no]class          (Control display of class)\n"
-"                 +[no]crypto         (Control display of cryptographic\n"
-"                                      fields in records)\n"
-"                 +[no]multiline      (Print records in an expanded format)\n"
-"                 +[no]comments       (Control display of comment lines)\n"
-"                 +[no]rrcomments     (Control display of per-record "
-				       "comments)\n"
-"                 +[no]short          (Short form answer)\n"
-"                 +[no]split=##       (Split hex/base64 fields into chunks)\n"
-"                 +[no]ttl            (Control display of ttls in records)\n"
-"                 +[no]trust          (Control display of trust level)\n"
-"                 +[no]rtrace         (Trace resolver fetches)\n"
-"                 +[no]mtrace         (Trace messages received)\n"
-"                 +[no]vtrace         (Trace validation process)\n"
-"                 +[no]dlv            (DNSSEC lookaside validation anchor)\n"
-"                 +[no]root           (DNSSEC validation trust anchor)\n"
-"                 +[no]dnssec         (Display DNSSEC records)\n"
-"        -h                           (print help and exit)\n"
-"        -v                           (print version and exit)\n",
-	stderr);
-	exit(1);
-}
-
-ISC_PLATFORM_NORETURN_PRE static void
-fatal(const char *format, ...)
-ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
-
-static void
-fatal(const char *format, ...) {
-	va_list args;
-
-	fflush(stdout);
-	fprintf(stderr, "%s: ", progname);
-	va_start(args, format);
-	vfprintf(stderr, format, args);
-	va_end(args);
-	fprintf(stderr, "\n");
-	exit(1);
-}
-
-static void
-warn(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
-
-static void
-warn(const char *format, ...) {
-	va_list args;
-
-	fflush(stdout);
-	fprintf(stderr, "%s: warning: ", progname);
-	va_start(args, format);
-	vfprintf(stderr, format, args);
-	va_end(args);
-	fprintf(stderr, "\n");
-}
-
-static isc_logcategory_t categories[] = {
-	{ "delve",	     0 },
-	{ NULL,		     0 }
-};
-#define LOGCATEGORY_DEFAULT		(&categories[0])
-#define LOGMODULE_DEFAULT		(&modules[0])
-
-static isc_logmodule_t modules[] = {
-	{ "delve",	 		0 },
-	{ NULL, 			0 }
-};
-
-static void
-delve_log(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
-
-static void
-delve_log(int level, const char *fmt, ...) {
-	va_list ap;
-	char msgbuf[2048];
-
-	if (! isc_log_wouldlog(lctx, level))
-		return;
-
-	va_start(ap, fmt);
-
-	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
-	isc_log_write(lctx, LOGCATEGORY_DEFAULT, LOGMODULE_DEFAULT,
-		      level, "%s", msgbuf);
-	va_end(ap);
-}
-
-static int loglevel = 0;
-
-static void
-setup_logging(FILE *errout) {
-	isc_result_t result;
-	isc_logdestination_t destination;
-	isc_logconfig_t *logconfig = NULL;
-
-	result = isc_log_create(mctx, &lctx, &logconfig);
-	if (result != ISC_R_SUCCESS)
-		fatal("Couldn't set up logging");
-
-	isc_log_registercategories(lctx, categories);
-	isc_log_registermodules(lctx, modules);
-	isc_log_setcontext(lctx);
-	dns_log_init(lctx);
-	dns_log_setcontext(lctx);
-	cfg_log_init(lctx);
-
-	destination.file.stream = errout;
-	destination.file.name = NULL;
-	destination.file.versions = ISC_LOG_ROLLNEVER;
-	destination.file.maximum_size = 0;
-
-	result = isc_log_createchannel(logconfig, "stderr",
-				       ISC_LOG_TOFILEDESC, ISC_LOG_DYNAMIC,
-				       &destination, ISC_LOG_PRINTPREFIX);
-	if (result != ISC_R_SUCCESS)
-		fatal("Couldn't set up log channel 'stderr'");
-
-	isc_log_setdebuglevel(lctx, loglevel);
-
-	result = isc_log_settag(logconfig, ";; ");
-	if (result != ISC_R_SUCCESS)
-		fatal("Couldn't set log tag");
-
-	result = isc_log_usechannel(logconfig, "stderr",
-				    ISC_LOGCATEGORY_DEFAULT, NULL);
-	if (result != ISC_R_SUCCESS)
-		fatal("Couldn't attach to log channel 'stderr'");
-
-	if (resolve_trace && loglevel < 1) {
-		result = isc_log_createchannel(logconfig, "resolver",
-					       ISC_LOG_TOFILEDESC,
-					       ISC_LOG_DEBUG(1),
-					       &destination,
-					       ISC_LOG_PRINTPREFIX);
-		if (result != ISC_R_SUCCESS)
-			fatal("Couldn't set up log channel 'resolver'");
-
-		result = isc_log_usechannel(logconfig, "resolver",
-					    DNS_LOGCATEGORY_RESOLVER,
-					    DNS_LOGMODULE_RESOLVER);
-		if (result != ISC_R_SUCCESS)
-			fatal("Couldn't attach to log channel 'resolver'");
-	}
-
-	if (validator_trace && loglevel < 3) {
-		result = isc_log_createchannel(logconfig, "validator",
-					       ISC_LOG_TOFILEDESC,
-					       ISC_LOG_DEBUG(3),
-					       &destination,
-					       ISC_LOG_PRINTPREFIX);
-		if (result != ISC_R_SUCCESS)
-			fatal("Couldn't set up log channel 'validator'");
-
-		result = isc_log_usechannel(logconfig, "validator",
-					    DNS_LOGCATEGORY_DNSSEC,
-					    DNS_LOGMODULE_VALIDATOR);
-		if (result != ISC_R_SUCCESS)
-			fatal("Couldn't attach to log channel 'validator'");
-	}
-
-	if (message_trace && loglevel < 10) {
-		result = isc_log_createchannel(logconfig, "messages",
-					       ISC_LOG_TOFILEDESC,
-					       ISC_LOG_DEBUG(10),
-					       &destination,
-					       ISC_LOG_PRINTPREFIX);
-		if (result != ISC_R_SUCCESS)
-			fatal("Couldn't set up log channel 'messages'");
-
-		result = isc_log_usechannel(logconfig, "messages",
-					    DNS_LOGCATEGORY_RESOLVER,
-					    DNS_LOGMODULE_PACKETS);
-		if (result != ISC_R_SUCCESS)
-			fatal("Couldn't attach to log channel 'messagse'");
-	}
-}
-
-static void
-print_status(dns_rdataset_t *rdataset) {
-	const char *astr = "", *tstr = "";
-
-	REQUIRE(rdataset != NULL);
-
-	if (!showtrust || !dns_rdataset_isassociated(rdataset))
-		return;
-
-	if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
-		astr = "negative response, ";
-
-	switch (rdataset->trust) {
-	case dns_trust_none:
-		tstr = "untrusted";
-		break;
-	case dns_trust_pending_additional:
-		tstr = "signed additional data, pending validation";
-		break;
-	case dns_trust_pending_answer:
-		tstr = "signed answer, pending validation";
-		break;
-	case dns_trust_additional:
-		tstr = "unsigned additional data";
-		break;
-	case dns_trust_glue:
-		tstr = "glue data";
-		break;
-	case dns_trust_answer:
-		if (root_validation || dlv_validation)
-			tstr = "unsigned answer";
-		else
-			tstr = "answer not validated";
-		break;
-	case dns_trust_authauthority:
-		tstr = "authority data";
-		break;
-	case dns_trust_authanswer:
-		tstr = "authoritative";
-		break;
-	case dns_trust_secure:
-		tstr = "fully validated";
-		break;
-	case dns_trust_ultimate:
-		tstr = "ultimate trust";
-		break;
-	}
-
-	printf("; %s%s\n", astr, tstr);
-}
-
-static isc_result_t
-printdata(dns_rdataset_t *rdataset, dns_name_t *owner,
-	  dns_master_style_t *style)
-{
-	isc_result_t result = ISC_R_SUCCESS;
-	static dns_trust_t trust;
-	static isc_boolean_t first = ISC_TRUE;
-	isc_buffer_t target;
-	isc_region_t r;
-	char *t = NULL;
-	int len = 2048;
-
-	if (!dns_rdataset_isassociated(rdataset)) {
-		char namebuf[DNS_NAME_FORMATSIZE];
-		dns_name_format(owner, namebuf, sizeof(namebuf));
-		delve_log(ISC_LOG_DEBUG(4),
-			  "WARN: empty rdataset %s", namebuf);
-		return (ISC_R_SUCCESS);
-	}
-
-	if (!showdnssec && rdataset->type == dns_rdatatype_rrsig)
-		return (ISC_R_SUCCESS);
-
-	if (first || rdataset->trust != trust) {
-		if (!first && showtrust && !short_form)
-			putchar('\n');
-		print_status(rdataset);
-		trust = rdataset->trust;
-		first = ISC_FALSE;
-	}
-
-	do {
-		t = isc_mem_get(mctx, len);
-		if (t == NULL)
-			return (ISC_R_NOMEMORY);
-
-		isc_buffer_init(&target, t, len);
-		if (short_form) {
-			dns_rdata_t rdata = DNS_RDATA_INIT;
-			for (result = dns_rdataset_first(rdataset);
-			     result == ISC_R_SUCCESS;
-			     result = dns_rdataset_next(rdataset))
-			{
-				isc_region_t r;
-
-				if ((rdataset->attributes &
-				     DNS_RDATASETATTR_NEGATIVE) != 0)
-					continue;
-
-				dns_rdataset_current(rdataset, &rdata);
-				result = dns_rdata_tofmttext(&rdata,
-							     dns_rootname,
-							     styleflags,
-							     0, 60, " ",
-							     &target);
-				if (result != ISC_R_SUCCESS)
-					break;
-
-				isc_buffer_availableregion(&target, &r);
-				if (r.length < 1) {
-					result = ISC_R_NOSPACE;
-					break;
-				}
-
-				r.base[0] = '\n';
-				isc_buffer_add(&target, 1);
-
-				dns_rdata_reset(&rdata);
-			}
-		} else {
-			if ((rdataset->attributes &
-			     DNS_RDATASETATTR_NEGATIVE) != 0)
-				isc_buffer_putstr(&target, "; ");
-
-			result = dns_master_rdatasettotext(owner, rdataset,
-							   style, &target);
-		}
-
-		if (result == ISC_R_NOSPACE) {
-			isc_mem_put(mctx, t, len);
-			len += 1024;
-		} else if (result == ISC_R_NOMORE)
-			result = ISC_R_SUCCESS;
-		else
-			CHECK(result);
-	} while (result == ISC_R_NOSPACE);
-
-	isc_buffer_usedregion(&target, &r);
-	printf("%.*s", (int)r.length, (char *)r.base);
-
- cleanup:
-	if (t != NULL)
-		isc_mem_put(mctx, t, len);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-setup_style(dns_master_style_t **stylep) {
-	isc_result_t result;
-	dns_master_style_t *style = NULL;
-
-	REQUIRE(stylep != NULL || *stylep == NULL);
-
-	styleflags |= DNS_STYLEFLAG_REL_OWNER;
-	if (showcomments)
-		styleflags |= DNS_STYLEFLAG_COMMENT;
-	if (rrcomments)
-		styleflags |= DNS_STYLEFLAG_RRCOMMENT;
-	if (nottl)
-		styleflags |= DNS_STYLEFLAG_NO_TTL;
-	if (noclass)
-		styleflags |= DNS_STYLEFLAG_NO_CLASS;
-	if (nocrypto)
-		styleflags |= DNS_STYLEFLAG_NOCRYPTO;
-	if (multiline) {
-		styleflags |= DNS_STYLEFLAG_MULTILINE;
-		styleflags |= DNS_STYLEFLAG_COMMENT;
-	}
-
-	if (multiline || (nottl && noclass))
-		result = dns_master_stylecreate2(&style, styleflags,
-						 24, 24, 24, 32, 80, 8,
-						 splitwidth, mctx);
-	else if (nottl || noclass)
-		result = dns_master_stylecreate2(&style, styleflags,
-						 24, 24, 32, 40, 80, 8,
-						 splitwidth, mctx);
-	else
-		result = dns_master_stylecreate2(&style, styleflags,
-						 24, 32, 40, 48, 80, 8,
-						 splitwidth, mctx);
-
-	if (result == ISC_R_SUCCESS)
-		*stylep = style;
-	return (result);
-}
-
-static isc_result_t
-convert_name(dns_fixedname_t *fn, dns_name_t **name, const char *text) {
-	isc_result_t result;
-	isc_buffer_t b;
-	dns_name_t *n;
-	size_t len;
-
-	REQUIRE(fn != NULL && name != NULL && text != NULL);
-	len = strlen(text);
-
-	isc_buffer_constinit(&b, text, len);
-	isc_buffer_add(&b, len);
-	dns_fixedname_init(fn);
-	n = dns_fixedname_name(fn);
-
-	result = dns_name_fromtext(n, &b, dns_rootname, 0, NULL);
-	if (result != ISC_R_SUCCESS) {
-		delve_log(ISC_LOG_ERROR, "failed to convert QNAME %s: %s",
-			  text, isc_result_totext(result));
-		return (result);
-	}
-
-	*name = n;
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
-	dns_rdata_dnskey_t keystruct;
-	isc_uint32_t flags, proto, alg;
-	const char *keystr, *keynamestr;
-	unsigned char keydata[4096];
-	isc_buffer_t keydatabuf;
-	unsigned char rrdata[4096];
-	isc_buffer_t rrdatabuf;
-	isc_region_t r;
-	dns_fixedname_t fkeyname;
-	dns_name_t *keyname;
-	isc_result_t result;
-	isc_boolean_t match_root, match_dlv;
-
-	keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
-	CHECK(convert_name(&fkeyname, &keyname, keynamestr));
-
-	if (!root_validation && !dlv_validation)
-		return (ISC_R_SUCCESS);
-
-	match_root = dns_name_equal(keyname, anchor_name);
-	match_dlv = dns_name_equal(keyname, dlv_name);
-
-	if (!match_root && !match_dlv)
-		return (ISC_R_SUCCESS);
-	if ((!root_validation && match_root) || (!dlv_validation && match_dlv))
-		return (ISC_R_SUCCESS);
-
-	if (match_root)
-		delve_log(ISC_LOG_DEBUG(3), "adding trust anchor %s",
-			  trust_anchor);
-	if (match_dlv)
-		delve_log(ISC_LOG_DEBUG(3), "adding DLV trust anchor %s",
-			  dlv_anchor);
-
-	flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
-	proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
-	alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
-
-	keystruct.common.rdclass = dns_rdataclass_in;
-	keystruct.common.rdtype = dns_rdatatype_dnskey;
-	/*
-	 * The key data in keystruct is not dynamically allocated.
-	 */
-	keystruct.mctx = NULL;
-
-	ISC_LINK_INIT(&keystruct.common, link);
-
-	if (flags > 0xffff)
-		CHECK(ISC_R_RANGE);
-	if (proto > 0xff)
-		CHECK(ISC_R_RANGE);
-	if (alg > 0xff)
-		CHECK(ISC_R_RANGE);
-
-	keystruct.flags = (isc_uint16_t)flags;
-	keystruct.protocol = (isc_uint8_t)proto;
-	keystruct.algorithm = (isc_uint8_t)alg;
-
-	isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
-	isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
-
-	keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
-	CHECK(isc_base64_decodestring(keystr, &keydatabuf));
-	isc_buffer_usedregion(&keydatabuf, &r);
-	keystruct.datalen = r.length;
-	keystruct.data = r.base;
-
-	CHECK(dns_rdata_fromstruct(NULL,
-				   keystruct.common.rdclass,
-				   keystruct.common.rdtype,
-				   &keystruct, &rrdatabuf));
-
-	CHECK(dns_client_addtrustedkey(client, dns_rdataclass_in,
-				       keyname, &rrdatabuf));
-	trusted_keys++;
-
- cleanup:
-	if (result == DST_R_NOCRYPTO)
-		cfg_obj_log(key, lctx, ISC_LOG_ERROR, "no crypto support");
-	else if (result == DST_R_UNSUPPORTEDALG) {
-		cfg_obj_log(key, lctx, ISC_LOG_WARNING,
-			    "skipping trusted key '%s': %s",
-			    keynamestr, isc_result_totext(result));
-		result = ISC_R_SUCCESS;
-	} else if (result != ISC_R_SUCCESS) {
-		cfg_obj_log(key, lctx, ISC_LOG_ERROR,
-			    "failed to add trusted key '%s': %s",
-			    keynamestr, isc_result_totext(result));
-		result = ISC_R_FAILURE;
-	}
-
-	return (result);
-}
-
-static isc_result_t
-load_keys(const cfg_obj_t *keys, dns_client_t *client) {
-	const cfg_listelt_t *elt, *elt2;
-	const cfg_obj_t *key, *keylist;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	for (elt = cfg_list_first(keys);
-	     elt != NULL;
-	     elt = cfg_list_next(elt))
-	{
-		keylist = cfg_listelt_value(elt);
-
-		for (elt2 = cfg_list_first(keylist);
-		     elt2 != NULL;
-		     elt2 = cfg_list_next(elt2))
-		{
-			key = cfg_listelt_value(elt2);
-			CHECK(key_fromconfig(key, client));
-		}
-	}
-
- cleanup:
-	if (result == DST_R_NOCRYPTO)
-		result = ISC_R_SUCCESS;
-	return (result);
-}
-
-static isc_result_t
-setup_dnsseckeys(dns_client_t *client) {
-	isc_result_t result;
-	cfg_parser_t *parser = NULL;
-	const cfg_obj_t *keys = NULL;
-	const cfg_obj_t *managed_keys = NULL;
-	cfg_obj_t *bindkeys = NULL;
-	const char *filename = anchorfile;
-
-	if (!root_validation && !dlv_validation)
-		return (ISC_R_SUCCESS);
-
-	if (filename == NULL)
-		filename = SYSCONFDIR "/bind.keys";
-
-	if (trust_anchor == NULL)
-		trust_anchor = isc_mem_strdup(mctx, ".");
-	if (dlv_anchor == NULL)
-		dlv_anchor = isc_mem_strdup(mctx, "dlv.isc.org");
-
-	CHECK(convert_name(&afn, &anchor_name, trust_anchor));
-	CHECK(convert_name(&dfn, &dlv_name, dlv_anchor));
-
-	CHECK(cfg_parser_create(mctx, dns_lctx, &parser));
-
-	if (access(filename, R_OK) != 0) {
-		if (anchorfile != NULL)
-			fatal("Unable to read key file '%s'", anchorfile);
-	} else {
-		result = cfg_parse_file(parser, filename,
-					&cfg_type_bindkeys, &bindkeys);
-		if (result != ISC_R_SUCCESS)
-			if (anchorfile != NULL)
-				fatal("Unable to load keys from '%s'",
-				      anchorfile);
-	}
-
-	if (bindkeys == NULL) {
-		isc_buffer_t b;
-
-		isc_buffer_init(&b, anchortext, sizeof(anchortext) - 1);
-		isc_buffer_add(&b, sizeof(anchortext) - 1);
-		result = cfg_parse_buffer(parser, &b, &cfg_type_bindkeys,
-					  &bindkeys);
-		if (result != ISC_R_SUCCESS)
-			fatal("Unable to parse built-in keys");
-	}
-
-	INSIST(bindkeys != NULL);
-	cfg_map_get(bindkeys, "trusted-keys", &keys);
-	cfg_map_get(bindkeys, "managed-keys", &managed_keys);
-
-	if (keys != NULL)
-		CHECK(load_keys(keys, client));
-	if (managed_keys != NULL)
-		CHECK(load_keys(managed_keys, client));
-	result = ISC_R_SUCCESS;
-
-	if (trusted_keys == 0)
-		fatal("No trusted keys were loaded");
-
-	if (dlv_validation)
-		dns_client_setdlv(client, dns_rdataclass_in, dlv_anchor);
-
- cleanup:
-	if (result != ISC_R_SUCCESS)
-		delve_log(ISC_LOG_ERROR, "setup_dnsseckeys: %s",
-			  isc_result_totext(result));
-	return (result);
-}
-
-static isc_result_t
-addserver(dns_client_t *client) {
-	struct addrinfo hints, *res, *cur;
-	int gai_error;
-	struct in_addr in4;
-	struct in6_addr in6;
-	isc_sockaddr_t *sa;
-	isc_sockaddrlist_t servers;
-	isc_uint32_t destport;
-	isc_result_t result;
-	dns_name_t *name = NULL;
-
-	result = parse_uint(&destport, port, 0xffff, "port");
-	if (result != ISC_R_SUCCESS)
-		fatal("Couldn't parse port number");
-
-	ISC_LIST_INIT(servers);
-
-	if (use_ipv4 && inet_pton(AF_INET, server, &in4) == 1) {
-		sa = isc_mem_get(mctx, sizeof(*sa));
-		if (sa == NULL)
-			return (ISC_R_NOMEMORY);
-		ISC_LINK_INIT(sa, link);
-		isc_sockaddr_fromin(sa, &in4, destport);
-		ISC_LIST_APPEND(servers, sa, link);
-	} else if (use_ipv6 && inet_pton(AF_INET6, server, &in6) == 1) {
-		sa = isc_mem_get(mctx, sizeof(*sa));
-		if (sa == NULL)
-			return (ISC_R_NOMEMORY);
-		ISC_LINK_INIT(sa, link);
-		isc_sockaddr_fromin6(sa, &in6, destport);
-		ISC_LIST_APPEND(servers, sa, link);
-	} else {
-		memset(&hints, 0, sizeof(hints));
-		if (!use_ipv6)
-			hints.ai_family = AF_INET;
-		else if (!use_ipv4)
-			hints.ai_family = AF_INET6;
-		else
-			hints.ai_family = AF_UNSPEC;
-		hints.ai_socktype = SOCK_DGRAM;
-		hints.ai_protocol = IPPROTO_UDP;
-		gai_error = getaddrinfo(server, port, &hints, &res);
-		if (gai_error != 0) {
-			delve_log(ISC_LOG_ERROR,
-				  "getaddrinfo failed: %s",
-				  gai_strerror(gai_error));
-			return (ISC_R_FAILURE);
-		}
-
-		result = ISC_R_SUCCESS;
-		for (cur = res; cur != NULL; cur = cur->ai_next) {
-			if (cur->ai_family != AF_INET &&
-			    cur->ai_family != AF_INET6)
-				continue;
-			sa = isc_mem_get(mctx, sizeof(*sa));
-			if (sa == NULL) {
-				result = ISC_R_NOMEMORY;
-				break;
-			}
-			memset(sa, 0, sizeof(*sa));
-			ISC_LINK_INIT(sa, link);
-			memmove(&sa->type, cur->ai_addr, cur->ai_addrlen);
-			sa->length = cur->ai_addrlen;
-			ISC_LIST_APPEND(servers, sa, link);
-		}
-		freeaddrinfo(res);
-		CHECK(result);
-	}
-
-
-	CHECK(dns_client_setservers(client, dns_rdataclass_in, name, &servers));
-
- cleanup:
-	while (!ISC_LIST_EMPTY(servers)) {
-		sa = ISC_LIST_HEAD(servers);
-		ISC_LIST_UNLINK(servers, sa, link);
-		isc_mem_put(mctx, sa, sizeof(*sa));
-	}
-
-	if (result != ISC_R_SUCCESS)
-		delve_log(ISC_LOG_ERROR, "addserver: %s",
-			  isc_result_totext(result));
-
-	return (result);
-}
-
-static isc_result_t
-findserver(dns_client_t *client) {
-	isc_result_t result;
-	irs_resconf_t *resconf = NULL;
-	isc_sockaddrlist_t *nameservers;
-	isc_sockaddr_t *sa, *next;
-	isc_uint32_t destport;
-
-	result = parse_uint(&destport, port, 0xffff, "port");
-	if (result != ISC_R_SUCCESS)
-		fatal("Couldn't parse port number");
-
-	result = irs_resconf_load(mctx, "/etc/resolv.conf", &resconf);
-	if (result != ISC_R_SUCCESS && result != ISC_R_FILENOTFOUND) {
-		delve_log(ISC_LOG_ERROR, "irs_resconf_load: %s",
-			  isc_result_totext(result));
-		goto cleanup;
-	}
-
-	/* Get nameservers from resolv.conf */
-	nameservers = irs_resconf_getnameservers(resconf);
-	for (sa = ISC_LIST_HEAD(*nameservers); sa != NULL; sa = next) {
-		next = ISC_LIST_NEXT(sa, link);
-
-		/* Set destination port */
-		if (sa->type.sa.sa_family == AF_INET && use_ipv4) {
-			sa->type.sin.sin_port = htons(destport);
-			continue;
-		}
-		if (sa->type.sa.sa_family == AF_INET6 && use_ipv6) {
-			sa->type.sin6.sin6_port = htons(destport);
-			continue;
-		}
-
-		/* Incompatible protocol family */
-		ISC_LIST_UNLINK(*nameservers, sa, link);
-		isc_mem_put(mctx, sa, sizeof(*sa));
-	}
-
-	/* None found, use localhost */
-	if (ISC_LIST_EMPTY(*nameservers)) {
-		if (use_ipv4) {
-			struct in_addr localhost;
-			localhost.s_addr = htonl(INADDR_LOOPBACK);
-			sa = isc_mem_get(mctx, sizeof(*sa));
-			if (sa == NULL) {
-				result = ISC_R_NOMEMORY;
-				goto cleanup;
-			}
-			isc_sockaddr_fromin(sa, &localhost, destport);
-
-			ISC_LINK_INIT(sa, link);
-			ISC_LIST_APPEND(*nameservers, sa, link);
-		}
-
-		if (use_ipv6) {
-			sa = isc_mem_get(mctx, sizeof(*sa));
-			if (sa == NULL) {
-				result = ISC_R_NOMEMORY;
-				goto cleanup;
-			}
-			isc_sockaddr_fromin6(sa, &in6addr_loopback, destport);
-
-			ISC_LINK_INIT(sa, link);
-			ISC_LIST_APPEND(*nameservers, sa, link);
-		}
-	}
-
-	result = dns_client_setservers(client, dns_rdataclass_in, NULL,
-				       nameservers);
-	if (result != ISC_R_SUCCESS)
-		delve_log(ISC_LOG_ERROR, "dns_client_setservers: %s",
-			  isc_result_totext(result));
-
-cleanup:
-	if (resconf != NULL)
-		irs_resconf_destroy(&resconf);
-	return (result);
-}
-
-static char *
-next_token(char **stringp, const char *delim) {
-	char *res;
-
-	do {
-		res = strsep(stringp, delim);
-		if (res == NULL)
-			break;
-	} while (*res == '\0');
-	return (res);
-}
-
-static isc_result_t
-parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
-	   const char *desc) {
-	isc_uint32_t n;
-	isc_result_t result = isc_parse_uint32(&n, value, 10);
-	if (result == ISC_R_SUCCESS && n > max)
-		result = ISC_R_RANGE;
-	if (result != ISC_R_SUCCESS) {
-		printf("invalid %s '%s': %s\n", desc,
-		       value, isc_result_totext(result));
-		return (result);
-	}
-	*uip = n;
-	return (ISC_R_SUCCESS);
-}
-
-static void
-plus_option(char *option) {
-	isc_result_t result;
-	char option_store[256];
-	char *cmd, *value, *ptr;
-	isc_boolean_t state = ISC_TRUE;
-
-	strncpy(option_store, option, sizeof(option_store));
-	option_store[sizeof(option_store)-1]=0;
-	ptr = option_store;
-	cmd = next_token(&ptr,"=");
-	if (cmd == NULL) {
-		printf(";; Invalid option %s\n", option_store);
-		return;
-	}
-	value = ptr;
-	if (strncasecmp(cmd, "no", 2)==0) {
-		cmd += 2;
-		state = ISC_FALSE;
-	}
-
-#define FULLCHECK(A) \
-	do { \
-		size_t _l = strlen(cmd); \
-		if (_l >= sizeof(A) || strncasecmp(cmd, A, _l) != 0) \
-			goto invalid_option; \
-	} while (0)
-
-	switch (cmd[0]) {
-	case 'a': /* all */
-		FULLCHECK("all");
-		showcomments = state;
-		rrcomments = state;
-		showtrust = state;
-		break;
-	case 'c':
-		switch (cmd[1]) {
-		case 'd': /* cdflag */
-			FULLCHECK("cdflag");
-			cdflag = state;
-			break;
-		case 'l': /* class */
-			FULLCHECK("class");
-			noclass = ISC_TF(!state);
-			break;
-		case 'o': /* comments */
-			FULLCHECK("comments");
-			showcomments = state;
-			break;
-		case 'r': /* crypto */
-			FULLCHECK("crypto");
-			nocrypto = ISC_TF(!state);
-			break;
-		default:
-			goto invalid_option;
-		}
-		break;
-	case 'd':
-		switch (cmd[1]) {
-		case 'l': /* dlv */
-			FULLCHECK("dlv");
-			if (state && no_sigs)
-				break;
-			dlv_validation = state;
-			if (value != NULL)
-				dlv_anchor = isc_mem_strdup(mctx, value);
-			break;
-		case 'n': /* dnssec */
-			FULLCHECK("dnssec");
-			showdnssec = state;
-			break;
-		default:
-			goto invalid_option;
-		}
-		break;
-	case 'm':
-		switch (cmd[1]) {
-		case 't': /* mtrace */
-			message_trace = state;
-			if (state)
-				resolve_trace = state;
-			break;
-		case 'u': /* multiline */
-			FULLCHECK("multiline");
-			multiline = state;
-			break;
-		default:
-			goto invalid_option;
-		}
-		break;
-	case 'r':
-		switch (cmd[1]) {
-		case 'o': /* root */
-			FULLCHECK("root");
-			if (state && no_sigs)
-				break;
-			root_validation = state;
-			if (value != NULL)
-				trust_anchor = isc_mem_strdup(mctx, value);
-			break;
-		case 'r': /* rrcomments */
-			FULLCHECK("rrcomments");
-			rrcomments = state;
-			break;
-		case 't': /* rtrace */
-			FULLCHECK("rtrace");
-			resolve_trace = state;
-			break;
-		default:
-			goto invalid_option;
-		}
-		break;
-	case 's':
-		switch (cmd[1]) {
-		case 'h': /* short */
-			FULLCHECK("short");
-			short_form = state;
-			if (short_form) {
-				multiline = ISC_FALSE;
-				showcomments = ISC_FALSE;
-				showtrust = ISC_FALSE;
-				showdnssec = ISC_FALSE;
-			}
-			break;
-		case 'p': /* split */
-			FULLCHECK("split");
-			if (value != NULL && !state)
-				goto invalid_option;
-			if (!state) {
-				splitwidth = 0;
-				break;
-			} else if (value == NULL)
-				break;
-
-			result = parse_uint(&splitwidth, value,
-					    1023, "split");
-			if (splitwidth % 4 != 0) {
-				splitwidth = ((splitwidth + 3) / 4) * 4;
-				warn("split must be a multiple of 4; "
-				     "adjusting to %d", splitwidth);
-			}
-			/*
-			 * There is an adjustment done in the
-			 * totext_<rrtype>() functions which causes
-			 * splitwidth to shrink.  This is okay when we're
-			 * using the default width but incorrect in this
-			 * case, so we correct for it
-			 */
-			if (splitwidth)
-				splitwidth += 3;
-			if (result != ISC_R_SUCCESS)
-				fatal("Couldn't parse split");
-			break;
-		default:
-			goto invalid_option;
-		}
-		break;
-	case 't':
-		switch (cmd[1]) {
-		case 'r': /* trust */
-			FULLCHECK("trust");
-			showtrust = state;
-			break;
-		case 't': /* ttl */
-			FULLCHECK("ttl");
-			nottl = ISC_TF(!state);
-			break;
-		default:
-			goto invalid_option;
-		}
-		break;
-	case 'v': /* vtrace */
-		FULLCHECK("vtrace");
-		validator_trace = state;
-		if (state)
-			resolve_trace = state;
-		break;
-	default:
-	invalid_option:
-		/*
-		 * We can also add a "need_value:" case here if we ever
-		 * add a plus-option that requires a specified value
-		 */
-		fprintf(stderr, "Invalid option: +%s\n", option);
-		usage();
-	}
-	return;
-}
-
-/*
- * options: "46a:b:c:d:himp:q:t:vx:";
- */
-static const char *single_dash_opts = "46himv";
-static isc_boolean_t
-dash_option(char *option, char *next, isc_boolean_t *open_type_class) {
-	char opt, *value;
-	isc_result_t result;
-	isc_boolean_t value_from_next;
-	isc_textregion_t tr;
-	dns_rdatatype_t rdtype;
-	dns_rdataclass_t rdclass;
-	char textname[MAXNAME];
-	struct in_addr in4;
-	struct in6_addr in6;
-	in_port_t srcport;
-	isc_uint32_t num;
-	char *hash;
-
-	while (strpbrk(option, single_dash_opts) == &option[0]) {
-		/*
-		 * Since the -[46himv] options do not take an argument,
-		 * account for them (in any number and/or combination)
-		 * if they appear as the first character(s) of a q-opt.
-		 */
-		opt = option[0];
-		switch (opt) {
-		case '4':
-			if (isc_net_probeipv4() != ISC_R_SUCCESS)
-				fatal("IPv4 networking not available");
-			if (use_ipv6) {
-				isc_net_disableipv6();
-				use_ipv6 = ISC_FALSE;
-			}
-			break;
-		case '6':
-			if (isc_net_probeipv6() != ISC_R_SUCCESS)
-				fatal("IPv6 networking not available");
-			if (use_ipv4) {
-				isc_net_disableipv4();
-				use_ipv4 = ISC_FALSE;
-			}
-			break;
-		case 'h':
-			usage();
-			exit(0);
-			/* NOTREACHED */
-		case 'i':
-			no_sigs = ISC_TRUE;
-			dlv_validation = ISC_FALSE;
-			root_validation = ISC_FALSE;
-			break;
-		case 'm':
-			/* handled in preparse_args() */
-			break;
-		case 'v':
-			fputs("delve " VERSION "\n", stderr);
-			exit(0);
-			/* NOTREACHED */
-		default:
-			INSIST(0);
-		}
-		if (strlen(option) > 1U)
-			option = &option[1];
-		else
-			return (ISC_FALSE);
-	}
-	opt = option[0];
-	if (strlen(option) > 1U) {
-		value_from_next = ISC_FALSE;
-		value = &option[1];
-	} else {
-		value_from_next = ISC_TRUE;
-		value = next;
-	}
-	if (value == NULL)
-		goto invalid_option;
-	switch (opt) {
-	case 'a':
-		anchorfile = isc_mem_strdup(mctx, value);
-		return (value_from_next);
-	case 'b':
-		hash = strchr(value, '#');
-		if (hash != NULL) {
-			result = parse_uint(&num, hash + 1, 0xffff, "port");
-			if (result != ISC_R_SUCCESS)
-				fatal("Couldn't parse port number");
-			srcport = num;
-			*hash = '\0';
-		} else
-			srcport = 0;
-
-		if (inet_pton(AF_INET, value, &in4) == 1) {
-			if (srcaddr4 != NULL)
-				fatal("Only one local address per family "
-				      "can be specified\n");
-			isc_sockaddr_fromin(&a4, &in4, srcport);
-			srcaddr4 = &a4;
-		} else if (inet_pton(AF_INET6, value, &in6) == 1) {
-			if (srcaddr6 != NULL)
-				fatal("Only one local address per family "
-				      "can be specified\n");
-			isc_sockaddr_fromin6(&a6, &in6, srcport);
-			srcaddr6 = &a6;
-		} else {
-			if (hash != NULL)
-				*hash = '#';
-			fatal("Invalid address %s", value);
-		}
-		if (hash != NULL)
-			*hash = '#';
-		return (value_from_next);
-	case 'c':
-		if (classset)
-			warn("extra query class");
-
-		*open_type_class = ISC_FALSE;
-		tr.base = value;
-		tr.length = strlen(value);
-		result = dns_rdataclass_fromtext(&rdclass,
-						 (isc_textregion_t *)&tr);
-		if (result == ISC_R_SUCCESS)
-			classset = ISC_TRUE;
-		else if (rdclass != dns_rdataclass_in)
-			warn("ignoring non-IN query class");
-		else
-			warn("ignoring invalid class");
-		return (value_from_next);
-	case 'd':
-		result = parse_uint(&num, value, 99, "debug level");
-		if (result != ISC_R_SUCCESS)
-			fatal("Couldn't parse debug level");
-		loglevel = num;
-		return (value_from_next);
-	case 'p':
-		port = value;
-		return (value_from_next);
-	case 'q':
-		if (qname != NULL) {
-			warn("extra query name");
-			isc_mem_free(mctx, qname);
-		}
-		curqname = value;
-		return (value_from_next);
-	case 't':
-		*open_type_class = ISC_FALSE;
-		tr.base = value;
-		tr.length = strlen(value);
-		result = dns_rdatatype_fromtext(&rdtype,
-					(isc_textregion_t *)&tr);
-		if (result == ISC_R_SUCCESS) {
-			if (typeset)
-				warn("extra query type");
-			if (rdtype == dns_rdatatype_ixfr ||
-			    rdtype == dns_rdatatype_axfr)
-				fatal("Transfer not supported");
-			qtype = rdtype;
-			typeset = ISC_TRUE;
-		} else
-			warn("ignoring invalid type");
-		return (value_from_next);
-	case 'x':
-		result = get_reverse(textname, sizeof(textname), value,
-				     ISC_FALSE);
-		if (result == ISC_R_SUCCESS) {
-			if (curqname != NULL)
-				warn("extra query name");
-			curqname = isc_mem_strdup(mctx, textname);
-			if (typeset)
-				warn("extra query type");
-			qtype = dns_rdatatype_ptr;
-			typeset = ISC_TRUE;
-		} else {
-			fprintf(stderr, "Invalid IP address %s\n", value);
-			exit(1);
-		}
-		return (value_from_next);
-	invalid_option:
-	default:
-		fprintf(stderr, "Invalid option: -%s\n", option);
-		usage();
-	}
-	/* NOTREACHED */
-	return (ISC_FALSE);
-}
-
-/*
- * Check for -m first to determine whether to enable
- * memory debugging when setting up the memory context.
- */
-static void
-preparse_args(int argc, char **argv) {
-	char *option;
-
-	for (argc--, argv++; argc > 0; argc--, argv++) {
-		if (argv[0][0] != '-')
-			continue;
-		option = &argv[0][1];
-		while (strpbrk(option, single_dash_opts) == &option[0]) {
-			if (option[0] == 'm') {
-				isc_mem_debugging = ISC_MEM_DEBUGTRACE |
-					ISC_MEM_DEBUGRECORD;
-				return;
-			}
-			option = &option[1];
-		}
-	}
-}
-
-/*
- * Argument parsing is based on dig, but simplified: only one
- * QNAME/QCLASS/QTYPE tuple can be specified, and options have
- * been removed that aren't applicable to delve. The interface
- * should be familiar to dig users, however.
- */
-static void
-parse_args(int argc, char **argv) {
-	isc_result_t result;
-	isc_textregion_t tr;
-	dns_rdatatype_t rdtype;
-	dns_rdataclass_t rdclass;
-	isc_boolean_t open_type_class = ISC_TRUE;
-
-	for (; argc > 0; argc--, argv++) {
-		if (argv[0][0] == '@') {
-			server = &argv[0][1];
-		} else if (argv[0][0] == '+') {
-			plus_option(&argv[0][1]);
-		} else if (argv[0][0] == '-') {
-			if (argc <= 1) {
-				if (dash_option(&argv[0][1], NULL,
-						&open_type_class))
-				{
-					argc--;
-					argv++;
-				}
-			} else {
-				if (dash_option(&argv[0][1], argv[1],
-						&open_type_class))
-				{
-					argc--;
-					argv++;
-				}
-			}
-		} else {
-			/*
-			 * Anything which isn't an option
-			 */
-			if (open_type_class) {
-				tr.base = argv[0];
-				tr.length = strlen(argv[0]);
-				result = dns_rdatatype_fromtext(&rdtype,
-					(isc_textregion_t *)&tr);
-				if (result == ISC_R_SUCCESS) {
-					if (typeset)
-						warn("extra query type");
-					if (rdtype == dns_rdatatype_ixfr ||
-					    rdtype == dns_rdatatype_axfr)
-						fatal("Transfer not supported");
-					qtype = rdtype;
-					typeset = ISC_TRUE;
-					continue;
-				}
-				result = dns_rdataclass_fromtext(&rdclass,
-						     (isc_textregion_t *)&tr);
-				if (result == ISC_R_SUCCESS) {
-					if (classset)
-						warn("extra query class");
-					else if (rdclass != dns_rdataclass_in)
-						warn("ignoring non-IN "
-						     "query class");
-					continue;
-				}
-			}
-
-			if (curqname == NULL)
-				curqname = argv[0];
-		}
-	}
-
-	/*
-	 * If no qname or qtype specified, search for root/NS
-	 * If no qtype specified, use A
-	 */
-	if (!typeset)
-		qtype = dns_rdatatype_a;
-
-	if (curqname == NULL) {
-		qname = isc_mem_strdup(mctx, ".");
-		if (!typeset)
-			qtype = dns_rdatatype_ns;
-	} else
-		qname = isc_mem_strdup(mctx, curqname);
-}
-
-static isc_result_t
-append_str(const char *text, int len, char **p, char *end) {
-	if (len > end - *p)
-		return (ISC_R_NOSPACE);
-	memmove(*p, text, len);
-	*p += len;
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-reverse_octets(const char *in, char **p, char *end) {
-	char *dot = strchr(in, '.');
-	int len;
-	if (dot != NULL) {
-		isc_result_t result;
-		result = reverse_octets(dot + 1, p, end);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		result = append_str(".", 1, p, end);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		len = (int)(dot - in);
-	} else
-		len = strlen(in);
-	return (append_str(in, len, p, end));
-}
-
-static isc_result_t
-get_reverse(char *reverse, size_t len, char *value, isc_boolean_t strict) {
-	int r;
-	isc_result_t result;
-	isc_netaddr_t addr;
-
-	addr.family = AF_INET6;
-	r = inet_pton(AF_INET6, value, &addr.type.in6);
-	if (r > 0) {
-		/* This is a valid IPv6 address. */
-		dns_fixedname_t fname;
-		dns_name_t *name;
-		unsigned int options = 0;
-
-		dns_fixedname_init(&fname);
-		name = dns_fixedname_name(&fname);
-		result = dns_byaddr_createptrname2(&addr, options, name);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		dns_name_format(name, reverse, (unsigned int)len);
-		return (ISC_R_SUCCESS);
-	} else {
-		/*
-		 * Not a valid IPv6 address.  Assume IPv4.
-		 * If 'strict' is not set, construct the
-		 * in-addr.arpa name by blindly reversing
-		 * octets whether or not they look like integers,
-		 * so that this can be used for RFC2317 names
-		 * and such.
-		 */
-		char *p = reverse;
-		char *end = reverse + len;
-		if (strict && inet_pton(AF_INET, value, &addr.type.in) != 1)
-			return (DNS_R_BADDOTTEDQUAD);
-		result = reverse_octets(value, &p, end);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		result = append_str(".in-addr.arpa.", 15, &p, end);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		return (ISC_R_SUCCESS);
-	}
-}
-
-int
-main(int argc, char *argv[]) {
-	dns_client_t *client = NULL;
-	isc_result_t result;
-	dns_fixedname_t qfn;
-	dns_name_t *query_name, *response_name;
-	dns_rdataset_t *rdataset;
-	dns_namelist_t namelist;
-	unsigned int resopt;
-	isc_appctx_t *actx = NULL;
-	isc_taskmgr_t *taskmgr = NULL;
-	isc_socketmgr_t *socketmgr = NULL;
-	isc_timermgr_t *timermgr = NULL;
-	dns_master_style_t *style = NULL;
-	struct sigaction sa;
-
-	preparse_args(argc, argv);
-	progname = argv[0];
-
-	argc -= optind;
-	argv += optind;
-
-	isc_lib_register();
-	result = dns_lib_init();
-	if (result != ISC_R_SUCCESS)
-		fatal("dns_lib_init failed: %d", result);
-
-	result = isc_mem_create(0, 0, &mctx);
-	if (result != ISC_R_SUCCESS)
-		fatal("failed to create mctx");
-
-	CHECK(isc_appctx_create(mctx, &actx));
-	CHECK(isc_taskmgr_createinctx(mctx, actx, 1, 0, &taskmgr));
-	CHECK(isc_socketmgr_createinctx(mctx, actx, &socketmgr));
-	CHECK(isc_timermgr_createinctx(mctx, actx, &timermgr));
-
-	parse_args(argc, argv);
-
-	CHECK(setup_style(&style));
-
-	setup_logging(stderr);
-
-	CHECK(isc_app_ctxstart(actx));
-
-	/* Unblock SIGINT if it's been blocked by isc_app_ctxstart() */
-	memset(&sa, 0, sizeof(sa));
-	sa.sa_handler = SIG_DFL;
-	if (sigfillset(&sa.sa_mask) != 0 || sigaction(SIGINT, &sa, NULL) < 0)
-		fatal("Couldn't set up signal handler");
-
-	/* Create client */
-	result = dns_client_createx2(mctx, actx, taskmgr, socketmgr, timermgr,
-				     0, &client, srcaddr4, srcaddr6);
-	if (result != ISC_R_SUCCESS) {
-		delve_log(ISC_LOG_ERROR, "dns_client_create: %s",
-			  isc_result_totext(result));
-		goto cleanup;
-	}
-
-	/* Set the nameserver */
-	if (server != NULL)
-		addserver(client);
-	else
-		findserver(client);
-
-	CHECK(setup_dnsseckeys(client));
-
-	/* Construct QNAME */
-	convert_name(&qfn, &query_name, qname);
-
-	/* Set up resolution options */
-	resopt = DNS_CLIENTRESOPT_ALLOWRUN | DNS_CLIENTRESOPT_NOCDFLAG;
-	if (no_sigs)
-		resopt |= DNS_CLIENTRESOPT_NODNSSEC;
-	if (!root_validation && !dlv_validation)
-		resopt |= DNS_CLIENTRESOPT_NOVALIDATE;
-	if (cdflag)
-		resopt &= ~DNS_CLIENTRESOPT_NOCDFLAG;
-
-	/* Perform resolution */
-	ISC_LIST_INIT(namelist);
-	result = dns_client_resolve(client, query_name, dns_rdataclass_in,
-				    qtype, resopt, &namelist);
-	if (result != ISC_R_SUCCESS)
-		delve_log(ISC_LOG_ERROR, "resolution failed: %s",
-			  isc_result_totext(result));
-
-	for (response_name = ISC_LIST_HEAD(namelist);
-	     response_name != NULL;
-	     response_name = ISC_LIST_NEXT(response_name, link)) {
-		for (rdataset = ISC_LIST_HEAD(response_name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-			result = printdata(rdataset, response_name, style);
-			if (result != ISC_R_SUCCESS)
-				delve_log(ISC_LOG_ERROR, "print data failed");
-		}
-	}
-
-	dns_client_freeresanswer(client, &namelist);
-
-cleanup:
-	if (dlv_anchor != NULL)
-		isc_mem_free(mctx, dlv_anchor);
-	if (trust_anchor != NULL)
-		isc_mem_free(mctx, trust_anchor);
-	if (anchorfile != NULL)
-		isc_mem_free(mctx, anchorfile);
-	if (qname != NULL)
-		isc_mem_free(mctx, qname);
-	if (style != NULL)
-		dns_master_styledestroy(&style, mctx);
-	if (client != NULL)
-		dns_client_destroy(&client);
-	if (taskmgr != NULL)
-		isc_taskmgr_destroy(&taskmgr);
-	if (timermgr != NULL)
-		isc_timermgr_destroy(&timermgr);
-	if (socketmgr != NULL)
-		isc_socketmgr_destroy(&socketmgr);
-	if (actx != NULL)
-		isc_appctx_destroy(&actx);
-	if (lctx != NULL)
-		isc_log_destroy(&lctx);
-	isc_mem_detach(&mctx);
-
-	dns_lib_shutdown();
-
-	return (0);
-}
--- a/external/bsd/bind/dist/bin/delve/delve.docbook	Tue Jul 08 04:44:50 2014 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,680 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-	       "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<refentry id="man.delve">
-
-  <refentryinfo>
-    <date>February 21, 2014</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>delve</refentrytitle>
-    <manvolnum>1</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname>delve</refname>
-    <refpurpose>DNS lookup and validation utility</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2014</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>delve</command>
-      <arg choice="opt">@server</arg>
-      <arg><option>-4</option></arg>
-      <arg><option>-6</option></arg>
-      <arg><option>-a <replaceable class="parameter">anchor-file</replaceable></option></arg>
-      <arg><option>-b <replaceable class="parameter">address</replaceable></option></arg>
-      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-      <arg><option>-d <replaceable class="parameter">level</replaceable></option></arg>
-      <arg><option>-i</option></arg>
-      <arg><option>-m</option></arg>
-      <arg><option>-p <replaceable class="parameter">port#</replaceable></option></arg>
-      <arg><option>-q <replaceable class="parameter">name</replaceable></option></arg>
-      <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
-      <arg><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
-      <arg choice="opt">name</arg>
-      <arg choice="opt">type</arg>
-      <arg choice="opt">class</arg>
-      <arg choice="opt" rep="repeat">queryopt</arg>
-    </cmdsynopsis>
-
-    <cmdsynopsis>
-      <command>delve</command>
-      <arg><option>-h</option></arg>
-    </cmdsynopsis>
-
-    <cmdsynopsis>
-      <command>delve</command>
-      <arg><option>-v</option></arg>
-    </cmdsynopsis>
-
-    <cmdsynopsis>
-      <command>delve</command>
-      <arg choice="opt" rep="repeat">queryopt</arg>
-      <arg choice="opt" rep="repeat">query</arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para><command>delve</command>
-      (Domain Entity Lookup &amp; Validation Engine) is a tool for sending
-      DNS queries and validating the results, using the the same internal
-      resolver and validator logic as <command>named</command>.
-    </para>
-    <para>
-      <command>delve</command> will send to a specified name server all
-      queries needed to fetch and validate the requested data; this
-      includes the original requested query, subsequent queries to follow
-      CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
-      to establish a chain of trust for DNSSEC validation.
-      It does not perform iterative resolution, but simulates the
-      behavior of a name server configured for DNSSEC validating and
-      forwarding.
-    </para>
-    <para>
-      By default, responses are validated using built-in DNSSEC trust
-      anchors for the root zone (".") and for the ISC DNSSEC lookaside
-      validation zone ("dlv.isc.org").  Records returned by
-      <command>delve</command> are either fully validated or
-      were not signed.  If validation fails, an explanation of
-      the failure is included in the output; the validation process
-      can be traced in detail.  Because <command>delve</command> does
-      not rely on an external server to carry out validation, it can
-      be used to check the validity of DNS responses in environments
-      where local name servers may not be trustworthy.
-    </para>
-    <para>
-      Unless it is told to query a specific name server,
-      <command>delve</command> will try each of the servers listed in
-      <filename>/etc/resolv.conf</filename>. If no usable server
-      addresses are found, <command>delve</command> will send
-      queries to the localhost addresses (127.0.0.1 for IPv4, ::1
-      for IPv6).
-    </para>
-    <para>
-      When no command line arguments or options are given,
-      <command>delve</command> will perform an NS query for "."
-      (the root zone).
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>SIMPLE USAGE</title>
-
-    <para>
-      A typical invocation of <command>delve</command> looks like:
-      <programlisting> delve @server name type </programlisting>
-      where:
-
-      <variablelist>
-	<varlistentry>
-	  <term><constant>server</constant></term>
-	  <listitem>
-	    <para>
-	      is the name or IP address of the name server to query.  This
-	      can be an IPv4 address in dotted-decimal notation or an IPv6
-	      address in colon-delimited notation.  When the supplied
-	      <parameter>server</parameter> argument is a hostname,
-	      <command>delve</command> resolves that name before
-	      querying that name server (note, however, that this
-	      initial lookup is <emphasis>not</emphasis> validated
-	      by DNSSEC).
-	    </para>
-	    <para>
-	      If no <parameter>server</parameter> argument is
-	      provided, <command>delve</command> consults
-	      <filename>/etc/resolv.conf</filename>; if an
-	      address is found there, it queries the name server at
-	      that address. If either of the <option>-4</option> or
-	      <option>-6</option> options are in use, then
-	      only addresses for the corresponding transport
-	      will be tried.  If no usable addresses are found,
-	      <command>delve</command> will send queries to
-	      the localhost addresses (127.0.0.1 for IPv4,
-	      ::1 for IPv6).
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><constant>name</constant></term>
-	  <listitem>
-	    <para>
-	      is the domain name to be looked up.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><constant>type</constant></term>
-	  <listitem>
-	    <para>
-	      indicates what type of query is required &mdash;
-	      ANY, A, MX, etc.
-	      <parameter>type</parameter> can be any valid query
-	      type.  If no
-	      <parameter>type</parameter> argument is supplied,
-	      <command>delve</command> will perform a lookup for an
-	      A record.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-      </variablelist>
-    </para>
-
-  </refsect1>
-
-  <refsect1>
-    <title>OPTIONS</title>
-    <variablelist>
-
-      <varlistentry>
-	<term>-a <replaceable class="parameter">anchor-file</replaceable></term>
-	<listitem>
-	  <para>
-	    Specifies a file from which to read DNSSEC trust anchors.
-	    The default is <filename>/etc/bind.keys</filename>, which
-	    is included with <acronym>BIND</acronym> 9 and contains
-	    trust anchors for the root zone (".") and for the ISC
-	    DNSSEC lookaside validation zone ("dlv.isc.org").
-	  </para>
-	  <para>
-	    Keys that do not match the root or DLV trust-anchor
-	    names are ignored; these key names can be overridden
-	    using the <option>+dlv=NAME</option> or
-	    <option>+root=NAME</option> options.
-	  </para>
-	  <para>
-	    Note: When reading the trust anchor file,
-	    <command>delve</command> treats <option>managed-keys</option>
-	    statements and <option>trusted-keys</option> statements
-	    identically.  That is, for a managed key, it is the
-	    <emphasis>initial</emphasis> key that is trusted; RFC 5011
-	    key management is not supported. <command>delve</command>
-	    will not consult the managed-keys database maintained by
-	    <command>named</command>. This means that if either of the
-	    keys in <filename>/etc/bind.keys</filename> is revoked
-	    and rolled over, it will be necessary to update
-	    <filename>/etc/bind.keys</filename> to use DNSSEC
-	    validation in <command>delve</command>.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-b  <replaceable class="parameter">address</replaceable></term>
-	<listitem>
-	  <para>
-	    Sets the source IP address of the query to
-	    <parameter>address</parameter>.  This must be a valid address
-	    on one of the host's network interfaces or "0.0.0.0" or "::".
-	    An optional source port may be specified by appending
-	    "#&lt;port&gt;"
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-c <replaceable class="parameter">class</replaceable></term>
-	<listitem>
-	  <para>
-	    Sets the query class for the requested data. Currently,
-	    only class "IN" is supported in <command>delve</command>
-	    and any other value is ignored.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-d <replaceable class="parameter">level</replaceable></term>
-	<listitem>
-	  <para>
-	    Set the systemwide debug level to <option>level</option>.
-	    The allowed range is from 0 to 99.
-	    The default is 0 (no debugging).
-	    Debugging traces from <command>delve</command> become
-	    more verbose as the debug level increases.
-	    See the <option>+mtrace</option>, <option>+rtrace</option>,
-	    and <option>+vtrace</option> options below for additional
-	    debugging details.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-h</term>
-	<listitem>
-	  <para>
-	    Display the <command>delve</command> help usage output and exit.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-i</term>
-	<listitem>
-	  <para>
-	    Insecure mode. This disables internal DNSSEC validation.
-	    (Note, however, this does not set the CD bit on upstream
-	    queries. If the server being queried is performing DNSSEC
-	    validation, then it will not return invalid data; this
-	    can cause <command>delve</command> to time out. When it
-	    is necessary to examine invalid data to debug a DNSSEC
-	    problem, use <command>dig +cd</command>.)
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-m</term>
-	<listitem>
-	  <para>
-	    Enables memory usage debugging.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-p <replaceable class="parameter">port#</replaceable></term>
-	<listitem>
-	  <para>
-	    Specifies a destination port to use for queries instead of
-	    the standard DNS port number 53.  This option would be used
-	    with a name server that has been configured to listen
-	    for queries on a non-standard port number.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-q <replaceable class="parameter">name</replaceable></term>
-	<listitem>
-	  <para>
-	    Sets the query name to <parameter>name</parameter>.
-	    While the query name can be specified without using the
-	    <option>-q</option>, it is sometimes necessary to disambiguate
-	    names from types or classes (for example, when looking up the
-	    name "ns", which could be misinterpreted as the type NS,
-	    or "ch", which could be misinterpreted as class CH).
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-t <replaceable class="parameter">type</replaceable></term>
-	<listitem>
-	  <para>
-	    Sets the query type to <parameter>type</parameter>, which
-	    can be any valid query type supported in BIND 9 except
-	    for zone transfer types AXFR and IXFR. As with
-	    <option>-q</option>, this is useful to distinguish
-	    query name type or class when they are ambiguous.
-	    it is sometimes necessary to disambiguate names from types.
-	  </para>
-	  <para>
-	    The default query type is "A", unless the <option>-x</option>
-	    option is supplied to indicate a reverse lookup, in which case
-	    it is "PTR".
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-v</term>
-	<listitem>
-	  <para>
-	    Print the <command>delve</command> version and exit.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-x <replaceable class="parameter">addr</replaceable></term>
-	<listitem>
-	  <para>
-	    Performs a reverse lookup, mapping an addresses to
-	    a name.  <parameter>addr</parameter> is an IPv4 address in
-	    dotted-decimal notation, or a colon-delimited IPv6 address.
-	    When <option>-x</option> is used, there is no need to provide
-	    the <parameter>name</parameter> or <parameter>type</parameter>
-	    arguments.  <command>delve</command> automatically performs a
-	    lookup for a name like <literal>11.12.13.10.in-addr.arpa</literal>
-	    and sets the query type to PTR.  IPv6 addresses are looked up
-	    using nibble format under the IP6.ARPA domain.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-4</term>
-	<listitem>
-	  <para>
-	    Forces <command>delve</command> to only use IPv4.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-6</term>
-	<listitem>
-	  <para>
-	    Forces <command>delve</command> to only use IPv6.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>QUERY OPTIONS</title>
-
-    <para><command>delve</command>
-      provides a number of query options which affect the way results are
-      displayed, and in some cases the way lookups are performed.
-    </para>
-
-    <para>
-      Each query option is identified by a keyword preceded by a plus sign
-      (<literal>+</literal>).  Some keywords set or reset an
-      option.  These may be preceded by the string
-      <literal>no</literal> to negate the meaning of that keyword.
-      Other keywords assign values to options like the timeout interval.
-      They have the form <option>+keyword=value</option>.
-      The query options are:
-
-      <variablelist>
-	<varlistentry>
-	  <term><option>+[no]cdflag</option></term>
-	  <listitem>
-	    <para>
-	      Controls whether to set the CD (checking disabled) bit in
-	      queries sent by <command>delve</command>. This may be useful
-	      when troubleshooting DNSSEC problems from behind a validating
-	      resolver. A validating resolver will block invalid responses,
-	      making it difficult to retrieve them for analysis. Setting
-	      the CD flag on queries will cause the resolver to return
-	      invalid responses, which <command>delve</command> can then
-	      validate internally and report the errors in detail.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]class</option></term>
-	  <listitem>
-	    <para>
-	      Controls whether to display the CLASS when printing
-	      a record. The default is to display the CLASS.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]ttl</option></term>
-	  <listitem>
-	    <para>
-	      Controls whether to display the TTL when printing
-	      a record. The default is to display the TTL.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]rtrace</option></term>
-	  <listitem>
-	    <para>
-	      Toggle resolver fetch logging. This reports the
-	      name and type of each query sent by <command>delve</command>
-	      in the process of carrying out the resolution and validation
-	      process: this includes including the original query and
-	      all subsequent queries to follow CNAMEs and to establish a
-	      chain of trust for DNSSEC validation.
-	    </para>
-	    <para>
-	      This is equivalent to setting the debug level to 1 in
-	      the "resolver" logging category. Setting the systemwide
-	      debug level to 1 using the <option>-d</option> option will
-	      product the same output (but will affect other logging
-	      categories as well).
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]mtrace</option></term>
-	  <listitem>
-	    <para>
-	      Toggle message logging. This produces a detailed dump of
-	      the responses received by <command>delve</command> in the
-	      process of carrying out the resolution and validation process.
-	    </para>
-	    <para>
-	      This is equivalent to setting the debug level to 10
-	      for the the "packets" module of the "resolver" logging
-	      category. Setting the systemwide debug level to 10 using
-	      the <option>-d</option> option will produce the same output
-	      (but will affect other logging categories as well).
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]vtrace</option></term>
-	  <listitem>
-	    <para>
-	      Toggle validation logging. This shows the internal
-	      process of the validator as it determines whether an
-	      answer is validly signed, unsigned, or invalid.
-	    </para>
-	    <para>
-	      This is equivalent to setting the debug level to 3
-	      for the the "validator" module of the "dnssec" logging
-	      category. Setting the systemwide debug level to 3 using
-	      the <option>-d</option> option will produce the same output
-	      (but will affect other logging categories as well).
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]short</option></term>
-	  <listitem>
-	    <para>
-	      Provide a terse answer.  The default is to print the answer in a
-	      verbose form.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]comments</option></term>
-	  <listitem>
-	    <para>
-	      Toggle the display of comment lines in the output.  The default
-	      is to print comments.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]rrcomments</option></term>
-	  <listitem>
-	    <para>
-	      Toggle the display of per-record comments in the output (for
-	      example, human-readable key information about DNSKEY records).
-	      The default is to print per-record comments.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]crypto</option></term>
-	  <listitem>
-	    <para>
-	      Toggle the display of cryptographic fields in DNSSEC records.
-	      The contents of these field are unnecessary to debug most DNSSEC
-	      validation failures and removing them makes it easier to see
-	      the common failures.  The default is to display the fields.
-	      When omitted they are replaced by the string "[omitted]" or
-	      in the DNSKEY case the key id is displayed as the replacement,
-	      e.g. "[ key id = value ]".
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]trust</option></term>
-	  <listitem>
-	    <para>
-	      Controls whether to display the trust level when printing
-	      a record. The default is to display the trust level.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]split[=W]</option></term>
-	  <listitem>
-	    <para>
-	      Split long hex- or base64-formatted fields in resource
-	      records into chunks of <parameter>W</parameter> characters
-	      (where <parameter>W</parameter> is rounded up to the nearest
-	      multiple of 4).
-	      <parameter>+nosplit</parameter> or
-	      <parameter>+split=0</parameter> causes fields not to be
-	      split at all.  The default is 56 characters, or 44 characters
-	      when multiline mode is active.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]all</option></term>
-	  <listitem>
-	    <para>
-	      Set or clear the display options
-	      <option>+[no]comments</option>, 
-	      <option>+[no]rrcomments</option>, and
-	      <option>+[no]trust</option> as a group.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]multiline</option></term>
-	  <listitem>
-	    <para>
-	      Print long records (such as RRSIG, DNSKEY, and SOA records)
-	      in a verbose multi-line format with human-readable comments.
-	      The default is to print each record on a single line, to
-	      facilitate machine parsing of the <command>delve</command>
-	      output.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]dnssec</option></term>
-	  <listitem>
-	    <para>
-	      Indicates whether to display RRSIG records in the
-	      <command>delve</command> output.  The default is to
-	      do so.  Note that (unlike in <command>dig</command>)
-	      this does <emphasis>not</emphasis> control whether to
-	      request DNSSEC records or whether to validate them.
-	      DNSSEC records are always requested, and validation
-	      will always occur unless suppressed by the use of
-	      <option>-i</option> or <option>+noroot</option> and
-	      <option>+nodlv</option>.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]root[=ROOT]</option></term>
-	  <listitem>
-	    <para>
-	      Indicates whether to perform conventional (non-lookaside)
-	      DNSSEC validation, and if so, specifies the
-	      name of a trust anchor.  The default is to validate using
-	      a trust anchor of "." (the root zone), for which there is
-	      a built-in key.  If specifying a different trust anchor,
-	      then <option>-a</option> must be used to specify a file
-	      containing the key.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]dlv[=DLV]</option></term>
-	  <listitem>
-	    <para>
-	      Indicates whether to perform DNSSEC lookaside validation,
-	      and if so, specifies the name of the DLV trust anchor.
-	      The default is to perform lookaside validation using
-	      a trust anchor of "dlv.isc.org", for which there is a
-	      built-in key.  If specifying a different name, then
-	      <option>-a</option> must be used to specify a file
-	      containing the DLV key.
-	    </para>
-	  </listitem>
-	</varlistentry>
-      </variablelist>
-
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>FILES</title>
-    <para><filename>/etc/bind.keys</filename></para>
-    <para><filename>/etc/resolv.conf</filename></para>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-	<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-	<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citetitle>RFC4034</citetitle>,
-      <citetitle>RFC4035</citetitle>,
-      <citetitle>RFC4431</citetitle>,
-      <citetitle>RFC5074</citetitle>,
-      <citetitle>RFC5155</citetitle>.
-    </para>
-  </refsect1>
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
--- a/external/bsd/bind/dist/bin/delve/delve.html	Tue Jul 08 04:44:50 2014 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,466 +0,0 @@
-<!--
- - Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- Id -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>delve</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="man.delve"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>delve &#8212; DNS lookup and validation utility</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">delve</code>  [@server] [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>level</code></em></code>] [<code class="option">-i</code>] [<code class="option">-m</code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [name] [type] [class] [queryopt...]</p></div>
-<div class="cmdsynopsis"><p><code class="command">delve</code>  [<code class="option">-h</code>]</p></div>
-<div class="cmdsynopsis"><p><code class="command">delve</code>  [<code class="option">-v</code>]</p></div>
-<div class="cmdsynopsis"><p><code class="command">delve</code>  [queryopt...] [query...]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543489"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">delve</strong></span>
-      (Domain Entity Lookup &amp; Validation Engine) is a tool for sending
-      DNS queries and validating the results, using the the same internal
-      resolver and validator logic as <span><strong class="command">named</strong></span>.
-    </p>
-<p>
-      <span><strong class="command">delve</strong></span> will send to a specified name server all
-      queries needed to fetch and validate the requested data; this
-      includes the original requested query, subsequent queries to follow
-      CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
-      to establish a chain of trust for DNSSEC validation.
-      It does not perform iterative resolution, but simulates the
-      behavior of a name server configured for DNSSEC validating and
-      forwarding.
-    </p>
-<p>
-      By default, responses are validated using built-in DNSSEC trust
-      anchors for the root zone (".") and for the ISC DNSSEC lookaside
-      validation zone ("dlv.isc.org").  Records returned by
-      <span><strong class="command">delve</strong></span> are either fully validated or
-      were not signed.  If validation fails, an explanation of
-      the failure is included in the output; the validation process
-      can be traced in detail.  Because <span><strong class="command">delve</strong></span> does
-      not rely on an external server to carry out validation, it can
-      be used to check the validity of DNS responses in environments
-      where local name servers may not be trustworthy.
-    </p>
-<p>
-      Unless it is told to query a specific name server,
-      <span><strong class="command">delve</strong></span> will try each of the servers listed in
-      <code class="filename">/etc/resolv.conf</code>. If no usable server
-      addresses are found, <span><strong class="command">delve</strong></span> will send
-      queries to the localhost addresses (127.0.0.1 for IPv4, ::1
-      for IPv6).
-    </p>
-<p>
-      When no command line arguments or options are given,
-      <span><strong class="command">delve</strong></span> will perform an NS query for "."
-      (the root zone).
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543542"></a><h2>SIMPLE USAGE</h2>
-<p>
-      A typical invocation of <span><strong class="command">delve</strong></span> looks like:
-      </p>
-<pre class="programlisting"> delve @server name type </pre>
-<p>
-      where:
-
-      </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">server</code></span></dt>
-<dd>
-<p>
-	      is the name or IP address of the name server to query.  This
-	      can be an IPv4 address in dotted-decimal notation or an IPv6
-	      address in colon-delimited notation.  When the supplied
-	      <em class="parameter"><code>server</code></em> argument is a hostname,
-	      <span><strong class="command">delve</strong></span> resolves that name before
-	      querying that name server (note, however, that this
-	      initial lookup is <span class="emphasis"><em>not</em></span> validated
-	      by DNSSEC).
-	    </p>
-<p>
-	      If no <em class="parameter"><code>server</code></em> argument is
-	      provided, <span><strong class="command">delve</strong></span> consults
-	      <code class="filename">/etc/resolv.conf</code>; if an
-	      address is found there, it queries the name server at
-	      that address. If either of the <code class="option">-4</code> or
-	      <code class="option">-6</code> options are in use, then
-	      only addresses for the corresponding transport
-	      will be tried.  If no usable addresses are found,
-	      <span><strong class="command">delve</strong></span> will send queries to
-	      the localhost addresses (127.0.0.1 for IPv4,
-	      ::1 for IPv6).
-	    </p>
-</dd>
-<dt><span class="term"><code class="constant">name</code></span></dt>
-<dd><p>
-	      is the domain name to be looked up.
-	    </p></dd>
-<dt><span class="term"><code class="constant">type</code></span></dt>
-<dd><p>
-	      indicates what type of query is required &#8212;
-	      ANY, A, MX, etc.
-	      <em class="parameter"><code>type</code></em> can be any valid query
-	      type.  If no
-	      <em class="parameter"><code>type</code></em> argument is supplied,
-	      <span><strong class="command">delve</strong></span> will perform a lookup for an
-	      A record.
-	    </p></dd>
-</dl></div>
-<p>
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543651"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-a <em class="replaceable"><code>anchor-file</code></em></span></dt>
-<dd>
-<p>
-	    Specifies a file from which to read DNSSEC trust anchors.
-	    The default is <code class="filename">/etc/bind.keys</code>, which
-	    is included with <acronym class="acronym">BIND</acronym> 9 and contains
-	    trust anchors for the root zone (".") and for the ISC
-	    DNSSEC lookaside validation zone ("dlv.isc.org").
-	  </p>
-<p>
-	    Keys that do not match the root or DLV trust-anchor
-	    names are ignored; these key names can be overridden
-	    using the <code class="option">+dlv=NAME</code> or
-	    <code class="option">+root=NAME</code> options.
-	  </p>
-<p>
-	    Note: When reading the trust anchor file,
-	    <span><strong class="command">delve</strong></span> treats <code class="option">managed-keys</code>
-	    statements and <code class="option">trusted-keys</code> statements
-	    identically.  That is, for a managed key, it is the
-	    <span class="emphasis"><em>initial</em></span> key that is trusted; RFC 5011
-	    key management is not supported. <span><strong class="command">delve</strong></span>
-	    will not consult the managed-keys database maintained by
-	    <span><strong class="command">named</strong></span>. This means that if either of the
-	    keys in <code class="filename">/etc/bind.keys</code> is revoked
-	    and rolled over, it will be necessary to update
-	    <code class="filename">/etc/bind.keys</code> to use DNSSEC
-	    validation in <span><strong class="command">delve</strong></span>.
-	  </p>
-</dd>
-<dt><span class="term">-b  <em class="replaceable"><code>address</code></em></span></dt>
-<dd><p>
-	    Sets the source IP address of the query to
-	    <em class="parameter"><code>address</code></em>.  This must be a valid address
-	    on one of the host's network interfaces or "0.0.0.0" or "::".
-	    An optional source port may be specified by appending
-	    "#&lt;port&gt;"
-	  </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
-	    Sets the query class for the requested data. Currently,
-	    only class "IN" is supported in <span><strong class="command">delve</strong></span>
-	    and any other value is ignored.
-	  </p></dd>
-<dt><span class="term">-d <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
-	    Set the systemwide debug level to <code class="option">level</code>.
-	    The allowed range is from 0 to 99.
-	    The default is 0 (no debugging).
-	    Debugging traces from <span><strong class="command">delve</strong></span> become
-	    more verbose as the debug level increases.
-	    See the <code class="option">+mtrace</code>, <code class="option">+rtrace</code>,
-	    and <code class="option">+vtrace</code> options below for additional
-	    debugging details.
-	  </p></dd>
-<dt><span class="term">-h</span></dt>
-<dd><p>
-	    Display the <span><strong class="command">delve</strong></span> help usage output and exit.
-	  </p></dd>
-<dt><span class="term">-i</span></dt>
-<dd><p>
-	    Insecure mode. This disables internal DNSSEC validation.
-	    (Note, however, this does not set the CD bit on upstream
-	    queries. If the server being queried is performing DNSSEC
-	    validation, then it will not return invalid data; this
-	    can cause <span><strong class="command">delve</strong></span> to time out. When it
-	    is necessary to examine invalid data to debug a DNSSEC
-	    problem, use <span><strong class="command">dig +cd</strong></span>.)
-	  </p></dd>
-<dt><span class="term">-m</span></dt>
-<dd><p>
-	    Enables memory usage debugging.
-	  </p></dd>
-<dt><span class="term">-p <em class="replaceable"><code>port#</code></em></span></dt>
-<dd><p>
-	    Specifies a destination port to use for queries instead of
-	    the standard DNS port number 53.  This option would be used
-	    with a name server that has been configured to listen
-	    for queries on a non-standard port number.
-	  </p></dd>
-<dt><span class="term">-q <em class="replaceable"><code>name</code></em></span></dt>
-<dd><p>
-	    Sets the query name to <em class="parameter"><code>name</code></em>.
-	    While the query name can be specified without using the
-	    <code class="option">-q</code>, it is sometimes necessary to disambiguate
-	    names from types or classes (for example, when looking up the
-	    name "ns", which could be misinterpreted as the type NS,
-	    or "ch", which could be misinterpreted as class CH).
-	  </p></dd>
-<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
-<dd>
-<p>
-	    Sets the query type to <em class="parameter"><code>type</code></em>, which
-	    can be any valid query type supported in BIND 9 except
-	    for zone transfer types AXFR and IXFR. As with
-	    <code class="option">-q</code>, this is useful to distinguish
-	    query name type or class when they are ambiguous.
-	    it is sometimes necessary to disambiguate names from types.
-	  </p>
-<p>
-	    The default query type is "A", unless the <code class="option">-x</code>
-	    option is supplied to indicate a reverse lookup, in which case
-	    it is "PTR".
-	  </p>
-</dd>
-<dt><span class="term">-v</span></dt>
-<dd><p>
-	    Print the <span><strong class="command">delve</strong></span> version and exit.
-	  </p></dd>
-<dt><span class="term">-x <em class="replaceable"><code>addr</code></em></span></dt>
-<dd><p>
-	    Performs a reverse lookup, mapping an addresses to
-	    a name.  <em class="parameter"><code>addr</code></em> is an IPv4 address in
-	    dotted-decimal notation, or a colon-delimited IPv6 address.
-	    When <code class="option">-x</code> is used, there is no need to provide
-	    the <em class="parameter"><code>name</code></em> or <em class="parameter"><code>type</code></em>
-	    arguments.  <span><strong class="command">delve</strong></span> automatically performs a
-	    lookup for a name like <code class="literal">11.12.13.10.in-addr.arpa</code>
-	    and sets the query type to PTR.  IPv6 addresses are looked up
-	    using nibble format under the IP6.ARPA domain.
-	  </p></dd>
-<dt><span class="term">-4</span></dt>
-<dd><p>
-	    Forces <span><strong class="command">delve</strong></span> to only use IPv4.
-	  </p></dd>
-<dt><span class="term">-6</span></dt>
-<dd><p>
-	    Forces <span><strong class="command">delve</strong></span> to only use IPv6.
-	  </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544151"></a><h2>QUERY OPTIONS</h2>
-<p><span><strong class="command">delve</strong></span>
-      provides a number of query options which affect the way results are
-      displayed, and in some cases the way lookups are performed.
-    </p>
-<p>
-      Each query option is identified by a keyword preceded by a plus sign
-      (<code class="literal">+</code>).  Some keywords set or reset an
-      option.  These may be preceded by the string
-      <code class="literal">no</code> to negate the meaning of that keyword.
-      Other keywords assign values to options like the timeout interval.
-      They have the form <code class="option">+keyword=value</code>.
-      The query options are:
-
-      </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
-<dd><p>
-	      Controls whether to set the CD (checking disabled) bit in
-	      queries sent by <span><strong class="command">delve</strong></span>. This may be useful
-	      when troubleshooting DNSSEC problems from behind a validating
-	      resolver. A validating resolver will block invalid responses,
-	      making it difficult to retrieve them for analysis. Setting
-	      the CD flag on queries will cause the resolver to return
-	      invalid responses, which <span><strong class="command">delve</strong></span> can then
-	      validate internally and report the errors in detail.
-	    </p></dd>
-<dt><span class="term"><code class="option">+[no]class</code></span></dt>
-<dd><p>
-	      Controls whether to display the CLASS when printing
-	      a record. The default is to display the CLASS.
-	    </p></dd>
-<dt><span class="term"><code class="option">+[no]ttl</code></span></dt>
-<dd><p>
-	      Controls whether to display the TTL when printing
-	      a record. The default is to display the TTL.
-	    </p></dd>
-<dt><span class="term"><code class="option">+[no]rtrace</code></span></dt>
-<dd>
-<p>
-	      Toggle resolver fetch logging. This reports the
-	      name and type of each query sent by <span><strong class="command">delve</strong></span>
-	      in the process of carrying out the resolution and validation
-	      process: this includes including the original query and
-	      all subsequent queries to follow CNAMEs and to establish a
-	      chain of trust for DNSSEC validation.
-	    </p>
-<p>
-	      This is equivalent to setting the debug level to 1 in
-	      the "resolver" logging category. Setting the systemwide
-	      debug level to 1 using the <code class="option">-d</code> option will
-	      product the same output (but will affect other logging
-	      categories as well).
-	    </p>
-</dd>
-<dt><span class="term"><code class="option">+[no]mtrace</code></span></dt>
-<dd>
-<p>
-	      Toggle message logging. This produces a detailed dump of
-	      the responses received by <span><strong class="command">delve</strong></span> in the
-	      process of carrying out the resolution and validation process.
-	    </p>
-<p>
-	      This is equivalent to setting the debug level to 10
-	      for the the "packets" module of the "resolver" logging
-	      category. Setting the systemwide debug level to 10 using
-	      the <code class="option">-d</code> option will produce the same output
-	      (but will affect other logging categories as well).
-	    </p>
-</dd>
-<dt><span class="term"><code class="option">+[no]vtrace</code></span></dt>
-<dd>
-<p>
-	      Toggle validation logging. This shows the internal
-	      process of the validator as it determines whether an
-	      answer is validly signed, unsigned, or invalid.
-	    </p>
-<p>
-	      This is equivalent to setting the debug level to 3
-	      for the the "validator" module of the "dnssec" logging
-	      category. Setting the systemwide debug level to 3 using
-	      the <code class="option">-d</code> option will produce the same output
-	      (but will affect other logging categories as well).
-	    </p>
-</dd>
-<dt><span class="term"><code class="option">+[no]short</code></span></dt>
-<dd><p>
-	      Provide a terse answer.  The default is to print the answer in a
-	      verbose form.
-	    </p></dd>
-<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
-<dd><p>
-	      Toggle the display of comment lines in the output.  The default
-	      is to print comments.
-	    </p></dd>
-<dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
-<dd><p>
-	      Toggle the display of per-record comments in the output (for
-	      example, human-readable key information about DNSKEY records).
-	      The default is to print per-record comments.
-	    </p></dd>
-<dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
-<dd><p>
-	      Toggle the display of cryptographic fields in DNSSEC records.
-	      The contents of these field are unnecessary to debug most DNSSEC
-	      validation failures and removing them makes it easier to see
-	      the common failures.  The default is to display the fields.
-	      When omitted they are replaced by the string "[omitted]" or
-	      in the DNSKEY case the key id is displayed as the replacement,
-	      e.g. "[ key id = value ]".
-	    </p></dd>
-<dt><span class="term"><code class="option">+[no]trust</code></span></dt>
-<dd><p>
-	      Controls whether to display the trust level when printing
-	      a record. The default is to display the trust level.
-	    </p></dd>
-<dt><span class="term"><code class="option">+[no]split[=W]</code></span></dt>
-<dd><p>
-	      Split long hex- or base64-formatted fields in resource
-	      records into chunks of <em class="parameter"><code>W</code></em> characters
-	      (where <em class="parameter"><code>W</code></em> is rounded up to the nearest
-	      multiple of 4).
-	      <em class="parameter"><code>+nosplit</code></em> or
-	      <em class="parameter"><code>+split=0</code></em> causes fields not to be
-	      split at all.  The default is 56 characters, or 44 characters
-	      when multiline mode is active.
-	    </p></dd>
-<dt><span class="term"><code class="option">+[no]all</code></span></dt>
-<dd><p>
-	      Set or clear the display options
-	      <code class="option">+[no]comments</code>, 
-	      <code class="option">+[no]rrcomments</code>, and
-	      <code class="option">+[no]trust</code> as a group.
-	    </p></dd>
-<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
-<dd><p>
-	      Print long records (such as RRSIG, DNSKEY, and SOA records)
-	      in a verbose multi-line format with human-readable comments.
-	      The default is to print each record on a single line, to
-	      facilitate machine parsing of the <span><strong class="command">delve</strong></span>
-	      output.
-	    </p></dd>
-<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
-<dd><p>
-	      Indicates whether to display RRSIG records in the
-	      <span><strong class="command">delve</strong></span> output.  The default is to
-	      do so.  Note that (unlike in <span><strong class="command">dig</strong></span>)
-	      this does <span class="emphasis"><em>not</em></span> control whether to
-	      request DNSSEC records or whether to validate them.
-	      DNSSEC records are always requested, and validation
-	      will always occur unless suppressed by the use of
-	      <code class="option">-i</code> or <code class="option">+noroot</code> and
-	      <code class="option">+nodlv</code>.
-	    </p></dd>
-<dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt>
-<dd><p>
-	      Indicates whether to perform conventional (non-lookaside)
-	      DNSSEC validation, and if so, specifies the
-	      name of a trust anchor.  The default is to validate using
-	      a trust anchor of "." (the root zone), for which there is
-	      a built-in key.  If specifying a different trust anchor,
-	      then <code class="option">-a</code> must be used to specify a file
-	      containing the key.
-	    </p></dd>
-<dt><span class="term"><code class="option">+[no]dlv[=DLV]</code></span></dt>
-<dd><p>
-	      Indicates whether to perform DNSSEC lookaside validation,
-	      and if so, specifies the name of the DLV trust anchor.
-	      The default is to perform lookaside validation using
-	      a trust anchor of "dlv.isc.org", for which there is a
-	      built-in key.  If specifying a different name, then
-	      <code class="option">-a</code> must be used to specify a file
-	      containing the DLV key.
-	    </p></dd>
-</dl></div>
-<p>
-
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544637"></a><h2>FILES</h2>
-<p><code class="filename">/etc/bind.keys</code></p>
-<p><code class="filename">/etc/resolv.conf</code></p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544652"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-      <em class="citetitle">RFC4034</em>,
-      <em class="citetitle">RFC4035</em>,
-      <em class="citetitle">RFC4431</em>,
-      <em class="citetitle">RFC5074</em>,
-      <em class="citetitle">RFC5155</em>.
-    </p>
-</div>
-</div></body>
-</html>
--- a/external/bsd/bind/dist/bin/dig/dig.1	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/dig/dig.1	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-.\"	$NetBSD: dig.1,v 1.7 2014/03/01 03:24:32 christos Exp $
+.\"	$NetBSD: dig.1,v 1.8 2014/07/08 05:43:37 spz Exp $
 .\"
 .\" Copyright (C) 2004-2011, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
@@ -22,11 +22,11 @@
 .\"     Title: dig
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: June 30, 2000
+.\"      Date: February 19, 2014
 .\"    Manual: BIND9
 .\"    Source: BIND9
 .\"
-.TH "DIG" "1" "June 30, 2000" "BIND9" "BIND9"
+.TH "DIG" "1" "February 19, 2014" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -35,7 +35,7 @@
 dig \- DNS lookup utility
 .SH "SYNOPSIS"
 .HP 4
-\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIname:key\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [name] [type] [class] [queryopt...]
+\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIname:key\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [name] [type] [class] [queryopt...]
 .HP 4
 \fBdig\fR [\fB\-h\fR]
 .HP 4
@@ -192,6 +192,12 @@
 \fIname\fR
 from other arguments.
 .PP
+The
+\fB\-v\fR
+causes
+\fBdig\fR
+to print the version number and exit.
+.PP
 Reverse lookups \(em mapping addresses to names \(em are simplified by the
 \fB\-x\fR
 option.
--- a/external/bsd/bind/dist/bin/dig/dig.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/dig/dig.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dig.c,v 1.8 2014/03/01 03:24:32 christos Exp $	*/
+/*	$NetBSD: dig.c,v 1.9 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
  * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
@@ -33,7 +33,6 @@
 #include <isc/string.h>
 #include <isc/util.h>
 #include <isc/task.h>
-#include <isc/timer.h>
 
 #include <dns/byaddr.h>
 #include <dns/fixedname.h>
--- a/external/bsd/bind/dist/bin/dig/dighost.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/dig/dighost.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dighost.c,v 1.12 2014/03/01 03:24:32 christos Exp $	*/
+/*	$NetBSD: dighost.c,v 1.13 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
  * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
@@ -813,6 +813,7 @@
 #ifdef ISC_PLATFORM_USESIT
 	looknew->sitvalue = NULL;
 #endif
+	dns_fixedname_init(&looknew->fdomain);
 	ISC_LINK_INIT(looknew, link);
 	ISC_LIST_INIT(looknew->q);
 	ISC_LIST_INIT(looknew->connecting);
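Review bot: The added `dns_fixedname_init(&looknew->fdomain);` carries no comment saying why it has to happen here, and the reason is not visible from this hunk alone. The `-901,6 +902,9` hunk now copies `fdomain` from the old lookup unconditionally, and the initialisation removed in the `-1885,7 +1889,6` hunk appears to have run on only one code path. I would add `/* fdomain must always be initialised: lookup cloning copies it unconditionally */` above the call so the invariant is not lost in a later refactor. The enclosing function starts and ends outside the hunk.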
@@ -901,6 +902,9 @@
 		memmove(looknew->ecs_addr, lookold->ecs_addr, len);
 	}
 
+	dns_name_copy(dns_fixedname_name(&lookold->fdomain),
+		      dns_fixedname_name(&looknew->fdomain), NULL);
+
 	if (servers)
 		clone_server_list(lookold->my_server_list,
 				  &looknew->my_server_list);
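Review bot: The result of the added `dns_name_copy()` call is discarded, so a failed copy would leave the cloned lookup with an empty `fdomain` and nothing would report it. A fixed-name destination presumably makes failure very unlikely, but asserting that documents the assumption, e.g. `RUNTIME_CHECK(dns_name_copy(dns_fixedname_name(&lookold->fdomain), dns_fixedname_name(&looknew->fdomain), NULL) == ISC_R_SUCCESS);`, assuming `RUNTIME_CHECK` is in scope in this file. The pre-existing `dns_name_copy(name, domain, NULL);` in the `-1885,7 +1889,6` hunk ignores its result in the same way. The enclosing function extends beyond the hunk.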
@@ -1885,7 +1889,6 @@
 				lookup->trace_root = ISC_FALSE;
 				if (lookup->ns_search_only)
 					lookup->recurse = ISC_FALSE;
-				dns_fixedname_init(&lookup->fdomain);
 				domain = dns_fixedname_name(&lookup->fdomain);
 				dns_name_copy(name, domain, NULL);
 			}
--- a/external/bsd/bind/dist/bin/dig/host.1	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/dig/host.1	Tue Jul 08 05:43:37 2014 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: host.1,v 1.3 2012/06/05 00:38:53 christos Exp $
+.\"	$NetBSD: host.1,v 1.4 2014/07/08 05:43:37 spz Exp $
 .\"
-.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007-2009, 2014 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2002 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -22,11 +22,11 @@
 .\"     Title: host
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
+.\"      Date: January 20, 2009
 .\"    Manual: BIND9
 .\"    Source: BIND9
 .\"
-.TH "HOST" "1" "Jun 30, 2000" "BIND9" "BIND9"
+.TH "HOST" "1" "January 20, 2009" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -35,7 +35,7 @@
 host \- DNS lookup utility
 .SH "SYNOPSIS"
 .HP 5
-\fBhost\fR [\fB\-aCdlnrsTwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-4\fR] [\fB\-6\fR] {name} [server]
+\fBhost\fR [\fB\-aCdlnrsTwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [\fB\-v\fR] [\fB\-V\fR] {name} [server]
 .SH "DESCRIPTION"
 .PP
 \fBhost\fR
@@ -196,6 +196,12 @@
 \fIusage\fR
 and
 \fItrace\fR.
+.PP
+The
+\fB\-V\fR
+option causes
+\fBhost\fR
+to print the version number and exit.
 .SH "IDN SUPPORT"
 .PP
 If
@@ -215,7 +221,7 @@
 \fBdig\fR(1),
 \fBnamed\fR(8).
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007\-2009 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007\-2009, 2014 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000\-2002 Internet Software Consortium.
 .br
--- a/external/bsd/bind/dist/bin/dig/host.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/dig/host.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: host.c,v 1.8 2014/03/01 03:24:32 christos Exp $	*/
+/*	$NetBSD: host.c,v 1.9 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
- * Copyright (C) 2004-2007, 2009-2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009-2014  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -17,8 +17,6 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* Id: host.c,v 1.127 2011/03/11 06:11:20 marka Exp  */
-
 /*! \file */
 
 #include <config.h>
@@ -169,7 +167,8 @@
 "       -W specifies how long to wait for a reply\n"
 "       -4 use IPv4 query transport only\n"
 "       -6 use IPv6 query transport only\n"
-"       -m set memory debugging flag (trace|record|usage)\n", stderr);
+"       -m set memory debugging flag (trace|record|usage)\n"
+"       -v print version number and exit\n", stderr);
 	exit(1);
 }
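Review bot: The new usage line advertises `-v` for printing the version, but the option this commit actually wires up is `-V`. The optstring gains `V`, the new `case 'V'` calls `version()` and exits, `case 'v'` is left as a plain `break`, and host.1 documents `-V`. The line should read `"       -V print version number and exit\n", stderr);` so the help text agrees with the parser and the manual page. The usage function starts outside the hunk.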
 
@@ -606,7 +605,13 @@
 	return (result);
 }
 
-static const char * optstring = "46ac:dilnm:rst:vwCDN:R:TW:";
+static const char * optstring = "46ac:dilnm:rst:vVwCDN:R:TW:";
+
+/*% version */
+static void
+version(void) {
+	fputs("host " VERSION "\n", stderr);
+}
 
 static void
 pre_parse_args(int argc, char **argv) {
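Review bot: `version()` writes the version string to stderr, although `-V` is a successful request that exits 0 (see the `case 'V'` hunk below). Unless the project deliberately prints version banners on stderr, `fputs("host " VERSION "\n", stdout);` lets callers capture the output through a pipe and keeps stderr for diagnostics. The same applies to the `version()` added in nslookup.c. The comment `/*% version */` only repeats the function name; `/*% Print the program name and version. */` would say what it does. `pre_parse_args` continues outside the hunk.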
@@ -638,6 +643,10 @@
 		case 's': break;
 		case 't': break;
 		case 'v': break;
+		case 'V':
+			  version();
+			  exit(0);
+			  break;
 		case 'w': break;
 		case 'C': break;
 		case 'D':
--- a/external/bsd/bind/dist/bin/dig/nslookup.1	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/dig/nslookup.1	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-.\"	$NetBSD: nslookup.1,v 1.5 2014/03/01 03:24:32 christos Exp $
+.\"	$NetBSD: nslookup.1,v 1.6 2014/07/08 05:43:37 spz Exp $
 .\"
 .\" Copyright (C) 2004-2007, 2010, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
 .\" 
@@ -21,11 +21,11 @@
 .\"     Title: nslookup
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
+.\"      Date: January 24, 2014
 .\"    Manual: BIND9
 .\"    Source: BIND9
 .\"
-.TH "NSLOOKUP" "1" "Jun 30, 2000" "BIND9" "BIND9"
+.TH "NSLOOKUP" "1" "January 24, 2014" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -63,6 +63,12 @@
 .fi
 .RE
 .sp
+.PP
+The
+\fB\-version\fR
+option causes
+\fBnslookup\fR
+to print the version number and immediately exits.
 .SH "INTERACTIVE COMMANDS"
 .PP
 \fBhost\fR [server]
--- a/external/bsd/bind/dist/bin/dig/nslookup.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/dig/nslookup.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: nslookup.c,v 1.8 2014/03/01 03:24:32 christos Exp $	*/
+/*	$NetBSD: nslookup.c,v 1.9 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -17,8 +17,6 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* Id: nslookup.c,v 1.130 2011/12/16 23:01:16 each Exp  */
-
 #include <config.h>
 
 #include <stdlib.h>
@@ -584,6 +582,11 @@
 }
 
 static void
+version(void) {
+	fputs("nslookup " VERSION "\n", stderr);
+}
+
+static void
 setoption(char *opt) {
 	if (strncasecmp(opt, "all", 4) == 0) {
 		show_settings(ISC_TRUE, ISC_FALSE);
@@ -807,9 +810,12 @@
 	for (argc--, argv++; argc > 0; argc--, argv++) {
 		debug("main parsing %s", argv[0]);
 		if (argv[0][0] == '-') {
-			if (argv[0][1] != 0)
+			if (strncasecmp(argv[0], "-ver", 4) == 0) {
+				version();
+				exit(0);
+			} else if (argv[0][1] != 0) {
 				setoption(&argv[0][1]);
-			else
+			} else
 				have_lookup = ISC_TRUE;
 		} else {
 			if (!have_lookup) {
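Review bot: The new test `strncasecmp(argv[0], "-ver", 4) == 0` is a prefix match, so any argument that begins with `-ver`, not only the documented `-version`, prints the version and exits before `setoption()` sees it. A mistyped option, or a future one starting with `ver`, therefore ends the program with status 0 instead of reporting an error. If only the documented spelling is meant, `if (strcasecmp(argv[0], "-version") == 0) {` says so. If abbreviations are intended, the shortest accepted form belongs in nslookup.1. The enclosing function starts and ends outside the hunk.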
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.8	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.8	Tue Jul 08 05:43:37 2014 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: dnssec-dsfromkey.8,v 1.5 2012/12/04 23:38:38 spz Exp $
+.\"	$NetBSD: dnssec-dsfromkey.8,v 1.6 2014/07/08 05:43:37 spz Exp $
 .\"
-.\" Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -21,11 +21,11 @@
 .\"     Title: dnssec\-dsfromkey
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: August 26, 2009
+.\"      Date: May 02, 2012
 .\"    Manual: BIND9
 .\"    Source: BIND9
 .\"
-.TH "DNSSEC\-DSFROMKEY" "8" "August 26, 2009" "BIND9" "BIND9"
+.TH "DNSSEC\-DSFROMKEY" "8" "May 02, 2012" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -155,5 +155,5 @@
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2008\-2012 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008\-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
 .br
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dnssec-dsfromkey.c,v 1.8 2014/03/01 03:24:32 christos Exp $	*/
+/*	$NetBSD: dnssec-dsfromkey.c,v 1.9 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
  * Copyright (C) 2008-2012, 2014  Internet Systems Consortium, Inc. ("ISC")
@@ -51,6 +51,10 @@
 
 #include <dst/dst.h>
 
+#ifdef PKCS11CRYPTO
+#include <pk11/result.h>
+#endif
+
 #include "dnssectool.h"
 
 #ifndef PATH_MAX
@@ -372,6 +376,9 @@
 	if (result != ISC_R_SUCCESS)
 		fatal("out of memory");
 
+#ifdef PKCS11CRYPTO
+	pk11_result_register();
+#endif
 	dns_result_register();
 
 	isc_commandline_errprint = ISC_FALSE;
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-importkey.8	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-importkey.8	Tue Jul 08 05:43:37 2014 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: dnssec-importkey.8,v 1.2 2013/12/31 20:24:39 christos Exp $
+.\"	$NetBSD: dnssec-importkey.8,v 1.3 2014/07/08 05:43:37 spz Exp $
 .\"
-.\" Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
 .\"
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -18,97 +18,100 @@
 .\"
 .hy 0
 .ad l
-'\" t
-.\"     Title: dnssec-importkey
-.\"    Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: August 30, 2013
+.\"     Title: dnssec\-importkey
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: February 20, 2014
 .\"    Manual: BIND9
 .\"    Source: BIND9
-.\"  Language: English
 .\"
-.TH "DNSSEC\-IMPORTKEY" "8" "August 30, 2013" "BIND9" "BIND9"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el       .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
+.TH "DNSSEC\-IMPORTKEY" "8" "February 20, 2014" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
 .SH "NAME"
-dnssec-importkey \- Import DNSKEY records from external systems so they can be managed\&.
+dnssec\-importkey \- Import DNSKEY records from external systems so they can be managed.
 .SH "SYNOPSIS"
 .HP 17
-\fBdnssec\-importkey\fR [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fBkeyname\fR]
+\fBdnssec\-importkey\fR [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {\fBkeyfile\fR}
+.HP 17
+\fBdnssec\-importkey\fR {\fB\-f\ \fR\fB\fIfilename\fR\fR} [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fBdnsname\fR]
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-importkey\fR
-read a DNSKEY record and generated a \&.key/\&.private key pair\&. Publication (\fB\-P\fR) and deletions (\fB\-D\fR) times can be set for the key\&.
+reads a public DNSKEY record and generates a pair of .key/.private files. The DNSKEY record may be read from an existing .key file, in which case a corresponding .private file will be generated, or it may be read from any other file or from the standard input, in which case both .key and .private files will be generated.
+.PP
+The newly\-created .private file does
+\fInot\fR
+contain private key data, and cannot be used for signing. However, having a .private file makes it possible to set publication (\fB\-P\fR) and deletion (\fB\-D\fR) times for the key, which means the public key can be added to and removed from the DNSKEY RRset on schedule even if the true private key is stored offline.
 .SH "OPTIONS"
 .PP
 \-f \fIfilename\fR
 .RS 4
-Filename to read the key from\&.
+Zone file mode: instead of a public keyfile name, the argument is the DNS domain name of a zone master file, which can be read from
+\fBfile\fR. If the domain name is the same as
+\fBfile\fR, then it may be omitted.
+.sp
+If
+\fBfile\fR
+is set to
+"\-", then the zone data is read from the standard input.
 .RE
 .PP
 \-K \fIdirectory\fR
 .RS 4
-Sets the directory in which the key files are to reside\&.
+Sets the directory in which the key files are to reside.
 .RE
 .PP
 \-L \fIttl\fR
 .RS 4
-Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. importkey the default TTL to
+Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence. Setting the default TTL to
 0
 or
 none
-removes it\&.
+removes it.
 .RE
 .PP
 \-h
 .RS 4
-Emit usage message and exit\&.
+Emit usage message and exit.
 .RE
 .PP
 \-v \fIlevel\fR
 .RS 4
-Sets the debugging level\&.
+Sets the debugging level.
 .RE
 .SH "TIMING OPTIONS"
 .PP
-Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argument begins with a \*(Aq+\*(Aq or \*(Aq\-\*(Aq, it is interpreted as an offset from the present time\&. For convenience, if such an offset is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively\&. Without a suffix, the offset is computed in seconds\&. To unset a date, use \*(Aqnone\*(Aq\&.
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds. To explicitly prevent a date from being set, use 'none' or 'never'.
 .PP
 \-P \fIdate/offset\fR
 .RS 4
-Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&.
+Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it.
 .RE
 .PP
 \-D \fIdate/offset\fR
 .RS 4
-Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.)
+Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
 .RE
+.SH "FILES"
+.PP
+A keyfile can be designed by the key identification
+\fIKnnnn.+aaa+iiiii\fR
+or the full file name
+\fIKnnnn.+aaa+iiiii.key\fR
+as generated by
+dnssec\-keygen(8).
 .SH "SEE ALSO"
 .PP
-\fBdnssec-keygen\fR(8),
-\fBdnssec-signzone\fR(8),
+\fBdnssec\-keygen\fR(8),
+\fBdnssec\-signzone\fR(8),
 BIND 9 Administrator Reference Manual,
-RFC 5011\&.
+RFC 5011.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
+Copyright \(co 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
 .br
-Copyright \(co 2013 Internet Systems Consortium, Inc. ("ISC")
-.br
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-importkey.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-importkey.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dnssec-importkey.c,v 1.3 2014/03/01 03:24:32 christos Exp $	*/
+/*	$NetBSD: dnssec-importkey.c,v 1.4 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
  * Copyright (C) 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
@@ -49,6 +49,10 @@
 
 #include <dst/dst.h>
 
+#ifdef PKCS11CRYPTO
+#include <pk11/result.h>
+#endif
+
 #include "dnssectool.h"
 
 #ifndef PATH_MAX
@@ -304,6 +308,9 @@
 	if (result != ISC_R_SUCCESS)
 		fatal("out of memory");
 
+#ifdef PKCS11CRYPTO
+	pk11_result_register();
+#endif
 	dns_result_register();
 
 	isc_commandline_errprint = ISC_FALSE;
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.8	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.8	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-.\"	$NetBSD: dnssec-keyfromlabel.8,v 1.7 2014/03/01 03:24:32 christos Exp $
+.\"	$NetBSD: dnssec-keyfromlabel.8,v 1.8 2014/07/08 05:43:37 spz Exp $
 .\"
 .\" Copyright (C) 2008-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
 .\" 
@@ -21,11 +21,11 @@
 .\"     Title: dnssec\-keyfromlabel
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: February 8, 2008
+.\"      Date: February 27, 2014
 .\"    Manual: BIND9
 .\"    Source: BIND9
 .\"
-.TH "DNSSEC\-KEYFROMLABEL" "8" "February 8, 2008" "BIND9" "BIND9"
+.TH "DNSSEC\-KEYFROMLABEL" "8" "February 27, 2014" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -34,11 +34,12 @@
 dnssec\-keyfromlabel \- DNSSEC key generation tool
 .SH "SYNOPSIS"
 .HP 20
-\fBdnssec\-keyfromlabel\fR {\-l\ \fIlabel\fR} [\fB\-3\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-y\fR] {name}
+\fBdnssec\-keyfromlabel\fR {\-l\ \fIlabel\fR} [\fB\-3\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-y\fR] {name}
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-keyfromlabel\fR
-gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034.
+generates a key pair of files that referencing a key object stored in a cryptographic hardware service module (HSM). The private key file can be used for DNSSEC signing of zone data as if it were a conventional signing key created by
+\fBdnssec\-keygen\fR, but the key material is stored within the HSM, and the actual signing takes place there.
 .PP
 The
 \fBname\fR
@@ -152,6 +153,11 @@
 Sets the protocol value for the key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
 .RE
 .PP
+\-S \fIkey\fR
+.RS 4
+Generate a key as an explicit successor to an existing key. The name, algorithm, size, and type of the key will be set to match the predecessor. The activation date of the new key will be set to the inactivation date of the existing one. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days.
+.RE
+.PP
 \-t \fItype\fR
 .RS 4
 Indicates the use of the key.
@@ -196,6 +202,15 @@
 .RS 4
 Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
 .RE
+.PP
+\-i \fIinterval\fR
+.RS 4
+Sets the prepublication interval for a key. If set, then the publication and activation dates must be separated by at least this much time. If the activation date is specified but the publication date isn't, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn't, then activation will be set to this much time after publication.
+.sp
+If the key is being created as an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero.
+.sp
+As with date offsets, if the argument is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is measured in years, months, weeks, days, hours, or minutes, respectively. Without a suffix, the interval is measured in seconds.
+.RE
 .SH "GENERATED KEY FILES"
 .PP
 When
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dnssec-keyfromlabel.c,v 1.11 2014/03/01 03:24:32 christos Exp $	*/
+/*	$NetBSD: dnssec-keyfromlabel.c,v 1.12 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
  * Copyright (C) 2007-2012, 2014  Internet Systems Consortium, Inc. ("ISC")
@@ -45,6 +45,10 @@
 
 #include <dst/dst.h>
 
+#ifdef PKCS11CRYPTO
+#include <pk11/result.h>
+#endif
+
 #include "dnssectool.h"
 
 #define MAX_RSA 4096 /* should be long enough... */
@@ -110,6 +114,11 @@
 	fprintf(stderr, "    -G: generate key only; do not set -P or -A\n");
 	fprintf(stderr, "    -C: generate a backward-compatible key, omitting"
 			" all dates\n");
+	fprintf(stderr, "    -S <key>: generate a successor to an existing "
+				      "key\n");
+	fprintf(stderr, "    -i <interval>: prepublication interval for "
+					   "successor key "
+					   "(default: 30 days)\n");
 	fprintf(stderr, "Output:\n");
 	fprintf(stderr, "     K<name>+<alg>+<id>.key, "
 			"K<name>+<alg>+<id>.private\n");
@@ -122,6 +131,8 @@
 	char		*algname = NULL, *freeit = NULL;
 	char		*nametype = NULL, *type = NULL;
 	const char	*directory = NULL;
+	const char	*predecessor = NULL;
+	dst_key_t	*prevkey = NULL;
 #ifdef USE_PKCS11
 	const char	*engine = PKCS11_ENGINE;
 #else
@@ -151,6 +162,7 @@
 	isc_stdtime_t	publish = 0, activate = 0, revoke = 0;
 	isc_stdtime_t	inactive = 0, delete = 0;
 	isc_stdtime_t	now;
+	int		prepub = -1;
 	isc_boolean_t	setpub = ISC_FALSE, setact = ISC_FALSE;
 	isc_boolean_t	setrev = ISC_FALSE, setinact = ISC_FALSE;
 	isc_boolean_t	setdel = ISC_FALSE, setttl = ISC_FALSE;
@@ -168,15 +180,17 @@
 
 	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
 
+#ifdef PKCS11CRYPTO
+	pk11_result_register();
+#endif
 	dns_result_register();
 
 	isc_commandline_errprint = ISC_FALSE;
 
 	isc_stdtime_get(&now);
 
-	while ((ch = isc_commandline_parse(argc, argv,
-			"3a:Cc:E:f:K:kl:L:n:p:t:v:yFhGP:A:R:I:D:")) != -1)
-	{
+#define CMDLINE_FLAGS "3A:a:Cc:D:E:Ff:GhI:i:kK:L:l:n:P:p:R:S:t:v:y"
+	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 	    switch (ch) {
 		case '3':
 			use_nsec3 = ISC_TRUE;
@@ -283,6 +297,12 @@
 					   now, now, &setdel);
 			unsetdel = !setdel;
 			break;
+		case 'S':
+			predecessor = isc_commandline_argument;
+			break;
+		case 'i':
+			prepub = strtottl(isc_commandline_argument);
+			break;
 		case 'F':
 			/* Reserved for FIPS mode */
 			/* FALLTHROUGH */
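Review bot: In `case 'i':`, `prepub = strtottl(isc_commandline_argument);` stores the parsed interval in an `int` whose value -1 is also the "not given" sentinel (`int prepub = -1;` is added earlier in this commit). The return type of `strtottl` is not visible here; if it is an unsigned 32-bit TTL, a value above INT_MAX becomes negative. That would skip the `prepub > 0` checks without any message, and with `-S` it would make `publish = activate - prepub` land after the activation date. A range check at the point of parsing, `if (prepub < 0) fatal("-i interval out of range");`, would reject such input. The switch starts and ends outside the hunk.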
@@ -311,77 +331,190 @@
 
 	setup_logging(verbose, mctx, &log);
 
-	if (label == NULL)
-		fatal("the key label was not specified");
-	if (argc < isc_commandline_index + 1)
-		fatal("the key name was not specified");
-	if (argc > isc_commandline_index + 1)
-		fatal("extraneous arguments");
+	if (predecessor == NULL) {
+		if (label == NULL)
+			fatal("the key label was not specified");
+		if (argc < isc_commandline_index + 1)
+			fatal("the key name was not specified");
+		if (argc > isc_commandline_index + 1)
+			fatal("extraneous arguments");
+
+		dns_fixedname_init(&fname);
+		name = dns_fixedname_name(&fname);
+		isc_buffer_init(&buf, argv[isc_commandline_index],
+				strlen(argv[isc_commandline_index]));
+		isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
+		ret = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
+		if (ret != ISC_R_SUCCESS)
+			fatal("invalid key name %s: %s",
+			      argv[isc_commandline_index],
+			      isc_result_totext(ret));
 
-	if (strchr(label, ':') == NULL) {
-		char *l;
-		int len;
+		if (strchr(label, ':') == NULL) {
+			char *l;
+			int len;
+
+			len = strlen(label) + 8;
+			l = isc_mem_allocate(mctx, len);
+			if (l == NULL)
+				fatal("cannot allocate memory");
+			snprintf(l, len, "pkcs11:%s", label);
+			isc_mem_free(mctx, label);
+			label = l;
+		}
+
+		if (algname == NULL) {
+			if (use_nsec3)
+				algname = strdup(DEFAULT_NSEC3_ALGORITHM);
+			else
+				algname = strdup(DEFAULT_ALGORITHM);
+			if (algname == NULL)
+				fatal("strdup failed");
+			freeit = algname;
+			if (verbose > 0)
+				fprintf(stderr, "no algorithm specified; "
+					"defaulting to %s\n", algname);
+		}
 
-		len = strlen(label) + 8;
-		l = isc_mem_allocate(mctx, len);
-		if (l == NULL)
-			fatal("cannot allocate memory");
-		snprintf(l, len, "pkcs11:%s", label);
-		isc_mem_free(mctx, label);
-		label = l;
-	}
+		if (strcasecmp(algname, "RSA") == 0) {
+			fprintf(stderr, "The use of RSA (RSAMD5) is not "
+					"recommended.\nIf you still wish to "
+					"use RSA (RSAMD5) please specify "
+					"\"-a RSAMD5\"\n");
+			if (freeit != NULL)
+				free(freeit);
+			return (1);
+		} else {
+			r.base = algname;
+			r.length = strlen(algname);
+			ret = dns_secalg_fromtext(&alg, &r);
+			if (ret != ISC_R_SUCCESS)
+				fatal("unknown algorithm %s", algname);
+			if (alg == DST_ALG_DH)
+				options |= DST_TYPE_KEY;
+		}
 
-	if (algname == NULL) {
-		if (use_nsec3)
-			algname = strdup(DEFAULT_NSEC3_ALGORITHM);
-		else
-			algname = strdup(DEFAULT_ALGORITHM);
-		if (algname == NULL)
-			fatal("strdup failed");
-		freeit = algname;
-		if (verbose > 0)
-			fprintf(stderr, "no algorithm specified; "
-				"defaulting to %s\n", algname);
-	}
+		if (use_nsec3 &&
+		    alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
+		    alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 &&
+		    alg != DST_ALG_ECCGOST &&
+		    alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
+			fatal("%s is incompatible with NSEC3; "
+			      "do not use the -3 option", algname);
+		}
+
+		if (type != NULL && (options & DST_TYPE_KEY) != 0) {
+			if (strcasecmp(type, "NOAUTH") == 0)
+				flags |= DNS_KEYTYPE_NOAUTH;
+			else if (strcasecmp(type, "NOCONF") == 0)
+				flags |= DNS_KEYTYPE_NOCONF;
+			else if (strcasecmp(type, "NOAUTHCONF") == 0)
+				flags |= (DNS_KEYTYPE_NOAUTH |
+					  DNS_KEYTYPE_NOCONF);
+			else if (strcasecmp(type, "AUTHCONF") == 0)
+				/* nothing */;
+			else
+				fatal("invalid type %s", type);
+		}
+
+		if (!oldstyle && prepub > 0) {
+			if (setpub && setact && (activate - prepub) < publish)
+				fatal("Activation and publication dates "
+				      "are closer together than the\n\t"
+				      "prepublication interval.");
 
-	if (strcasecmp(algname, "RSA") == 0) {
-		fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
-				"If you still wish to use RSA (RSAMD5) please "
-				"specify \"-a RSAMD5\"\n");
-		if (freeit != NULL)
-			free(freeit);
-		return (1);
+			if (!setpub && !setact) {
+				setpub = setact = ISC_TRUE;
+				publish = now;
+				activate = now + prepub;
+			} else if (setpub && !setact) {
+				setact = ISC_TRUE;
+				activate = publish + prepub;
+			} else if (setact && !setpub) {
+				setpub = ISC_TRUE;
+				publish = activate - prepub;
+			}
+
+			if ((activate - prepub) < now)
+				fatal("Time until activation is shorter "
+				      "than the\n\tprepublication interval.");
+		}
 	} else {
-		r.base = algname;
-		r.length = strlen(algname);
-		ret = dns_secalg_fromtext(&alg, &r);
-		if (ret != ISC_R_SUCCESS)
-			fatal("unknown algorithm %s", algname);
-		if (alg == DST_ALG_DH)
-			options |= DST_TYPE_KEY;
-	}
+		char keystr[DST_KEY_FORMATSIZE];
+		isc_stdtime_t when;
+		int major, minor;
+
+		if (prepub == -1)
+			prepub = (30 * 86400);
+
+		if (algname != NULL)
+			fatal("-S and -a cannot be used together");
+		if (nametype != NULL)
+			fatal("-S and -n cannot be used together");
+		if (type != NULL)
+			fatal("-S and -t cannot be used together");
+		if (setpub || unsetpub)
+			fatal("-S and -P cannot be used together");
+		if (setact || unsetact)
+			fatal("-S and -A cannot be used together");
+		if (use_nsec3)
+			fatal("-S and -3 cannot be used together");
+		if (oldstyle)
+			fatal("-S and -C cannot be used together");
+		if (genonly)
+			fatal("-S and -G cannot be used together");
 
-	if (use_nsec3 &&
-	    alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
-	    alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 &&
-	    alg != DST_ALG_ECCGOST &&
-	    alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
-		fatal("%s is incompatible with NSEC3; "
-		      "do not use the -3 option", algname);
-	}
+		ret = dst_key_fromnamedfile(predecessor, directory,
+					    DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
+					    mctx, &prevkey);
+		if (ret != ISC_R_SUCCESS)
+			fatal("Invalid keyfile %s: %s",
+			      predecessor, isc_result_totext(ret));
+		if (!dst_key_isprivate(prevkey))
+			fatal("%s is not a private key", predecessor);
+
+		name = dst_key_name(prevkey);
+		alg = dst_key_alg(prevkey);
+		flags = dst_key_flags(prevkey);
+
+		dst_key_format(prevkey, keystr, sizeof(keystr));
+		dst_key_getprivateformat(prevkey, &major, &minor);
+		if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
+			fatal("Key %s has incompatible format version %d.%d\n\t"
+			      "It is not possible to generate a successor key.",
+			      keystr, major, minor);
+
+		ret = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &when);
+		if (ret != ISC_R_SUCCESS)
+			fatal("Key %s has no activation date.\n\t"
+			      "You must use dnssec-settime -A to set one "
+			      "before generating a successor.", keystr);
 
-	if (type != NULL && (options & DST_TYPE_KEY) != 0) {
-		if (strcasecmp(type, "NOAUTH") == 0)
-			flags |= DNS_KEYTYPE_NOAUTH;
-		else if (strcasecmp(type, "NOCONF") == 0)
-			flags |= DNS_KEYTYPE_NOCONF;
-		else if (strcasecmp(type, "NOAUTHCONF") == 0) {
-			flags |= (DNS_KEYTYPE_NOAUTH | DNS_KEYTYPE_NOCONF);
-		}
-		else if (strcasecmp(type, "AUTHCONF") == 0)
-			/* nothing */;
-		else
-			fatal("invalid type %s", type);
+		ret = dst_key_gettime(prevkey, DST_TIME_INACTIVE, &activate);
+		if (ret != ISC_R_SUCCESS)
+			fatal("Key %s has no inactivation date.\n\t"
+			      "You must use dnssec-settime -I to set one "
+			      "before generating a successor.", keystr);
+
+		publish = activate - prepub;
+		if (publish < now)
+			fatal("Key %s becomes inactive\n\t"
+			      "sooner than the prepublication period "
+			      "for the new key ends.\n\t"
+			      "Either change the inactivation date with "
+			      "dnssec-settime -I,\n\t"
+			      "or use the -i option to set a shorter "
+			      "prepublication interval.", keystr);
+
+		ret = dst_key_gettime(prevkey, DST_TIME_DELETE, &when);
+		if (ret != ISC_R_SUCCESS)
+			fprintf(stderr, "%s: WARNING: Key %s has no removal "
+					"date;\n\t it will remain in the zone "
+					"indefinitely after rollover.\n\t "
+					"You can use dnssec-settime -D to "
+					"change this.\n", program, keystr);
+
+		setpub = setact = ISC_TRUE;
 	}
 
 	if (nametype == NULL) {
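Review bot: With `-S`, nothing in the new `else` branch checks `label`, because the `label == NULL` test and the `pkcs11:` prefixing now sit only inside `if (predecessor == NULL)`. The code that associates the key with the HSM object is outside this hunk, but it presumably still needs the label, so running with `-S` and no `-l` would pass a NULL label on. Keeping `if (label == NULL) fatal("the key label was not specified");` and the prefixing block ahead of the `if (predecessor == NULL)` split would cover both paths. The same branch leaves `algname` NULL (it rejects `-a`), while the context line `fatal("a key with algorithm '%s' cannot be a zone key", algname)` in the next hunk formats it with `%s`. It also drops the "extraneous arguments" check for the successor case.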
@@ -429,16 +562,6 @@
 		fatal("a key with algorithm '%s' cannot be a zone key",
 		      algname);
 
-	dns_fixedname_init(&fname);
-	name = dns_fixedname_name(&fname);
-	isc_buffer_init(&buf, argv[isc_commandline_index],
-			strlen(argv[isc_commandline_index]));
-	isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
-	ret = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
-	if (ret != ISC_R_SUCCESS)
-		fatal("invalid key name %s: %s", argv[isc_commandline_index],
-		      isc_result_totext(ret));
-
 	isc_buffer_init(&buf, filename, sizeof(filename) - 1);
 
 	/* associate the key */
@@ -553,6 +676,8 @@
 		      isc_result_totext(ret));
 	printf("%s\n", filename);
 	dst_key_free(&key);
+	if (prevkey != NULL)
+		dst_key_free(&prevkey);
 
 	cleanup_logging(&log);
 	cleanup_entropy(&ectx);
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.8	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.8	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-.\"	$NetBSD: dnssec-keygen.8,v 1.6 2014/03/01 03:24:32 christos Exp $
+.\"	$NetBSD: dnssec-keygen.8,v 1.7 2014/07/08 05:43:37 spz Exp $
 .\"
 .\" Copyright (C) 2004, 2005, 2007-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
@@ -22,11 +22,11 @@
 .\"     Title: dnssec\-keygen
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: June 30, 2000
+.\"      Date: February 06, 2014
 .\"    Manual: BIND9
 .\"    Source: BIND9
 .\"
-.TH "DNSSEC\-KEYGEN" "8" "June 30, 2000" "BIND9" "BIND9"
+.TH "DNSSEC\-KEYGEN" "8" "February 06, 2014" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dnssec-keygen.c,v 1.13 2014/03/01 03:24:32 christos Exp $	*/
+/*	$NetBSD: dnssec-keygen.c,v 1.14 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
  * Portions Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
@@ -60,6 +60,10 @@
 
 #include <dst/dst.h>
 
+#ifdef PKCS11CRYPTO
+#include <pk11/result.h>
+#endif
+
 #include "dnssectool.h"
 
 #define MAX_RSA 4096 /* should be long enough... */
@@ -256,6 +260,9 @@
 	if (argc == 1)
 		usage();
 
+#ifdef PKCS11CRYPTO
+	pk11_result_register();
+#endif
 	dns_result_register();
 
 	isc_commandline_errprint = ISC_FALSE;
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-revoke.8	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-revoke.8	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-.\"	$NetBSD: dnssec-revoke.8,v 1.4 2014/03/01 03:24:32 christos Exp $
+.\"	$NetBSD: dnssec-revoke.8,v 1.5 2014/07/08 05:43:37 spz Exp $
 .\"
 .\" Copyright (C) 2009, 2011, 2014 Internet Systems Consortium, Inc. ("ISC")
 .\" 
@@ -21,11 +21,11 @@
 .\"     Title: dnssec\-revoke
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: June 1, 2009
+.\"      Date: January 15, 2014
 .\"    Manual: BIND9
 .\"    Source: BIND9
 .\"
-.TH "DNSSEC\-REVOKE" "8" "June 1, 2009" "BIND9" "BIND9"
+.TH "DNSSEC\-REVOKE" "8" "January 15, 2014" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-revoke.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-revoke.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dnssec-revoke.c,v 1.6 2014/03/01 03:24:32 christos Exp $	*/
+/*	$NetBSD: dnssec-revoke.c,v 1.7 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
  * Copyright (C) 2009-2012, 2014  Internet Systems Consortium, Inc. ("ISC")
@@ -40,6 +40,10 @@
 
 #include <dst/dst.h>
 
+#ifdef PKCS11CRYPTO
+#include <pk11/result.h>
+#endif
+
 #include "dnssectool.h"
 
 const char *program = "dnssec-revoke";
@@ -105,6 +109,9 @@
 	if (result != ISC_R_SUCCESS)
 		fatal("Out of memory");
 
+#ifdef PKCS11CRYPTO
+	pk11_result_register();
+#endif
 	dns_result_register();
 
 	isc_commandline_errprint = ISC_FALSE;
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-settime.8	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-settime.8	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-.\"	$NetBSD: dnssec-settime.8,v 1.5 2014/03/01 03:24:32 christos Exp $
+.\"	$NetBSD: dnssec-settime.8,v 1.6 2014/07/08 05:43:37 spz Exp $
 .\"
 .\" Copyright (C) 2009-2011, 2014 Internet Systems Consortium, Inc. ("ISC")
 .\" 
@@ -21,11 +21,11 @@
 .\"     Title: dnssec\-settime
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: July 15, 2009
+.\"      Date: February 06, 2014
 .\"    Manual: BIND9
 .\"    Source: BIND9
 .\"
-.TH "DNSSEC\-SETTIME" "8" "July 15, 2009" "BIND9" "BIND9"
+.TH "DNSSEC\-SETTIME" "8" "February 06, 2014" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-settime.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-settime.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dnssec-settime.c,v 1.9 2014/03/01 03:24:32 christos Exp $	*/
+/*	$NetBSD: dnssec-settime.c,v 1.10 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
  * Copyright (C) 2009-2014  Internet Systems Consortium, Inc. ("ISC")
@@ -43,6 +43,10 @@
 
 #include <dst/dst.h>
 
+#ifdef PKCS11CRYPTO
+#include <pk11/result.h>
+#endif
+
 #include "dnssectool.h"
 
 const char *program = "dnssec-settime";
@@ -170,6 +174,9 @@
 
 	setup_logging(verbose, mctx, &log);
 
+#ifdef PKCS11CRYPTO
+	pk11_result_register();
+#endif
 	dns_result_register();
 
 	isc_commandline_errprint = ISC_FALSE;
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-signzone.8	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-signzone.8	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-.\"	$NetBSD: dnssec-signzone.8,v 1.6 2014/03/01 03:24:32 christos Exp $
+.\"	$NetBSD: dnssec-signzone.8,v 1.7 2014/07/08 05:43:37 spz Exp $
 .\"
 .\" Copyright (C) 2004-2009, 2011-2014 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
@@ -22,11 +22,11 @@
 .\"     Title: dnssec\-signzone
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: June 05, 2009
+.\"      Date: February 18, 2014
 .\"    Manual: BIND9
 .\"    Source: BIND9
 .\"
-.TH "DNSSEC\-SIGNZONE" "8" "June 05, 2009" "BIND9" "BIND9"
+.TH "DNSSEC\-SIGNZONE" "8" "February 18, 2014" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dnssec-signzone.c,v 1.12 2014/03/01 22:49:08 christos Exp $	*/
+/*	$NetBSD: dnssec-signzone.c,v 1.13 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
  * Portions Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
@@ -88,6 +88,10 @@
 
 #include <dst/dst.h>
 
+#ifdef PKCS11CRYPTO
+#include <pk11/result.h>
+#endif
+
 #include "dnssectool.h"
 
 #ifndef PATH_MAX
@@ -3138,6 +3142,9 @@
 	if (result != ISC_R_SUCCESS)
 		fatal("out of memory");
 
+#ifdef PKCS11CRYPTO
+	pk11_result_register();
+#endif
 	dns_result_register();
 
 	isc_commandline_errprint = ISC_FALSE;
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-verify.8	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-verify.8	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-.\"	$NetBSD: dnssec-verify.8,v 1.3 2014/03/01 03:24:32 christos Exp $
+.\"	$NetBSD: dnssec-verify.8,v 1.4 2014/07/08 05:43:37 spz Exp $
 .\"
 .\" Copyright (C) 2012, 2014  Internet Systems Consortium, Inc. ("ISC")
 .\"
@@ -21,11 +21,11 @@
 .\"     Title: dnssec\-verify
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: April 12, 2012
+.\"      Date: January 15, 2014
 .\"    Manual: BIND9
 .\"    Source: BIND9
 .\"
-.TH "DNSSEC\-VERIFY" "8" "April 12, 2012" "BIND9" "BIND9"
+.TH "DNSSEC\-VERIFY" "8" "January 15, 2014" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-verify.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-verify.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dnssec-verify.c,v 1.6 2014/03/01 03:24:32 christos Exp $	*/
+/*	$NetBSD: dnssec-verify.c,v 1.7 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
  * Copyright (C) 2012, 2014  Internet Systems Consortium, Inc. ("ISC")
@@ -71,6 +71,10 @@
 
 #include <dst/dst.h>
 
+#ifdef PKCS11CRYPTO
+#include <pk11/result.h>
+#endif
+
 #include "dnssectool.h"
 
 const char *program = "dnssec-verify";
@@ -167,8 +171,8 @@
 #endif
 	char *classname = NULL;
 	dns_rdataclass_t rdclass;
+	char *endp;
 	int ch;
-	char *endp;
 
 #define CMDLINE_FLAGS \
 	"m:o:I:c:E:v:xz"
@@ -201,6 +205,9 @@
 	if (result != ISC_R_SUCCESS)
 		fatal("out of memory");
 
+#ifdef PKCS11CRYPTO
+	pk11_result_register();
+#endif
 	dns_result_register();
 
 	isc_commandline_errprint = ISC_FALSE;
--- a/external/bsd/bind/dist/bin/named/bind9.xsl.h	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/named/bind9.xsl.h	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: bind9.xsl.h,v 1.5 2014/03/01 03:24:32 christos Exp $	*/
+/*	$NetBSD: bind9.xsl.h,v 1.6 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
  * Generated by convertxsl.pl 1.14 2008/07/17 23:43:26 jinmei Exp  
@@ -278,6 +278,13 @@
 	" <div class=\"header\">\n"
 	" <h1>ISC Bind 9 Configuration and Statistics</h1>\n"
 	" </div>\n"
+	" <p>Alternate statistics views: <a href=\"/\">All</a>,\n"
+	" <a href=\"/xml/v3/status\">Status</a>,\n"
+	" <a href=\"/xml/v3/server\">Server</a>,\n"
+	" <a href=\"/xml/v3/zones\">Zones</a>,\n"
+	" <a href=\"/xml/v3/net\">Network</a>,\n"
+	" <a href=\"/xml/v3/tasks\">Tasks</a> and\n"
+	" <a href=\"/xml/v3/mem\">Memory</a></p>\n"
 	" <hr/>\n"
 	" <h2>Server Status</h2>\n"
 	" <table class=\"info\">\n"
--- a/external/bsd/bind/dist/bin/named/client.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/named/client.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: client.c,v 1.9 2014/03/01 03:24:32 christos Exp $	*/
+/*	$NetBSD: client.c,v 1.10 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
  * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
@@ -123,7 +123,7 @@
  */
 #endif
 
-#define SIT_SIZE 24 /* 8 + 4 + 4 + 8 */
+#define SIT_SIZE 24U /* 8 + 4 + 4 + 8 */
 
 /*% nameserver client manager structure */
 struct ns_clientmgr {
@@ -1674,7 +1674,7 @@
 			memset(client->cookie, 0, 8);
 		isc_buffer_forward(buf, (unsigned int)optlen);
 
-		if (optlen == 8)
+		if (optlen == 8U)
 			isc_stats_increment(ns_g_server->nsstats,
 					    dns_nsstatscounter_sitnew);
 		else
--- a/external/bsd/bind/dist/bin/named/controlconf.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/named/controlconf.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: controlconf.c,v 1.8 2014/03/01 22:49:49 christos Exp $	*/
+/*	$NetBSD: controlconf.c,v 1.9 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
  * Copyright (C) 2004-2008, 2011-2014  Internet Systems Consortium, Inc. ("ISC")
@@ -26,6 +26,7 @@
 #include <isc/base64.h>
 #include <isc/buffer.h>
 #include <isc/event.h>
+#include <isc/file.h>
 #include <isc/mem.h>
 #include <isc/net.h>
 #include <isc/netaddr.h>
@@ -825,6 +826,13 @@
 	unsigned int algtype;
 	isc_buffer_t b;
 
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+		      NS_LOGMODULE_CONTROL, ISC_LOG_INFO,
+		      "configuring command channel from '%s'",
+		      ns_g_keyfile);
+	if (! isc_file_exists(ns_g_keyfile))
+		return (ISC_R_FILENOTFOUND);
+
 	CHECK(cfg_parser_create(mctx, ns_g_lctx, &pctx));
 	CHECK(cfg_parse_file(pctx, ns_g_keyfile, &cfg_type_rndckey, &config));
 	CHECK(cfg_map_get(config, "key", &key));
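Review bot: The `isc_file_exists` test ahead of `cfg_parse_file` is a check-then-use on `ns_g_keyfile`: the file can be removed or replaced between the two calls, so the parse call's own error path is still the one that has to be correct. A comment should say the early return is only there to report a missing key file as ISC_R_FILENOTFOUND, for example `/* advisory check only; cfg_parse_file below still handles open failures */`. The early `return` also skips whatever cleanup the CHECK macro jumps to. Nothing is allocated before it in the visible lines, but the function starts outside the hunk, so that should be confirmed.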
--- a/external/bsd/bind/dist/bin/named/include/named/server.h	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/named/include/named/server.h	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: server.h,v 1.7 2014/03/01 03:24:32 christos Exp $	*/
+/*	$NetBSD: server.h,v 1.8 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
  * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
@@ -118,7 +118,7 @@
 	unsigned int		session_keyalg;
 	isc_uint16_t		session_keybits;
 	isc_boolean_t		interface_auto;
-	unsigned char		secret[33];	/*%< Source Identity Token */
+	unsigned char		secret[32];	/*%< Source Identity Token */
 };
 
 #define NS_SERVER_MAGIC			ISC_MAGIC('S','V','E','R')
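Review bot: Shrinking `secret` from 33 to 32 bytes is only safe if every site that fills or reads it sizes the access from the field itself; none of those sites are in this hunk, so a leftover hard-coded 33 or an assumed trailing NUL would now run one byte past the array. The bare `32` is also a magic number shared implicitly with that code. The field comment should state the contract, for example `/*%< Source Identity Token secret: 32 raw bytes, not a C string */` if that is the intent, and users should take the length with `sizeof` on the field.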
--- a/external/bsd/bind/dist/bin/named/interfacemgr.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/named/interfacemgr.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: interfacemgr.c,v 1.7 2014/03/01 03:24:32 christos Exp $	*/
+/*	$NetBSD: interfacemgr.c,v 1.8 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
  * Copyright (C) 2004-2009, 2011-2014  Internet Systems Consortium, Inc. ("ISC")
@@ -106,6 +106,7 @@
 	isc_region_t r;
 	isc_result_t result;
 	struct MSGHDR *rtm;
+	isc_boolean_t done = ISC_TRUE;
 
 	UNUSED(task);
 
@@ -132,8 +133,6 @@
 			      "rtm->rtm_version mismatch (%u != %u) "
 			      "recompile required", rtm->rtm_version,
 			      RTM_VERSION);
-		isc_task_detach(&mgr->task);
-		isc_socket_detach(&mgr->route);
 		ns_interfacemgr_detach(&mgr);
 		isc_event_free(&event);
 		return;
@@ -150,16 +149,24 @@
 		break;
 	}
 
-	/*
-	 * Look for next route event.
-	 */
-	r.base = mgr->buf;
-	r.length = sizeof(mgr->buf);
-	result = isc_socket_recv(mgr->route, &r, 1, mgr->task,
-				 route_event, mgr);
-	if (result != ISC_R_SUCCESS)
+	LOCK(&mgr->lock);
+	if (mgr->route != NULL) {
+		/*
+		 * Look for next route event.
+		 */
+		r.base = mgr->buf;
+		r.length = sizeof(mgr->buf);
+		result = isc_socket_recv(mgr->route, &r, 1, mgr->task,
+					 route_event, mgr);
+		if (result == ISC_R_SUCCESS)
+			done = ISC_FALSE;
+	}
+	UNLOCK(&mgr->lock);
+
+	if (done)
 		ns_interfacemgr_detach(&mgr);
 	isc_event_free(&event);
+	return;
 }
 #endif
 
@@ -245,8 +252,11 @@
 
 		result = isc_socket_recv(mgr->route, &r, 1, mgr->task,
 					 route_event, mgr);
-		if (result != ISC_R_SUCCESS)
+		if (result != ISC_R_SUCCESS) {
+			isc_task_detach(&mgr->task);
+			isc_socket_detach(&mgr->route);
 			ns_interfacemgr_detach(&mgr);
+		}
 	}
 #endif
 	return (ISC_R_SUCCESS);
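Review bot: The new failure branch detaches `mgr->task` and `mgr->route` without holding `mgr->lock`, while the route_event hunk above and the hunk after this one read and clear the same two fields inside `LOCK(&mgr->lock)`. If this branch can only run before any other thread sees `mgr`, the unlocked access is fine, but the enclosing function starts outside the hunk, so that is an assumption and the code should state it: `/* mgr is not yet shared here, so no lock is needed */`. Otherwise the two detach calls should be wrapped in `LOCK(&mgr->lock)` / `UNLOCK(&mgr->lock)` like the other sites.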
@@ -328,8 +338,13 @@
 	 */
 	mgr->generation++;
 #ifdef USE_ROUTE_SOCKET
-	if (mgr->route != NULL)
+	LOCK(&mgr->lock);
+	if (mgr->route != NULL) {
 		isc_socket_cancel(mgr->route, mgr->task, ISC_SOCKCANCEL_RECV);
+		isc_socket_detach(&mgr->route);
+		isc_task_detach(&mgr->task);
+	}
+	UNLOCK(&mgr->lock);
 #endif
 	purge_old_interfaces(mgr);
 }
--- a/external/bsd/bind/dist/bin/named/lwresd.8	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/named/lwresd.8	Tue Jul 08 05:43:37 2014 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: lwresd.8,v 1.3 2012/06/05 00:39:01 christos Exp $
+.\"	$NetBSD: lwresd.8,v 1.4 2014/07/08 05:43:37 spz Exp $
 .\"
-.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007-2009, 2014 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -22,11 +22,11 @@
 .\"     Title: lwresd
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: June 30, 2000
+.\"      Date: January 20, 2009
 .\"    Manual: BIND9
 .\"    Source: BIND9
 .\"
-.TH "LWRESD" "8" "June 30, 2000" "BIND9" "BIND9"
+.TH "LWRESD" "8" "January 20, 2009" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -219,7 +219,7 @@
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007\-2009 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007\-2009, 2014 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000, 2001 Internet Software Consortium.
 .br
--- a/external/bsd/bind/dist/bin/named/main.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/named/main.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: main.c,v 1.13 2014/03/01 03:24:32 christos Exp $	*/
+/*	$NetBSD: main.c,v 1.14 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
  * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
@@ -17,8 +17,6 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* Id: main.c,v 1.187 2012/02/06 23:46:44 tbox Exp  */
-
 /*! \file */
 
 #include <config.h>
@@ -52,9 +50,13 @@
 #include <dns/view.h>
 
 #include <dst/result.h>
+#ifdef PKCS11CRYPTO
+#include <pk11/result.h>
+#endif
 
 #include <dlz/dlz_dlopen_driver.h>
 
+
 /*
  * Defining NS_MAIN provides storage declarations (rather than extern)
  * for variables in named/globals.h.
@@ -414,16 +416,16 @@
 parse_command_line(int argc, char *argv[]) {
 	int ch;
 	int port;
+	const char *p;
 	isc_boolean_t disable6 = ISC_FALSE;
 	isc_boolean_t disable4 = ISC_FALSE;
 
 	save_command_line(argc, argv);
 
 	/* PLEASE keep options synchronized when main is hooked! */
+#define CMDLINE_FLAGS "46c:C:d:D:E:fFgi:lm:n:N:p:P:sS:t:T:U:u:vVx:"
 	isc_commandline_errprint = ISC_FALSE;
-	while ((ch = isc_commandline_parse(argc, argv,
-					   "46c:C:d:D:E:fFgi:lm:n:N:p:P:"
-					   "sS:t:T:U:u:vVx:")) != -1) {
+	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (ch) {
 		case '4':
 			if (disable4)
@@ -612,8 +614,14 @@
 			usage();
 			if (isc_commandline_option == '?')
 				exit(0);
-			ns_main_earlyfatal("unknown option '-%c'",
-					   isc_commandline_option);
+			p = strchr(CMDLINE_FLAGS, isc_commandline_option);
+			if (p == NULL || *++p != ':')
+				ns_main_earlyfatal("unknown option '-%c'",
+						   isc_commandline_option);
+			else
+				ns_main_earlyfatal("option '-%c' requires "
+						   "an argument",
+						   isc_commandline_option);
 			/* FALLTHROUGH */
 		default:
 			ns_main_earlyfatal("parsing options returned %d", ch);
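Review bot: In the new '?' handling, `strchr(CMDLINE_FLAGS, isc_commandline_option)` returns a pointer to the string terminator when the option character is 0, and `*++p` then reads one byte past the end of the literal. Whether isc_commandline_parse can leave a zero there is not visible in this hunk, so a cheap guard is appropriate: `if (isc_commandline_option == 0 || p == NULL || *++p != ':')`. The `CMDLINE_FLAGS` macro introduced in the previous hunk is defined inside parse_command_line and never undefined; an `#undef CMDLINE_FLAGS` after the loop would keep it from leaking into the rest of the file.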
@@ -1133,6 +1141,9 @@
 	dns_result_register();
 	dst_result_register();
 	isccc_result_register();
+#ifdef PKCS11CRYPTO
+	pk11_result_register();
+#endif
 
 	parse_command_line(argc, argv);
 
--- a/external/bsd/bind/dist/bin/named/named.8	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/named/named.8	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-.\"	$NetBSD: named.8,v 1.5 2014/03/01 03:24:32 christos Exp $
+.\"	$NetBSD: named.8,v 1.6 2014/07/08 05:43:37 spz Exp $
 .\"
 .\" Copyright (C) 2004-2009, 2011, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
@@ -22,11 +22,11 @@
 .\"     Title: named
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: May 21, 2009
+.\"      Date: February 19, 2014
 .\"    Manual: BIND9
 .\"    Source: BIND9
 .\"
-.TH "NAMED" "8" "May 21, 2009" "BIND9" "BIND9"
+.TH "NAMED" "8" "February 19, 2014" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
--- a/external/bsd/bind/dist/bin/named/named.conf.5	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/named/named.conf.5	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-.\"	$NetBSD: named.conf.5,v 1.11 2014/03/01 03:24:32 christos Exp $
+.\"	$NetBSD: named.conf.5,v 1.12 2014/07/08 05:43:37 spz Exp $
 .\"
 .\" Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
 .\" 
@@ -21,11 +21,11 @@
 .\"     Title: \fInamed.conf\fR
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Aug 13, 2004
+.\"      Date: January 08, 2014
 .\"    Manual: BIND9
 .\"    Source: BIND9
 .\"
-.TH "\fINAMED.CONF\fR" "5" "Aug 13, 2004" "BIND9" "BIND9"
+.TH "\fINAMED.CONF\fR" "5" "January 08, 2014" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
--- a/external/bsd/bind/dist/bin/named/named.conf.docbook	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/named/named.conf.docbook	Tue Jul 08 05:43:37 2014 +0000
@@ -17,10 +17,9 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- Id: named.conf.docbook,v 1.55 2011/11/07 00:25:53 each Exp  -->
 <refentry>
   <refentryinfo>
-    <date>Aug 13, 2004</date>
+    <date>January 08, 2014</date>
   </refentryinfo>
 
   <refmeta>
--- a/external/bsd/bind/dist/bin/named/named.conf.html	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/named/named.conf.html	Tue Jul 08 05:43:37 2014 +0000
@@ -31,7 +31,7 @@
 <div class="cmdsynopsis"><p><code class="command">named.conf</code> </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543364"></a><h2>DESCRIPTION</h2>
+<a name="id2543362"></a><h2>DESCRIPTION</h2>
 <p><code class="filename">named.conf</code> is the configuration file
       for
       <span><strong class="command">named</strong></span>.  Statements are enclosed
@@ -50,14 +50,14 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543392"></a><h2>ACL</h2>
+<a name="id2543389"></a><h2>ACL</h2>
 <div class="literallayout"><p><br>
 acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 <br>
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543408"></a><h2>KEY</h2>
+<a name="id2543405"></a><h2>KEY</h2>
 <div class="literallayout"><p><br>
 key <em class="replaceable"><code>domain_name</code></em> {<br>
 	algorithm <em class="replaceable"><code>string</code></em>;<br>
@@ -66,7 +66,7 @@
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543427"></a><h2>MASTERS</h2>
+<a name="id2543425"></a><h2>MASTERS</h2>
 <div class="literallayout"><p><br>
 masters <em class="replaceable"><code>string</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
 	( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
@@ -75,7 +75,7 @@
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543473"></a><h2>SERVER</h2>
+<a name="id2543470"></a><h2>SERVER</h2>
 <div class="literallayout"><p><br>
 server ( <em class="replaceable"><code>ipv4_address[<span class="optional">/prefixlen</span>]</code></em> | <em class="replaceable"><code>ipv6_address[<span class="optional">/prefixlen</span>]</code></em> ) {<br>
 	bogus <em class="replaceable"><code>boolean</code></em>;<br>
@@ -97,7 +97,7 @@
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543541"></a><h2>TRUSTED-KEYS</h2>
+<a name="id2543539"></a><h2>TRUSTED-KEYS</h2>
 <div class="literallayout"><p><br>
 trusted-keys {<br>
 	<em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br>
@@ -105,7 +105,7 @@
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543566"></a><h2>MANAGED-KEYS</h2>
+<a name="id2543564"></a><h2>MANAGED-KEYS</h2>
 <div class="literallayout"><p><br>
 managed-keys {<br>
 	<em class="replaceable"><code>domain_name</code></em> <code class="constant">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br>
@@ -113,7 +113,7 @@
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543595"></a><h2>CONTROLS</h2>
+<a name="id2543593"></a><h2>CONTROLS</h2>
 <div class="literallayout"><p><br>
 controls {<br>
 	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
@@ -125,7 +125,7 @@
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543630"></a><h2>LOGGING</h2>
+<a name="id2543628"></a><h2>LOGGING</h2>
 <div class="literallayout"><p><br>
 logging {<br>
 	channel <em class="replaceable"><code>string</code></em> {<br>
@@ -143,7 +143,7 @@
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543669"></a><h2>LWRES</h2>
+<a name="id2543667"></a><h2>LWRES</h2>
 <div class="literallayout"><p><br>
 lwres {<br>
 	listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
@@ -156,7 +156,7 @@
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543710"></a><h2>OPTIONS</h2>
+<a name="id2543708"></a><h2>OPTIONS</h2>
 <div class="literallayout"><p><br>
 options {<br>
 	avoid-v4-udp-ports { <em class="replaceable"><code>port</code></em>; ... };<br>
@@ -362,7 +362,7 @@
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544596"></a><h2>VIEW</h2>
+<a name="id2544594"></a><h2>VIEW</h2>
 <div class="literallayout"><p><br>
 view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
 	match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -527,7 +527,7 @@
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545318"></a><h2>ZONE</h2>
+<a name="id2545316"></a><h2>ZONE</h2>
 <div class="literallayout"><p><br>
 zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
 	type ( master | slave | stub | hint | redirect |<br>
@@ -624,12 +624,12 @@
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545707"></a><h2>FILES</h2>
+<a name="id2545705"></a><h2>FILES</h2>
 <p><code class="filename">/etc/named.conf</code>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545719"></a><h2>SEE ALSO</h2>
+<a name="id2545717"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
--- a/external/bsd/bind/dist/bin/named/query.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/named/query.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: query.c,v 1.15 2014/03/01 22:50:34 christos Exp $	*/
+/*	$NetBSD: query.c,v 1.16 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
  * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
@@ -2303,7 +2303,7 @@
 		     dns64 != NULL; dns64 = dns_dns64_next(dns64)) {
 
 			dns_rdataset_current(rdataset, &rdata);
-			isc__buffer_availableregion(buffer, &r);
+			isc_buffer_availableregion(buffer, &r);
 			INSIST(r.length >= 16);
 			result = dns_dns64_aaaafroma(dns64, &netaddr,
 						     client->signer,
@@ -6077,7 +6077,7 @@
 	dns_fixedname_t fixed;
 	dns_fixedname_t wildcardname;
 	dns_dbversion_t *version, *zversion;
-	dns_zone_t *zone, *raw = NULL, *mayberaw;
+	dns_zone_t *zone;
 	dns_rdata_cname_t cname;
 	dns_rdata_dname_t dname;
 	unsigned int options;
@@ -6608,7 +6608,7 @@
 					 * and set the TTL then.
 					 */
 					if (dns_rdataset_isassociated(rdataset))
-						dns_rdataset_disassociate(rdataset);
+					    dns_rdataset_disassociate(rdataset);
 				} else {
 					/*
 					 * We will add this rdataset.
@@ -7644,8 +7644,11 @@
 				if (rpz_st != NULL)
 					rdataset->ttl = ISC_MIN(rdataset->ttl,
 							    rpz_st->m.ttl);
-				if (!is_zone && RECURSIONOK(client))
-					query_prefetch(client, fname, rdataset);
+				if (!is_zone && RECURSIONOK(client)) {
+					dns_name_t *name;
+					name = (fname != NULL) ? fname : tname;
+					query_prefetch(client, name, rdataset);
+				}
 				query_addrrset(client,
 					       fname != NULL ? &fname : &tname,
 					       &rdataset, NULL,
@@ -7871,25 +7874,33 @@
 		/*
 		 * Return the time to expire for slave zones.
 		 */
-		if (is_zone)
-			dns_zone_getraw(zone, &raw);
-		mayberaw = (raw != NULL) ? raw : zone;
-
-		if (is_zone && qtype == dns_rdatatype_soa &&
-		    (client->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0 &&
-		    client->query.restarts == 0 &&
-		    dns_zone_gettype(mayberaw) == dns_zone_slave) {
-			isc_time_t expiretime;
-			isc_uint32_t secs;
-			dns_zone_getexpiretime(zone, &expiretime);
-			secs = isc_time_seconds(&expiretime);
-			if (secs >= client->now && result == ISC_R_SUCCESS) {
-				client->attributes |= NS_CLIENTATTR_HAVEEXPIRE;
-				client->expire = secs - client->now;
+		if (zone != NULL) {
+			dns_zone_t *raw = NULL, *mayberaw;
+
+			if (is_zone)
+				dns_zone_getraw(zone, &raw);
+			mayberaw = (raw != NULL) ? raw : zone;
+
+			if (is_zone && qtype == dns_rdatatype_soa &&
+			    ((client->attributes &
+			      NS_CLIENTATTR_WANTEXPIRE) != 0) &&
+			    client->query.restarts == 0 &&
+			    dns_zone_gettype(mayberaw) == dns_zone_slave)
+			{
+				isc_time_t expiretime;
+				isc_uint32_t secs;
+				dns_zone_getexpiretime(zone, &expiretime);
+				secs = isc_time_seconds(&expiretime);
+				if (secs >= client->now &&
+				    result == ISC_R_SUCCESS) {
+					client->attributes |=
+						NS_CLIENTATTR_HAVEEXPIRE;
+					client->expire = secs - client->now;
+				}
 			}
-		}
-		if (raw != NULL)
-			dns_zone_detach(&raw);
+			if (raw != NULL)
+				dns_zone_detach(&raw);
+		}
 
 		if (dns64) {
 			qtype = type = dns_rdatatype_aaaa;
--- a/external/bsd/bind/dist/bin/named/server.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/named/server.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: server.c,v 1.16 2014/03/01 22:51:24 christos Exp $	*/
+/*	$NetBSD: server.c,v 1.17 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
  * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
@@ -164,7 +164,7 @@
 				      isc_result_totext(result)); \
 			goto cleanup;				  \
 		}						  \
-	} while (/*CONSTCOND*/0)
+	} while (/*CONSTCOND*/0)				  \
 
 #define CHECKMF(op, msg, file) \
 	do { result = (op);					  \
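Review bot: The backslash added after `} while (/*CONSTCOND*/0)` continues the macro onto the following blank line, so the definition now ends only because that line happens to be empty. CHECKMF and CHECKFATAL in the next hunk get the same trailing backslash. If one of those blank lines is ever removed, the next `#define` line is spliced into the preceding macro body. The closing line of each macro should stay `} while (/*CONSTCOND*/0)` with no continuation character.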
@@ -177,13 +177,13 @@
 				      isc_result_totext(result)); \
 			goto cleanup;				  \
 		}						  \
-	} while (/*CONSTCOND*/0)
+	} while (/*CONSTCOND*/0)				  \
 
 #define CHECKFATAL(op, msg) \
 	do { result = (op);					  \
 	       if (result != ISC_R_SUCCESS)			  \
 			fatal(msg, result);			  \
-	} while (/*CONSTCOND*/0)
+	} while (/*CONSTCOND*/0)				  \
 
 /*%
  * Maximum ADB size for views that share a cache.  Use this limit to suppress
@@ -380,12 +380,12 @@
 
 static isc_result_t
 ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
-			cfg_aclconfctx_t *actx,
-			isc_mem_t *mctx, ns_listenelt_t **target);
+			cfg_aclconfctx_t *actx, isc_mem_t *mctx,
+			isc_uint16_t family, ns_listenelt_t **target);
 static isc_result_t
 ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
-			 cfg_aclconfctx_t *actx,
-			 isc_mem_t *mctx, ns_listenlist_t **target);
+			 cfg_aclconfctx_t *actx, isc_mem_t *mctx,
+			 isc_uint16_t family, ns_listenlist_t **target);
 
 static isc_result_t
 configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
@@ -831,7 +831,7 @@
 		const cfg_obj_t *builtin_managed_keys = NULL;
 
 		isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
-			      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
+			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
 			      "using built-in DLV key for view %s",
 			      view->name);
 
@@ -864,7 +864,7 @@
 		const cfg_obj_t *builtin_managed_keys = NULL;
 
 		isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
-			      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
+			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
 			      "using built-in root key for view %s",
 			      view->name);
 
@@ -1115,7 +1115,11 @@
 	INSIST(cfg_obj_isstring(obj));
 	str = cfg_obj_asstring(obj);
 	if (!strcasecmp(str, "fixed"))
+#if DNS_RDATASET_FIXED
 		mode = DNS_RDATASETATTR_FIXEDORDER;
+#else
+		mode = 0;
+#endif /* DNS_RDATASET_FIXED */
 	else if (!strcasecmp(str, "random"))
 		mode = DNS_RDATASETATTR_RANDOMIZE;
 	else if (!strcasecmp(str, "cyclic"))
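Review bot: When DNS_RDATASET_FIXED is not set, the "fixed" keyword is now accepted and silently turned into `mode = 0`, so an operator who configured fixed ordering gets different behaviour with no indication in the log. A warning in the `#else` arm would make that visible, for example `cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING, "fixed ordering is not compiled in; ignored");` (the message text is a suggestion). Placing `#if`/`#else` inside an unbraced if/else-if chain is also fragile, and adding the log call requires bracing that arm. The enclosing function starts and ends outside the hunk.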
@@ -1895,7 +1899,7 @@
 			result = ISC_R_RANGE;				\
 			goto cleanup;					\
 		    }							\
-	} while (0)
+	} while (/*CONSTCOND*/0)
 
 #define CHECK_RRL_RATE(rate, def, max_rate, name)			\
 	do {								\
@@ -1911,7 +1915,7 @@
 			rrl->rate.r = def;				\
 		}							\
 		rrl->rate.scaled = rrl->rate.r;				\
-	} while (0)
+	} while (/*CONSTCOND*/0)
 
 static isc_result_t
 configure_rrl(dns_view_t *view, const cfg_obj_t *config, const cfg_obj_t *map) {
@@ -3923,17 +3927,18 @@
 	/*
 	 * DSCP value for forwarded requests.
 	 */
-	dscpobj = cfg_tuple_get(forwarders, "dscp");
-	if (!cfg_obj_isuint32(dscpobj))
-		dscp = ns_g_dscp;
-	else {
-		if (cfg_obj_asuint32(dscpobj) > 63) {
-			cfg_obj_log(dscpobj, ns_g_lctx, ISC_LOG_ERROR,
-				    "dscp value '%u' is out of range",
-				    cfg_obj_asuint32(dscpobj));
-			return (ISC_R_RANGE);
-		}
-		dscp = (isc_dscp_t)cfg_obj_asuint32(dscpobj);
+	dscp = ns_g_dscp;
+	if (forwarders != NULL) {
+		dscpobj = cfg_tuple_get(forwarders, "dscp");
+		if (cfg_obj_isuint32(dscpobj)) {
+			if (cfg_obj_asuint32(dscpobj) > 63) {
+				cfg_obj_log(dscpobj, ns_g_lctx, ISC_LOG_ERROR,
+					    "dscp value '%u' is out of range",
+					    cfg_obj_asuint32(dscpobj));
+				return (ISC_R_RANGE);
+			}
+			dscp = (isc_dscp_t)cfg_obj_asuint32(dscpobj);
+		}
 	}
 
 	faddresses = NULL;
@@ -5678,7 +5683,8 @@
 			/* check return code? */
 			(void)ns_listenlist_fromconfig(clistenon, config,
 						       ns_g_aclconfctx,
-						       ns_g_mctx, &listenon);
+						       ns_g_mctx, AF_INET,
+						       &listenon);
 		} else if (!ns_g_lwresdonly) {
 			/*
 			 * Not specified, use default.
@@ -5705,7 +5711,8 @@
 			/* check return code? */
 			(void)ns_listenlist_fromconfig(clistenon, config,
 						       ns_g_aclconfctx,
-						       ns_g_mctx, &listenon);
+						       ns_g_mctx, AF_INET6,
+						       &listenon);
 		} else if (!ns_g_lwresdonly) {
 			/*
 			 * Not specified, use default.
@@ -7347,8 +7354,8 @@
 
 static isc_result_t
 ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
-			 cfg_aclconfctx_t *actx,
-			 isc_mem_t *mctx, ns_listenlist_t **target)
+			 cfg_aclconfctx_t *actx, isc_mem_t *mctx,
+			 isc_uint16_t family, ns_listenlist_t **target)
 {
 	isc_result_t result;
 	const cfg_listelt_t *element;
@@ -7367,7 +7374,7 @@
 		ns_listenelt_t *delt = NULL;
 		const cfg_obj_t *listener = cfg_listelt_value(element);
 		result = ns_listenelt_fromconfig(listener, config, actx,
-						 mctx, &delt);
+						 mctx, family, &delt);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
 		ISC_LIST_APPEND(dlist->elts, delt, link);
@@ -7386,8 +7393,8 @@
  */
 static isc_result_t
 ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
-			cfg_aclconfctx_t *actx,
-			isc_mem_t *mctx, ns_listenelt_t **target)
+			cfg_aclconfctx_t *actx, isc_mem_t *mctx,
+			isc_uint16_t family, ns_listenelt_t **target)
 {
 	isc_result_t result;
 	const cfg_obj_t *portobj, *dscpobj;
@@ -7432,9 +7439,9 @@
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
-	result = cfg_acl_fromconfig(cfg_tuple_get(listener, "acl"),
-				   config, ns_g_lctx, actx, mctx, 0,
-				   &delt->acl);
+	result = cfg_acl_fromconfig2(cfg_tuple_get(listener, "acl"),
+				     config, ns_g_lctx, actx, mctx, 0,
+				     family, &delt->acl);
 	if (result != ISC_R_SUCCESS) {
 		ns_listenelt_destroy(delt);
 		return (result);
@@ -9267,6 +9274,42 @@
 	*cfgp = NULL;
 }
 
+static isc_result_t
+generate_salt(unsigned char *salt, size_t saltlen) {
+	int i, n;
+	union {
+		unsigned char rnd[256];
+		isc_uint32_t rnd32[64];
+	} rnd;
+	unsigned char text[512 + 1];
+	isc_region_t r;
+	isc_buffer_t buf;
+	isc_result_t result;
+
+	if (saltlen > 256U)
+		return (ISC_R_RANGE);
+
+	n = (int) (saltlen + sizeof(isc_uint32_t) - 1) / sizeof(isc_uint32_t);
+	for (i = 0; i < n; i++)
+		isc_random_get(&rnd.rnd32[i]);
+
+	memcpy(salt, rnd.rnd, saltlen);
+
+	r.base = rnd.rnd;
+	r.length = (unsigned int) saltlen;
+
+	isc_buffer_init(&buf, text, sizeof(text));
+	result = isc_hex_totext(&r, 2, "", &buf);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	text[saltlen * 2] = 0;
+
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "generated salt: %s", text);
+
+	return (ISC_R_SUCCESS);
+}
+
 isc_result_t
 ns_server_signing(ns_server_t *server, char *args, isc_buffer_t *text) {
 	isc_result_t result = ISC_R_SUCCESS;
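Review bot: generate_salt has no header comment, and its contract is not obvious from the call site: it rejects lengths above 256, requires `salt` to have room for `saltlen` bytes, and writes the generated value to the log at info level. A short comment above it should state that. The comment should also note that the value is an NSEC3 salt (the caller's comment in the next hunk cites RFC 5155), which is published in the zone, so logging it does not expose a secret. It should record too that the bytes come from `isc_random_get`, whose strength is not visible in this hunk. Separately, the cast in the computation of `n` applies to the sum rather than the quotient; `n = (int)((saltlen + sizeof(isc_uint32_t) - 1) / sizeof(isc_uint32_t));` says what is meant.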
@@ -9336,9 +9379,18 @@
 				return (ISC_R_RANGE);
 
 			ptr = next_token(&args, " \t");
-			if (ptr == NULL)
+			if (ptr == NULL) {
 				return (ISC_R_UNEXPECTEDEND);
-			if (strcmp(ptr, "-") != 0) {
+			} else if (strcasecmp(ptr, "auto") == 0) {
+				/* Auto-generate a random salt.
+				 * XXXMUKS: This currently uses the
+				 * minimum recommended length by RFC
+				 * 5155 (64 bits). It should be made
+				 * configurable.
+				 */
+				saltlen = 8;
+				CHECK(generate_salt(salt, saltlen));
+			} else if (strcmp(ptr, "-") != 0) {
 				isc_buffer_t buf;
 
 				isc_buffer_init(&buf, salt, sizeof(salt));
@@ -9586,7 +9638,8 @@
 					     typebuf, sizeof(typebuf));
 			snprintf(resignbuf, sizeof(resignbuf),
 				     "%s/%s", namebuf, typebuf);
-			isc_time_set(&resigntime, next.resign, 0);
+			isc_time_set(&resigntime, next.resign -
+				dns_zone_getsigresigninginterval(zone), 0);
 			isc_time_formathttptimestamp(&resigntime, rtbuf,
 						     sizeof(rtbuf));
 			dns_rdataset_disassociate(&next);
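Review bot: The subtraction `next.resign - dns_zone_getsigresigninginterval(zone)` has no guard for a resign time smaller than the interval; if both operands are unsigned 32-bit values, as the ISC time types usually are (their declarations are outside this hunk), the result wraps and the formatted timestamp lands far in the future. As far as the hunk shows, the value is only formatted into `rtbuf`, so the effect is a misleading display rather than a change in signing behaviour. Reading the interval once into a local and clamping, `isc_time_set(&resigntime, next.resign > interval ? next.resign - interval : 0, 0);`, would avoid that, and a one-line comment saying why the interval is subtracted from the stored resign time would help the next reader. The enclosing function starts and ends outside the hunk.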
--- a/external/bsd/bind/dist/bin/named/statschannel.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/named/statschannel.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: statschannel.c,v 1.8 2014/03/01 03:24:32 christos Exp $	*/
+/*	$NetBSD: statschannel.c,v 1.9 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
  * Copyright (C) 2008-2014  Internet Systems Consortium, Inc. ("ISC")
@@ -108,7 +108,7 @@
 #define dnssecstats_xmldesc NULL
 #endif	/* HAVE_LIBXML2 */
 
-#define TRY0(a) do { xmlrc = (a); if (xmlrc < 0) goto error; } while(0)
+#define TRY0(a) do { xmlrc = (a); if (xmlrc < 0) goto error; } while(/*CONSTCOND*/0)
 
 /*%
  * Mapping arrays to represent statistics counters in the order of our
@@ -321,6 +321,7 @@
 	SET_RESSTATDESC(sitin, "SIT replies received", "SitIn");
 	SET_RESSTATDESC(sitok, "SIT client cookie ok", "SitClientOk");
 #endif
+	SET_RESSTATDESC(badvers, "bad EDNS version", "BadEDNSVersion");
 
 	INSIST(i == dns_resstatscounter_max);
 
@@ -337,7 +338,7 @@
 		set_desc(dns_adbstats_ ## id, dns_adbstats_max, \
 			 desc, adbstats_desc, xmldesc, adbstats_xmldesc); \
 		adbstats_index[i++] = dns_adbstats_ ## id; \
-	} while (0)
+	} while (/*CONSTCOND*/0)
 	i = 0;
 	SET_ADBSTATDESC(nentries, "Address hash table size", "nentries");
 	SET_ADBSTATDESC(entriescnt, "Addresses in hash table", "entriescnt");
@@ -1421,7 +1422,7 @@
 		result = ISC_R_NOMEMORY;\
 		goto error;\
 	} \
-} while(0)
+} while(/*CONSTCOND*/0)
 
 static void
 wrap_jsonfree(isc_buffer_t *buffer, void *arg) {
--- a/external/bsd/bind/dist/bin/named/unix/dlz_dlopen_driver.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/named/unix/dlz_dlopen_driver.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dlz_dlopen_driver.c,v 1.4 2014/03/01 03:24:32 christos Exp $	*/
+/*	$NetBSD: dlz_dlopen_driver.c,v 1.5 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
- * Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2011-2014  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -83,7 +83,7 @@
 		if ((cd->flags & DNS_SDLZFLAG_THREADSAFE) == 0 && \
 		    cd->in_configure == ISC_FALSE) \
 			UNLOCK(&cd->lock); \
-	} while (/*CONSTCOND*/0)
+	} while (0)
 
 /*
  * Log a message at the given level.
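Review bot: The `/*CONSTCOND*/` lint annotation is removed from this `do { … } while (0)` macro, while the same changeset adds it to the identical locking macros in win32/dlz_dlopen_driver.c and to three macros in statschannel.c. That looks like a local annotation lost in the merge rather than an intended change; keeping `} while (/*CONSTCOND*/0)` here would leave the two driver copies consistent. The macro definition starts outside the hunk.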
@@ -337,6 +337,7 @@
 			   "dlz_dlopen: %s: incorrect driver API version %d, "
 			   "requires %d",
 			   cd->dl_path, cd->version, DLZ_DLOPEN_VERSION);
+		result = ISC_R_FAILURE;
 		goto failed;
 	}
 
--- a/external/bsd/bind/dist/bin/named/unix/os.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/named/unix/os.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: os.c,v 1.6 2014/03/01 03:24:32 christos Exp $	*/
+/*	$NetBSD: os.c,v 1.7 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
  * Copyright (C) 2004-2011, 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
@@ -609,7 +609,7 @@
 }
 
 void
-ns_os_adjustnofile() {
+ns_os_adjustnofile(void) {
 #ifdef HAVE_LINUXTHREADS
 	isc_result_t result;
 	isc_resourcevalue_t newvalue;
--- a/external/bsd/bind/dist/bin/named/win32/dlz_dlopen_driver.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/named/win32/dlz_dlopen_driver.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dlz_dlopen_driver.c,v 1.1.1.4 2014/07/08 04:45:37 spz Exp $	*/
+/*	$NetBSD: dlz_dlopen_driver.c,v 1.2 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
  * Copyright (C) 2011-2014  Internet Systems Consortium, Inc. ("ISC")
@@ -77,14 +77,14 @@
 		if ((cd->flags & DNS_SDLZFLAG_THREADSAFE) == 0 && \
 		    cd->in_configure == ISC_FALSE) \
 			LOCK(&cd->lock); \
-	} while (0)
+	} while (/*CONSTCOND*/0)
 
 #define MAYBE_UNLOCK(cd) \
 	do { \
 		if ((cd->flags & DNS_SDLZFLAG_THREADSAFE) == 0 && \
 		    cd->in_configure == ISC_FALSE) \
 			UNLOCK(&cd->lock); \
-	} while (0)
+	} while (/*CONSTCOND*/0)
 
 /*
  * Log a message at the given level.
--- a/external/bsd/bind/dist/bin/named/win32/ntservice.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/named/win32/ntservice.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: ntservice.c,v 1.4 2013/12/31 20:24:39 christos Exp $	*/
+/*	$NetBSD: ntservice.c,v 1.5 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
- * Copyright (C) 2004, 2006, 2007, 2009, 2011, 2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006, 2007, 2009, 2011, 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -46,7 +46,7 @@
  * Initialize the Service by registering it.
  */
 void
-ntservice_init() {
+ntservice_init(void) {
 	if (!foreground) {
 		/* Register handler with the SCM */
 		hServiceStatus = RegisterServiceCtrlHandler(BIND_SERVICE_NAME,
@@ -66,14 +66,14 @@
 }
 
 void
-ntservice_shutdown() {
+ntservice_shutdown(void) {
 	UpdateSCM(SERVICE_STOPPED);
 }
 /*
  * Routine to check if this is a service or a foreground program
  */
 BOOL
-ntservice_isservice() {
+ntservice_isservice(void) {
 	return(!foreground);
 }
 /*
--- a/external/bsd/bind/dist/bin/named/win32/os.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/named/win32/os.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: os.c,v 1.5 2014/03/01 03:24:33 christos Exp $	*/
+/*	$NetBSD: os.c,v 1.6 2014/07/08 05:43:37 spz Exp $	*/
 
 /*
- * Copyright (C) 2004, 2005, 2007-2009, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009, 2012-2014  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -58,7 +58,7 @@
 	"named requires Windows 2000 Service Pack 2 or later to run correctly";
 
 void
-ns_paths_init() {
+ns_paths_init(void) {
 	if (!Initialized)
 		isc_ntpaths_init();
 
--- a/external/bsd/bind/dist/bin/nsupdate/nsupdate.1	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/nsupdate/nsupdate.1	Tue Jul 08 05:43:37 2014 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: nsupdate.1,v 1.4 2014/03/01 03:24:33 christos Exp $
+.\"	$NetBSD: nsupdate.1,v 1.5 2014/07/08 05:43:38 spz Exp $
 .\"
-.\" Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -22,11 +22,11 @@
 .\"     Title: nsupdate
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Aug 25, 2009
+.\"      Date: April 18, 2014
 .\"    Manual: BIND9
 .\"    Source: BIND9
 .\"
-.TH "NSUPDATE" "1" "Aug 25, 2009" "BIND9" "BIND9"
+.TH "NSUPDATE" "1" "April 18, 2014" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -35,7 +35,7 @@
 nsupdate \- Dynamic DNS update utility
 .SH "SYNOPSIS"
 .HP 9
-\fBnsupdate\fR [\fB\-d\fR] [\fB\-D\fR] [[\fB\-g\fR] | [\fB\-o\fR] | [\fB\-l\fR] | [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-R\ \fR\fB\fIrandomdev\fR\fR] [\fB\-v\fR] [\fB\-T\fR] [\fB\-P\fR] [filename]
+\fBnsupdate\fR [\fB\-d\fR] [\fB\-D\fR] [[\fB\-g\fR] | [\fB\-o\fR] | [\fB\-l\fR] | [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-R\ \fR\fB\fIrandomdev\fR\fR] [\fB\-v\fR] [\fB\-T\fR] [\fB\-P\fR] [\fB\-V\fR] [filename]
 .SH "DESCRIPTION"
 .PP
 \fBnsupdate\fR
@@ -99,7 +99,18 @@
 \fIkeyname\fR
 is the name of the key, and
 \fIsecret\fR
-is the base64 encoded shared secret. Use of the
+is the base64 encoded shared secret.
+\fIhmac\fR
+is the name of the key algorithm; valid choices are
+hmac\-md5,
+hmac\-sha1,
+hmac\-sha224,
+hmac\-sha256,
+hmac\-sha384, or
+hmac\-sha512. If
+\fIhmac\fR
+is not specified, the default is
+hmac\-md5. NOTE: Use of the
 \fB\-y\fR
 option is discouraged because the shared secret is supplied as a command line argument in clear text. This may be visible in the output from
 \fBps\fR(1)
@@ -185,6 +196,10 @@
 \fBnamed\fR. These options may be combined.
 \fBnsupdate\fR
 will exit after the lists are printed.
+.PP
+The \-V option causes
+\fBnsupdate\fR
+to print the version number and exit.
 .SH "INPUT FORMAT"
 .PP
 \fBnsupdate\fR
@@ -245,12 +260,15 @@
 will clear the default ttl.
 .RE
 .PP
-\fBkey\fR {name} {secret}
+\fBkey\fR [hmac:] {keyname} {secret}
 .RS 4
 Specifies that all updates are to be TSIG\-signed using the
 \fIkeyname\fR
-\fIkeysecret\fR
-pair. The
+\fIsecret\fR
+pair. If
+\fIhmac\fR
+is specified, then it sets the signing algorithm in use; the default is
+hmac\-md5. The
 \fBkey\fR
 command overrides any key specified on the command line via
 \fB\-y\fR
@@ -375,6 +393,16 @@
 Turn on debugging.
 .RE
 .PP
+\fBversion\fR
+.RS 4
+Print version number.
+.RE
+.PP
+\fBhelp\fR
+.RS 4
+Print a list of commands.
+.RE
+.PP
 Lines beginning with a semicolon are comments and are ignored.
 .SH "EXAMPLES"
 .PP
@@ -452,7 +480,7 @@
 .PP
 The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases.
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2012 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000\-2003 Internet Software Consortium.
 .br
--- a/external/bsd/bind/dist/bin/nsupdate/nsupdate.c	Tue Jul 08 04:44:50 2014 +0000
+++ b/external/bsd/bind/dist/bin/nsupdate/nsupdate.c	Tue Jul 08 05:43:37 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: nsupdate.c,v 1.10 2014/03/01 22:41:50 christos Exp $	*/
+/*	$NetBSD: nsupdate.c,v 1.11 2014/07/08 05:43:38 spz Exp $	*/
 
 /*
  * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
@@ -964,7 +964,7 @@
 		      host, isc_result_totext(result));
 }
 
-#define PARSE_ARGS_FMT "dDML:y:ghlovk:p:Pr:R::t:Tu:"
+#define PARSE_ARGS_FMT "dDML:y:ghlovk:p:Pr:R::t:Tu:V"
 
 static void
 pre_parse_args(int argc, char **argv) {
@@ -1026,6 +1026,11 @@
 }
 
 static void
+version(void) {
+	fputs("nsupdate " VERSION "\n", stderr);
+}
+
+static void
 parse_args(int argc, char **argv, isc_mem_t *mctx, isc_entropy_t **ectx) {
 	int ch;
 	isc_uint32_t i;
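Review bot: `version()` writes to `stderr`, whereas the interactive `version` and `help` commands added further down in this file (hunks at `@@ -2024,6 +2033,7 @@` and `@@ -2044,6 +2054,10 @@`) write the same string to `stdout`; since `-V` is requested output followed by `exit(0)`, `fputs("nsupdate " VERSION "\n", stdout);` would be consistent and lets scripts capture it. The interactive command repeats the literal through `fprintf(stdout, "nsupdate " VERSION "\n")`, which passes a macro-built string as the format; `fputs` with the same literal avoids that. The `break;` after `exit(0);` in the `case 'V':` hunk is unreachable.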
@@ -1062,6 +1067,10 @@
 		case 'v':
 			usevc = ISC_TRUE;
 			break;
+		case 'V':
+			version();
+			exit(0);
+			break;
 		case 'k':
 			keyfile = isc_commandline_argument;
 			break;
@@ -2024,6 +2033,7 @@
 	}
 	if (strcasecmp(word, "help") == 0) {
 		fprintf(stdout,
+"nsupdate " VERSION ":\n"
 "local address [port]      (set local resolver)\n"
 "server address [port]     (set master server for zone)\n"
 "send                      (send the update request)\n"
@@ -2044,6 +2054,10 @@
 "[update] del[ete] ....    (remove the given record(s) from the zone)\n");
 		return (STATUS_MORE);
 	}
+	if (strcasecmp(word, "version") == 0) {
+		fprintf(stdout, "nsupdate " VERSION "\n");
+		return (STATUS_MORE);
+	}
 	fprintf(stderr, "incorrect section name: %s\n", word);
 	return (STATUS_SYNTAX);
 }
@@ -2123,12 +2137,12 @@
 	if (tsig.error != 0) {
 		if (isc_buffer_remaininglength(b) < 1)
 		      check_result(ISC_R_NOSPACE, "isc_buffer_remaininglength");
-		isc__buffer_putstr(b, "(" /*)*/);
+		isc_buffer_putstr(b, "(" /*)*/);
 		result = dns_tsigrcode_totext(tsig.error, b);
 		check_result(result, "dns_tsigrcode_totext");
 		if (isc_buffer_remaininglength(b) < 1)
 		      check_result(ISC_R_NOSPACE, "isc_buffer_remaininglength");
-		isc__buffer_putstr(b,  /*(*/ ")");
+		isc_buffer_putstr(b,  /*(*/ ")");
 	}
 }
 
--- a/external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1f-patch	Tue Jul 08 04:44:50 2014 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,15784 +0,0 @@
-Index: openssl/Configure
-diff -u openssl/Configure:1.9.2.1.2.1.2.1.2.1.2.1 openssl/Configure:1.14
---- openssl/Configure:1.9.2.1.2.1.2.1.2.1.2.1	Tue Jan  7 09:44:50 2014
-+++ openssl/Configure	Tue Jan  7 09:46:34 2014
-@@ -10,7 +10,7 @@
- 
- # see INSTALL for instructions.
- 
--my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
-+my $usage="Usage: Configure --pk11-libname=PK11_LIB_LOCATION --pk11-flavor=FLAVOR [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
- 
- # Options:
- #
-@@ -23,6 +23,12 @@
- #               default).  This needn't be set in advance, you can
- #               just as well use "make INSTALL_PREFIX=/whatever install".
- #
-+# --pk11-libname  PKCS#11 library name.
-+#               (No default)
-+#
-+# --pk11-flavor either crypto-accelerator or sign-only
-+#               (No default)
-+#
- # --with-krb5-dir  Declare where Kerberos 5 lives.  The libraries are expected
- #		to live in the subdirectory lib/ and the header files in
- #		include/.  A value is required.
-@@ -352,7 +358,7 @@
- "linux-armv4",	"gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- #### IA-32 targets...
- "linux-ia32-icc",	"icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT -pthread::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
- ####
- "linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-@@ -360,7 +366,7 @@
- "linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT -pthread::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
- "linux64-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
- #### So called "highgprs" target for z/Architecture CPUs
- # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
-@@ -657,6 +663,10 @@
- my $idx_arflags = $idx++;
- my $idx_multilib = $idx++;
- 
-+# PKCS#11 engine patch
-+my $pk11_libname="";
-+my $pk11_flavor="";
-+
- my $prefix="";
- my $libdir="";
- my $openssldir="";
-@@ -876,6 +886,14 @@
- 				$_ =~ s/%([0-9a-f]{1,2})/chr(hex($1))/gei;
- 				$flags.=$_." ";
- 				}
-+			elsif (/^--pk11-libname=(.*)$/)
-+				{
-+				$pk11_libname=$1;
-+				}
-+			elsif (/^--pk11-flavor=(.*)$/)
-+				{
-+				$pk11_flavor=$1;
-+				}
- 			elsif (/^--prefix=(.*)$/)
- 				{
- 				$prefix=$1;
-@@ -1043,6 +1061,22 @@
- 	exit 0;
- }
- 
-+if (! $pk11_libname)
-+        {
-+        print STDERR "You must set --pk11-libname for PKCS#11 library.\n";
-+        print STDERR "See README.pkcs11 for more information.\n";
-+        exit 1;
-+        }
-+
-+if (! $pk11_flavor
-+    || !($pk11_flavor eq "crypto-accelerator" || $pk11_flavor eq "sign-only"))
-+	{
-+	print STDERR "You must set --pk11-flavor.\n";
-+	print STDERR "Choices are crypto-accelerator and sign-only.\n";
-+	print STDERR "See README.pkcs11 for more information.\n";
-+	exit 1;
-+	}
-+
- if ($target =~ m/^CygWin32(-.*)$/) {
- 	$target = "Cygwin".$1;
- }
-@@ -1120,6 +1154,25 @@
- 	$exp_cflags .= " -DOPENSSL_EXPERIMENTAL_$ALGO";
- 	}
- 
-+if ($pk11_flavor eq "crypto-accelerator")
-+	{
-+	$openssl_other_defines .= "#define OPENSSL_NO_HW_PKCS11SO\n";
-+	$default_depflags .= " -DOPENSSL_NO_HW_PKCS11SO";
-+	$depflags .= " -DOPENSSL_NO_HW_PKCS11SO";
-+	$options .= " no-hw-pkcs11so";
-+	print "    no-hw-pkcs11so  [pk11-flavor]";
-+	print " OPENSSL_NO_HW_PKCS11SO\n";
-+	}
-+else
-+	{
-+	$openssl_other_defines .= "#define OPENSSL_NO_HW_PKCS11CA\n";
-+	$default_depflags .= " -DOPENSSL_NO_HW_PKCS11CA";
-+	$depflags .= " -DOPENSSL_NO_HW_PKCS11CA";
-+	$options .= " no-hw-pkcs11ca";
-+	print "    no-hw-pkcs11ca  [pk11-flavor]";
-+	print " OPENSSL_NO_HW_PKCS11CA\n";
-+}
-+
- my $IsMK1MF=scalar grep /^$target$/,@MK1MF_Builds;
- 
- $exe_ext=".exe" if ($target eq "Cygwin" || $target eq "DJGPP" || $target =~ /^mingw/);
-@@ -1209,6 +1262,8 @@
- if ($flags ne "")	{ $cflags="$flags$cflags"; }
- else			{ $no_user_cflags=1;       }
- 
-+$cflags="-DPK11_LIB_LOCATION=\"$pk11_libname\" $cflags";
-+
- # Kerberos settings.  The flavor must be provided from outside, either through
- # the script "config" or manually.
- if (!$no_krb5)
-@@ -1598,6 +1653,7 @@
- 	s/^VERSION=.*/VERSION=$version/;
- 	s/^MAJOR=.*/MAJOR=$major/;
- 	s/^MINOR=.*/MINOR=$minor/;
-+	s/^PK11_LIB_LOCATION=.*/PK11_LIB_LOCATION=$pk11_libname/;
- 	s/^SHLIB_VERSION_NUMBER=.*/SHLIB_VERSION_NUMBER=$shlib_version_number/;
- 	s/^SHLIB_VERSION_HISTORY=.*/SHLIB_VERSION_HISTORY=$shlib_version_history/;
- 	s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=$shlib_major/;
-Index: openssl/Makefile.org
-diff -u openssl/Makefile.org:1.5.2.1.2.1.2.1.2.1.2.1 openssl/Makefile.org:1.9
---- openssl/Makefile.org:1.5.2.1.2.1.2.1.2.1.2.1	Tue Jan  7 09:44:51 2014
-+++ openssl/Makefile.org	Tue Jan  7 09:46:34 2014
-@@ -26,6 +26,9 @@
- INSTALL_PREFIX=
- INSTALLTOP=/usr/local/ssl
- 
-+# You must set this through --pk11-libname configure option.
-+PK11_LIB_LOCATION=
-+
- # Do not edit this manually. Use Configure --openssldir=DIR do change this!
- OPENSSLDIR=/usr/local/ssl
- 
-Index: openssl/README.pkcs11
-diff -u /dev/null openssl/README.pkcs11:1.8
---- /dev/null	Tue Jan  7 11:14:50 2014
-+++ openssl/README.pkcs11	Fri Oct  4 14:16:43 2013
-@@ -0,0 +1,266 @@
-+ISC modified
-+============
-+
-+The previous key naming scheme was kept for backward compatibility.
-+
-+The PKCS#11 engine exists in two flavors, crypto-accelerator and
-+sign-only. The first one is from the Solaris patch and uses the
-+PKCS#11 device for all crypto operations it supports. The second
-+is a stripped down version which provides only the useful
-+function (i.e., signature with a RSA private key in the device
-+protected key store and key loading).
-+
-+As a hint PKCS#11 boards should use the crypto-accelerator flavor,
-+external PKCS#11 devices the sign-only. SCA 6000 is an example
-+of the first, AEP Keyper of the second.
-+
-+Note it is mandatory to set a pk11-flavor (and only one) in
-+config/Configure.
-+
-+It is highly recommended to compile in (vs. as a DSO) the engine.
-+The way to configure this is system dependent, on Unixes it is no-shared
-+(and is in general the default), on WIN32 it is enable-static-engine
-+(and still enable to build the OpenSSL libraries as DLLs).
-+
-+PKCS#11 engine support for OpenSSL 0.9.8l
-+=========================================
-+
-+[Nov 19, 2009]
-+
-+Contents:
-+
-+Overview
-+Revisions of the patch for 0.9.8 branch
-+FAQs
-+Feedback
-+
-+Overview
-+========
-+
-+This patch containing code available in OpenSolaris adds support for PKCS#11
-+engine into OpenSSL and implements PKCS#11 v2.20. It is to be applied against
-+OpenSSL 0.9.8l source code distribution as shipped by OpenSSL.Org. Your system
-+must provide PKCS#11 backend otherwise the patch is useless. You provide the
-+PKCS#11 library name during the build configuration phase, see below.
-+
-+Patch can be applied like this:
-+
-+	# NOTE: use gtar if on Solaris
-+	tar xfzv openssl-0.9.8l.tar.gz
-+	# now download the patch to the current directory
-+	# ...
-+	cd openssl-0.9.8l
-+	# NOTE: must use gpatch if on Solaris (is part of the system)
-+	patch -p1 < path-to/pkcs11_engine-0.9.8l.patch.2009-11-19
-+
-+It is designed to support pure acceleration for RSA, DSA, DH and all the
-+symetric ciphers and message digest algorithms that PKCS#11 and OpenSSL share
-+except for missing support for patented algorithms MDC2, RC3, RC5 and IDEA.
-+
-+According to the PKCS#11 providers installed on your machine, it can support
-+following mechanisms:
-+
-+	RSA, DSA, DH, RAND, DES-CBC, DES-EDE3-CBC, DES-ECB, DES-EDE3, RC4,
-+	AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-ECB, AES-192-ECB,
-+	AES-256-ECB, AES-128-CTR, AES-192-CTR, AES-256-CTR, MD5, SHA1, SHA224,
-+	SHA256, SHA384, SHA512
-+
-+Note that for AES counter mode the application must provide their own EVP
-+functions since OpenSSL doesn't support counter mode through EVP yet. You may
-+see OpenSSH source code (cipher.c) to get the idea how to do that. SunSSH is an
-+example of code that uses the PKCS#11 engine and deals with the fork-safety
-+problem (see engine.c and packet.c files if interested).
-+
-+You must provide the location of PKCS#11 library in your system to the
-+configure script. You will be instructed to do that when you try to run the
-+config script:
-+
-+	$ ./config 
-+	Operating system: i86pc-whatever-solaris2
-+	Configuring for solaris-x86-cc
-+	You must set --pk11-libname for PKCS#11 library.
-+	See README.pkcs11 for more information.
-+
-+Taking openCryptoki project on Linux AMD64 box as an example, you would run
-+configure script like this:
-+
-+	./config --pk11-libname=/usr/lib64/pkcs11/PKCS11_API.so
-+
-+To check whether newly built openssl really supports PKCS#11 it's enough to run
-+"apps/openssl engine" and look for "(pkcs11) PKCS #11 engine support" in the
-+output. If you see no PKCS#11 engine support check that the built openssl binary
-+and the PKCS#11 library from --pk11-libname don't conflict on 32/64 bits.
-+
-+The patch, during various phases of development, was tested on Solaris against
-+PKCS#11 engine available from Solaris Cryptographic Framework (Solaris 10 and
-+OpenSolaris) and also on Linux using PKCS#11 libraries from openCryptoki project
-+(see openCryptoki website http://sourceforge.net/projects/opencryptoki for more
-+information). Some Linux distributions even ship those libraries with the
-+system. The patch should work on any system that is supported by OpenSSL itself
-+and has functional PKCS#11 library.
-+
-+The patch contains "RSA Security Inc. PKCS #11 Cryptographic Token Interface
-+(Cryptoki)" - files cryptoki.h, pkcs11.h, pkcs11f.h and pkcs11t.h which are
-+copyrighted by RSA Security Inc., see pkcs11.h for more information.
-+
-+Other added/modified code in this patch is copyrighted by Sun Microsystems,
-+Inc. and is released under the OpenSSL license (see LICENSE file for more
-+information).
-+
-+Revisions of the patch for 0.9.8 branch
-+=======================================
-+
-+2009-11-19
-+- adjusted for OpenSSL version 0.9.8l
-+
-+- bugs and RFEs:
-+
-+	6479874 OpenSSL should support RSA key by reference/hardware keystores
-+	6896677 PKCS#11 engine's hw_pk11_err.h needs to be split
-+	6732677 make check to trigger Solaris specific code automatic in the
-+		PKCS#11 engine
-+
-+2009-03-11
-+- adjusted for OpenSSL version 0.9.8j 
-+
-+- README.pkcs11 moved out of the patch, and is shipped together with it in a
-+  tarball instead so that it can be read before the patch is applied.
-+
-+- fixed bugs:
-+
-+	6804216 pkcs#11 engine should support a key length range for RC4
-+	6734038 Apache SSL web server using the pkcs11 engine fails to start if
-+		meta slot is disabled
-+
-+2008-12-02
-+- fixed bugs and RFEs (most of the work done by Vladimir Kotal)
-+
-+	6723504 more granular locking in PKCS#11 engine
-+	6667128 CRYPTO_LOCK_PK11_ENGINE assumption does not hold true
-+	6710420 PKCS#11 engine source should be lint clean
-+	6747327 PKCS#11 engine atfork handlers need to be aware of guys who take
-+		it seriously
-+	6746712 PKCS#11 engine source code should be cstyle clean
-+	6731380 return codes of several functions are not checked in the PKCS#11
-+		engine code
-+	6746735 PKCS#11 engine should use extended FILE space API
-+	6734038 Apache SSL web server using the pkcs11 engine fails to start if
-+		meta slot is disabled
-+
-+2008-08-01
-+- fixed bug
-+
-+	6731839 OpenSSL PKCS#11 engine no longer uses n2cp for symmetric ciphers
-+		and digests
-+
-+- Solaris specific code for slot selection made automatic
-+
-+2008-07-29
-+- update the patch to OpenSSL 0.9.8h version
-+- pkcs11t.h updated to the latest version:
-+
-+	6545665 make CKM_AES_CTR available to non-kernel users
-+
-+- fixed bugs in the engine code:
-+
-+	6602801 PK11_SESSION cache has to employ reference counting scheme for
-+		asymmetric key operations
-+	6605538 pkcs11 functions C_FindObjects[{Init,Final}]() not called
-+		atomically
-+	6607307 pkcs#11 engine can't read RSA private keys
-+	6652362 pk11_RSA_finish() is cutting corners
-+	6662112 pk11_destroy_{rsa,dsa,dh}_key_objects() use locking in
-+		suboptimal way
-+	6666625 pk11_destroy_{rsa,dsa,dh}_key_objects() should be more
-+		resilient to destroy failures
-+	6667273 OpenSSL engine should not use free() but OPENSSL_free()
-+	6670363 PKCS#11 engine fails to reuse existing symmetric keys
-+	6678135 memory corruption in pk11_DH_generate_key() in pkcs#11 engine
-+	6678503 DSA signature conversion in pk11_dsa_do_verify() ignores size
-+		of big numbers leading to failures
-+	6706562 pk11_DH_compute_key() returns 0 in case of failure instead of
-+		-1
-+	6706622 pk11_load_{pub,priv}key create corrupted RSA key references
-+	6707129 return values from BN_new() in pk11_DH_generate_key() are not
-+		checked
-+	6707274 DSA/RSA/DH PKCS#11 engine operations need to be resistant to
-+		structure reuse
-+	6707782 OpenSSL PKCS#11 engine pretends to be aware of
-+		OPENSSL_NO_{RSA,DSA,DH}
-+	defines but fails miserably
-+	6709966 make check_new_*() to return values to indicate cache hit/miss
-+	6705200 pk11_dh struct initialization in PKCS#11 engine is missing
-+		generate_params parameter
-+	6709513 PKCS#11 engine sets IV length even for ECB modes
-+	6728296 buffer length not initialized for C_(En|De)crypt_Final() in the
-+		PKCS#11 engine
-+	6728871 PKCS#11 engine must reset global_session in pk11_finish()
-+
-+- new features and enhancements:
-+
-+	6562155 OpenSSL pkcs#11 engine needs support for SHA224/256/384/512
-+	6685012 OpenSSL pkcs#11 engine needs support for new cipher modes
-+	6725903 OpenSSL PKCS#11 engine shouldn't use soft token for symmetric
-+		ciphers and digests
-+
-+2007-10-15
-+- update for 0.9.8f version
-+- update for "6607670 teach pkcs#11 engine how to use keys be reference"
-+
-+2007-10-02
-+- draft for "6607670 teach pkcs#11 engine how to use keys be reference"
-+- draft for "6607307 pkcs#11 engine can't read RSA private keys"
-+
-+2007-09-26
-+- 6375348 Using pkcs11 as the SSLCryptoDevice with Apache/OpenSSL causes
-+	  significant performance drop
-+- 6573196 memory is leaked when OpenSSL is used with PKCS#11 engine
-+
-+2007-05-25
-+- 6558630 race in OpenSSL pkcs11 engine when using symetric block ciphers
-+
-+2007-05-19
-+- initial patch for 0.9.8e using latest OpenSolaris code
-+
-+FAQs
-+====
-+
-+(1) my build failed on Linux distro with this error:
-+
-+../libcrypto.a(hw_pk11.o): In function `pk11_library_init':
-+hw_pk11.c:(.text+0x20f5): undefined reference to `pthread_atfork'
-+
-+Answer:
-+
-+	- don't use "no-threads" when configuring
-+	- if you didn't then OpenSSL failed to create a threaded library by
-+	  default. You may manually edit Configure and try again. Look for the
-+	  architecture that Configure printed, for example:
-+
-+Configured for linux-elf.
-+
-+	- then edit Configure, find string "linux-elf" (inluding the quotes),
-+	  and add flags to support threads to the 4th column of the 2nd string.
-+	  If you build with GCC then adding "-pthread" should be enough. With
-+	  "linux-elf" as an example, you would add " -pthread" right after
-+	  "-D_REENTRANT", like this:
-+
-+....-O3 -fomit-frame-pointer -Wall::-D_REENTRANT -pthread::-ldl:.....
-+
-+(2) I'm using MinGW/MSYS environment and get undeclared reference error for
-+pthread_atfork() function when trying to build OpenSSL with the patch.
-+
-+Answer:
-+
-+	Sorry, pthread_atfork() is not implemented in the current pthread-win32
-+	(as of Nov 2009). You can not use the patch there.
-+
-+
-+Feedback
-+========
-+
-+Please send feedback to security-discuss@opensolaris.org. The patch was
-+created by Jan.Pechanec@Sun.COM from code available in OpenSolaris.
-+
-+Latest version should be always available on http://blogs.sun.com/janp.
-+
-Index: openssl/crypto/opensslconf.h
-diff -u openssl/crypto/opensslconf.h:1.6.2.1.4.1 openssl/crypto/opensslconf.h:1.7
---- openssl/crypto/opensslconf.h:1.6.2.1.4.1	Tue Jun 19 15:29:49 2012
-+++ openssl/crypto/opensslconf.h	Tue Jun 19 16:17:51 2012
-@@ -35,6 +35,9 @@
- 
- #endif /* OPENSSL_DOING_MAKEDEPEND */
- 
-+#ifndef OPENSSL_THREADS
-+# define OPENSSL_THREADS
-+#endif
- #ifndef OPENSSL_NO_DYNAMIC_ENGINE
- # define OPENSSL_NO_DYNAMIC_ENGINE
- #endif
-@@ -73,6 +76,8 @@
- # endif
- #endif
- 
-+#define OPENSSL_CPUID_OBJ
-+
- /* crypto/opensslconf.h.in */
- 
- /* Generate 80386 code? */
-@@ -119,7 +124,7 @@
-  * This enables code handling data aligned at natural CPU word
-  * boundary. See crypto/rc4/rc4_enc.c for further details.
-  */
--#undef RC4_CHUNK
-+#define RC4_CHUNK unsigned long
- #endif
- #endif
- 
-@@ -127,7 +132,7 @@
- /* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
-  * %20 speed up (longs are 8 bytes, int's are 4). */
- #ifndef DES_LONG
--#define DES_LONG unsigned long
-+#define DES_LONG unsigned int
- #endif
- #endif
- 
-@@ -138,9 +143,9 @@
- /* Should we define BN_DIV2W here? */
- 
- /* Only one for the following should be defined */
--#undef SIXTY_FOUR_BIT_LONG
-+#define SIXTY_FOUR_BIT_LONG
- #undef SIXTY_FOUR_BIT
--#define THIRTY_TWO_BIT
-+#undef THIRTY_TWO_BIT
- #endif
- 
- #if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
-@@ -152,7 +157,7 @@
- 
- #if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
- #define CONFIG_HEADER_BF_LOCL_H
--#undef BF_PTR
-+#define BF_PTR2
- #endif /* HEADER_BF_LOCL_H */
- 
- #if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-@@ -182,7 +187,7 @@
- /* Unroll the inner loop, this sometimes helps, sometimes hinders.
-  * Very mucy CPU dependant */
- #ifndef DES_UNROLL
--#undef DES_UNROLL
-+#define DES_UNROLL
- #endif
- 
- /* These default values were supplied by
-Index: openssl/crypto/bio/bss_file.c
-diff -u openssl/crypto/bio/bss_file.c:1.6.2.1 openssl/crypto/bio/bss_file.c:1.6
---- openssl/crypto/bio/bss_file.c:1.6.2.1	Sun Jan 15 16:09:44 2012
-+++ openssl/crypto/bio/bss_file.c	Mon Jun 13 17:13:31 2011
-@@ -168,7 +168,7 @@
- 		{
- 		SYSerr(SYS_F_FOPEN,get_last_sys_error());
- 		ERR_add_error_data(5,"fopen('",filename,"','",mode,"')");
--		if (errno == ENOENT)
-+		if ((errno == ENOENT) || ((*mode == 'r') && (errno == EACCES)))
- 			BIOerr(BIO_F_BIO_NEW_FILE,BIO_R_NO_SUCH_FILE);
- 		else
- 			BIOerr(BIO_F_BIO_NEW_FILE,ERR_R_SYS_LIB);
-Index: openssl/crypto/engine/Makefile
-diff -u openssl/crypto/engine/Makefile:1.8.2.1.4.1 openssl/crypto/engine/Makefile:1.9
---- openssl/crypto/engine/Makefile:1.8.2.1.4.1	Tue Jun 19 15:30:00 2012
-+++ openssl/crypto/engine/Makefile	Tue Jun 19 16:18:00 2012
-@@ -22,13 +22,15 @@
- 	tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c \
- 	tb_cipher.c tb_digest.c tb_pkmeth.c tb_asnmth.c \
- 	eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c \
--	eng_rsax.c eng_rdrand.c
-+	eng_rsax.c eng_rdrand.c \
-+	hw_pk11.c hw_pk11_pub.c hw_pk11so.c hw_pk11so_pub.c
- LIBOBJ= eng_err.o eng_lib.o eng_list.o eng_init.o eng_ctrl.o \
- 	eng_table.o eng_pkey.o eng_fat.o eng_all.o \
- 	tb_rsa.o tb_dsa.o tb_ecdsa.o tb_dh.o tb_ecdh.o tb_rand.o tb_store.o \
- 	tb_cipher.o tb_digest.o tb_pkmeth.o tb_asnmth.o \
- 	eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o \
--	eng_rsax.o eng_rdrand.o
-+	eng_rsax.o eng_rdrand.o \
-+	hw_pk11.o hw_pk11_pub.o hw_pk11so.o hw_pk11so_pub.o
- 
- SRC= $(LIBSRC)
- 
-@@ -294,6 +296,83 @@
- eng_table.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
- eng_table.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h
- eng_table.o: eng_table.c
-+hw_pk11.o: ../../e_os.h ../../include/openssl/aes.h
-+hw_pk11.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+hw_pk11.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-+hw_pk11.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
-+hw_pk11.o: ../../include/openssl/dsa.h ../../include/openssl/dso.h
-+hw_pk11.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-+hw_pk11.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
-+hw_pk11.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-+hw_pk11.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-+hw_pk11.o: ../../include/openssl/md5.h ../../include/openssl/obj_mac.h
-+hw_pk11.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-+hw_pk11.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-+hw_pk11.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
-+hw_pk11.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-+hw_pk11.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-+hw_pk11.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-+hw_pk11.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-+hw_pk11.o: ../../include/openssl/x509_vfy.h ../cryptlib.h cryptoki.h hw_pk11.c
-+hw_pk11.o: hw_pk11_err.c hw_pk11_err.h hw_pk11ca.h pkcs11.h pkcs11f.h pkcs11t.h
-+hw_pk11_pub.o: ../../e_os.h ../../include/openssl/asn1.h
-+hw_pk11_pub.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-+hw_pk11_pub.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-+hw_pk11_pub.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-+hw_pk11_pub.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
-+hw_pk11_pub.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-+hw_pk11_pub.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
-+hw_pk11_pub.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-+hw_pk11_pub.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-+hw_pk11_pub.o: ../../include/openssl/objects.h
-+hw_pk11_pub.o: ../../include/openssl/opensslconf.h
-+hw_pk11_pub.o: ../../include/openssl/opensslv.h
-+hw_pk11_pub.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
-+hw_pk11_pub.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
-+hw_pk11_pub.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
-+hw_pk11_pub.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-+hw_pk11_pub.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-+hw_pk11_pub.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-+hw_pk11_pub.o: ../cryptlib.h cryptoki.h hw_pk11_err.h hw_pk11_pub.c hw_pk11ca.h
-+hw_pk11_pub.o: pkcs11.h pkcs11f.h pkcs11t.h
-+hw_pk11so.o: ../../e_os.h ../../include/openssl/asn1.h
-+hw_pk11so.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-+hw_pk11so.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-+hw_pk11so.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
-+hw_pk11so.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-+hw_pk11so.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
-+hw_pk11so.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-+hw_pk11so.o: ../../include/openssl/lhash.h ../../include/openssl/md5.h
-+hw_pk11so.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-+hw_pk11so.o: ../../include/openssl/opensslconf.h
-+hw_pk11so.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-+hw_pk11so.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
-+hw_pk11so.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-+hw_pk11so.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-+hw_pk11so.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-+hw_pk11so.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-+hw_pk11so.o: ../../include/openssl/x509_vfy.h ../cryptlib.h cryptoki.h
-+hw_pk11so.o: hw_pk11_err.c hw_pk11_err.h hw_pk11so.c hw_pk11so.h pkcs11.h
-+hw_pk11so.o: pkcs11f.h pkcs11t.h
-+hw_pk11so_pub.o: ../../e_os.h ../../include/openssl/asn1.h
-+hw_pk11so_pub.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-+hw_pk11so_pub.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-+hw_pk11so_pub.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
-+hw_pk11so_pub.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-+hw_pk11so_pub.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
-+hw_pk11so_pub.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-+hw_pk11so_pub.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-+hw_pk11so_pub.o: ../../include/openssl/objects.h
-+hw_pk11so_pub.o: ../../include/openssl/opensslconf.h
-+hw_pk11so_pub.o: ../../include/openssl/opensslv.h
-+hw_pk11so_pub.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
-+hw_pk11so_pub.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
-+hw_pk11so_pub.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
-+hw_pk11so_pub.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-+hw_pk11so_pub.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-+hw_pk11so_pub.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-+hw_pk11so_pub.o: ../cryptlib.h cryptoki.h hw_pk11_err.h hw_pk11so.h
-+hw_pk11so_pub.o: hw_pk11so_pub.c pkcs11.h pkcs11f.h pkcs11t.h
- tb_asnmth.o: ../../e_os.h ../../include/openssl/asn1.h
- tb_asnmth.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
- tb_asnmth.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-Index: openssl/crypto/engine/cryptoki.h
-diff -u /dev/null openssl/crypto/engine/cryptoki.h:1.4
---- /dev/null	Tue Jan  7 11:14:51 2014
-+++ openssl/crypto/engine/cryptoki.h	Thu Dec 18 00:14:12 2008
-@@ -0,0 +1,103 @@
-+/*
-+ * CDDL HEADER START
-+ *
-+ * The contents of this file are subject to the terms of the
-+ * Common Development and Distribution License, Version 1.0 only
-+ * (the "License").  You may not use this file except in compliance
-+ * with the License.
-+ *
-+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-+ * or http://www.opensolaris.org/os/licensing.
-+ * See the License for the specific language governing permissions
-+ * and limitations under the License.
-+ *
-+ * When distributing Covered Code, include this CDDL HEADER in each
-+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-+ * If applicable, add the following below this CDDL HEADER, with the
-+ * fields enclosed by brackets "[]" replaced with your own identifying
-+ * information: Portions Copyright [yyyy] [name of copyright owner]
-+ *
-+ * CDDL HEADER END
-+ */
-+/*
-+ * Copyright 2003 Sun Microsystems, Inc.   All rights reserved.
-+ * Use is subject to license terms.
-+ */
-+
-+#ifndef	_CRYPTOKI_H
-+#define	_CRYPTOKI_H
-+
-+/* ident	"@(#)cryptoki.h	1.2	05/06/08 SMI" */
-+
-+#ifdef	__cplusplus
-+extern "C" {
-+#endif
-+
-+#ifndef	CK_PTR
-+#define	CK_PTR *
-+#endif
-+
-+#ifndef CK_DEFINE_FUNCTION
-+#define	CK_DEFINE_FUNCTION(returnType, name) returnType name
-+#endif
-+
-+#ifndef CK_DECLARE_FUNCTION
-+#define	CK_DECLARE_FUNCTION(returnType, name) returnType name
-+#endif
-+
-+#ifndef CK_DECLARE_FUNCTION_POINTER
-+#define	CK_DECLARE_FUNCTION_POINTER(returnType, name) returnType (* name)
-+#endif
-+
-+#ifndef CK_CALLBACK_FUNCTION
-+#define	CK_CALLBACK_FUNCTION(returnType, name) returnType (* name)
-+#endif
-+
-+#ifndef NULL_PTR
-+#include <unistd.h>	/* For NULL */
-+#define	NULL_PTR NULL
-+#endif
-+
-+/*
-+ * pkcs11t.h defines TRUE and FALSE in a way that upsets lint
-+ */
-+#ifndef	CK_DISABLE_TRUE_FALSE
-+#define	CK_DISABLE_TRUE_FALSE
-+#ifndef	TRUE
-+#define	TRUE	1
-+#endif /* TRUE */
-+#ifndef	FALSE
-+#define	FALSE	0
-+#endif /* FALSE */
-+#endif /* CK_DISABLE_TRUE_FALSE */
-+
-+#undef CK_PKCS11_FUNCTION_INFO
-+
-+#include "pkcs11.h"
-+
-+/* Solaris specific functions */
-+
-+#include <stdlib.h>
-+
-+/*
-+ * SUNW_C_GetMechSession will initialize the framework and do all
-+ * the necessary PKCS#11 calls to create a session capable of
-+ * providing operations on the requested mechanism
-+ */
-+CK_RV SUNW_C_GetMechSession(CK_MECHANISM_TYPE mech,
-+    CK_SESSION_HANDLE_PTR hSession);
-+
-+/*
-+ * SUNW_C_KeyToObject will create a secret key object for the given
-+ * mechanism from the rawkey data.
-+ */
-+CK_RV SUNW_C_KeyToObject(CK_SESSION_HANDLE hSession,
-+    CK_MECHANISM_TYPE mech, const void *rawkey, size_t rawkey_len,
-+    CK_OBJECT_HANDLE_PTR obj);
-+
-+
-+#ifdef	__cplusplus
-+}
-+#endif
-+
-+#endif	/* _CRYPTOKI_H */
-Index: openssl/crypto/engine/eng_all.c
-diff -u openssl/crypto/engine/eng_all.c:1.5.2.1.4.1 openssl/crypto/engine/eng_all.c:1.6
---- openssl/crypto/engine/eng_all.c:1.5.2.1.4.1	Tue Jun 19 15:30:00 2012
-+++ openssl/crypto/engine/eng_all.c	Tue Jun 19 16:18:00 2012
-@@ -119,6 +119,14 @@
- #if defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG)
- 	ENGINE_load_capi();
- #endif
-+#ifndef OPENSSL_NO_HW_PKCS11
-+#ifndef OPENSSL_NO_HW_PKCS11CA
-+	ENGINE_load_pk11ca();
-+#endif
-+#ifndef OPENSSL_NO_HW_PKCS11SO
-+	ENGINE_load_pk11so();
-+#endif
-+#endif
- #endif
- 	ENGINE_register_all_complete();
- 	}
-Index: openssl/crypto/engine/engine.h
-diff -u openssl/crypto/engine/engine.h:1.5.2.1.4.1 openssl/crypto/engine/engine.h:1.6
---- openssl/crypto/engine/engine.h:1.5.2.1.4.1	Tue Jun 19 15:30:00 2012
-+++ openssl/crypto/engine/engine.h	Tue Jun 19 16:18:00 2012
-@@ -343,6 +343,12 @@
- void ENGINE_load_ubsec(void);
- void ENGINE_load_padlock(void);
- void ENGINE_load_capi(void);
-+#ifndef OPENSSL_NO_HW_PKCS11CA
-+void ENGINE_load_pk11ca(void);
-+#endif
-+#ifndef OPENSSL_NO_HW_PKCS11SO
-+void ENGINE_load_pk11so(void);
-+#endif
- #ifndef OPENSSL_NO_GMP
- void ENGINE_load_gmp(void);
- #endif
-Index: openssl/crypto/engine/hw_pk11.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.33
---- /dev/null	Tue Jan  7 11:14:51 2014
-+++ openssl/crypto/engine/hw_pk11.c	Fri Oct  4 14:07:41 2013
-@@ -0,0 +1,4010 @@
-+/*
-+ * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
-+ * Use is subject to license terms.
-+ */
-+
-+/* crypto/engine/hw_pk11.c */
-+/*
-+ * This product includes software developed by the OpenSSL Project for
-+ * use in the OpenSSL Toolkit (http://www.openssl.org/).
-+ *
-+ * This project also referenced hw_pkcs11-0.9.7b.patch written by
-+ * Afchine Madjlessi.
-+ */
-+/*
-+ * ====================================================================
-+ * Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com).  This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <sys/types.h>
-+
-+#include <openssl/e_os2.h>
-+#include <openssl/crypto.h>
-+#include <cryptlib.h>
-+#include <openssl/engine.h>
-+#include <openssl/dso.h>
-+#include <openssl/err.h>
-+#include <openssl/bn.h>
-+#include <openssl/md5.h>
-+#include <openssl/pem.h>
-+#ifndef OPENSSL_NO_RSA
-+#include <openssl/rsa.h>
-+#endif
-+#ifndef OPENSSL_NO_DSA
-+#include <openssl/dsa.h>
-+#endif
-+#ifndef OPENSSL_NO_DH
-+#include <openssl/dh.h>
-+#endif
-+#include <openssl/rand.h>
-+#include <openssl/objects.h>
-+#include <openssl/x509.h>
-+#include <openssl/aes.h>
-+#include <openssl/des.h>
-+
-+#ifdef OPENSSL_SYS_WIN32
-+typedef int pid_t;
-+#define getpid() GetCurrentProcessId()
-+#define NOPTHREADS
-+#ifndef NULL_PTR
-+#define NULL_PTR NULL
-+#endif
-+#define CK_DEFINE_FUNCTION(returnType, name) \
-+	returnType __declspec(dllexport) name
-+#define CK_DECLARE_FUNCTION(returnType, name) \
-+	returnType __declspec(dllimport) name
-+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
-+	returnType __declspec(dllimport) (* name)
-+#else
-+#include <signal.h>
-+#include <unistd.h>
-+#include <dlfcn.h>
-+#endif
-+
-+/* Debug mutexes */
-+/*#undef DEBUG_MUTEX */
-+#define DEBUG_MUTEX
-+
-+#ifndef NOPTHREADS
-+/* for pthread error check on Linuxes */
-+#ifdef DEBUG_MUTEX
-+#define __USE_UNIX98
-+#endif
-+#include <pthread.h>
-+#endif
-+
-+#ifndef OPENSSL_NO_HW
-+#ifndef OPENSSL_NO_HW_PK11
-+#ifndef OPENSSL_NO_HW_PK11CA
-+
-+/* label for debug messages printed on stderr */
-+#define	PK11_DBG	"PKCS#11 ENGINE DEBUG"
-+/* prints a lot of debug messages on stderr about slot selection process */
-+/* #undef	DEBUG_SLOT_SELECTION */
-+/*
-+ * Solaris specific code. See comment at check_hw_mechanisms() for more
-+ * information.
-+ */
-+#if defined(__SVR4) && defined(__sun)
-+#undef	SOLARIS_HW_SLOT_SELECTION
-+#endif
-+
-+#ifdef OPENSSL_SYS_WIN32
-+#pragma pack(push, cryptoki, 1)
-+#include "cryptoki.h"
-+#include "pkcs11.h"
-+#pragma pack(pop, cryptoki)
-+#else
-+#include "cryptoki.h"
-+#include "pkcs11.h"
-+#endif
-+#include "hw_pk11ca.h"
-+#include "hw_pk11_err.c"
-+
-+/*
-+ * We use this lock to prevent multiple C_Login()s, guard getpassphrase(),
-+ * uri_struct manipulation, and static token info. All of that is used by the
-+ * RSA keys by reference feature.
-+ */
-+#ifndef NOPTHREADS
-+pthread_mutex_t *token_lock;
-+#endif
-+
-+#ifdef	SOLARIS_HW_SLOT_SELECTION
-+/*
-+ * Tables for symmetric ciphers and digest mechs found in the pkcs11_kernel
-+ * library. See comment at check_hw_mechanisms() for more information.
-+ */
-+static int *hw_cnids;
-+static int *hw_dnids;
-+#endif	/* SOLARIS_HW_SLOT_SELECTION */
-+
-+/* PKCS#11 session caches and their locks for all operation types */
-+static PK11_CACHE session_cache[OP_MAX];
-+
-+/*
-+ * We cache the flags so that we do not have to run C_GetTokenInfo() again when
-+ * logging into the token.
-+ */
-+CK_FLAGS pubkey_token_flags;
-+
-+/*
-+ * As stated in v2.20, 11.7 Object Management Function, in section for
-+ * C_FindObjectsInit(), at most one search operation may be active at a given
-+ * time in a given session. Therefore, C_Find{,Init,Final}Objects() should be
-+ * grouped together to form one atomic search operation. This is already
-+ * ensured by the property of unique PKCS#11 session handle used for each
-+ * PK11_SESSION object.
-+ *
-+ * This is however not the biggest concern - maintaining consistency of the
-+ * underlying object store is more important. The same section of the spec also
-+ * says that one thread can be in the middle of a search operation while another
-+ * thread destroys the object matching the search template which would result in
-+ * invalid handle returned from the search operation.
-+ *
-+ * Hence, the following locks are used for both protection of the object stores.
-+ * They are also used for active list protection.
-+ */
-+#ifndef NOPTHREADS
-+pthread_mutex_t *find_lock[OP_MAX] = { NULL };
-+#endif
-+
-+/*
-+ * lists of asymmetric key handles which are active (referenced by at least one
-+ * PK11_SESSION structure, either held by a thread or present in free_session
-+ * list) for given algorithm type
-+ */
-+PK11_active *active_list[OP_MAX] = { NULL };
-+
-+/*
-+ * Create all secret key objects in a global session so that they are available
-+ * to use for other sessions. These other sessions may be opened or closed
-+ * without losing the secret key objects.
-+ */
-+static CK_SESSION_HANDLE	global_session = CK_INVALID_HANDLE;
-+
-+/* ENGINE level stuff */
-+static int pk11_init(ENGINE *e);
-+static int pk11_library_init(ENGINE *e);
-+static int pk11_finish(ENGINE *e);
-+static int pk11_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
-+static int pk11_destroy(ENGINE *e);
-+
-+/* RAND stuff */
-+static void pk11_rand_seed(const void *buf, int num);
-+static void pk11_rand_add(const void *buf, int num, double add_entropy);
-+static void pk11_rand_cleanup(void);
-+static int pk11_rand_bytes(unsigned char *buf, int num);
-+static int pk11_rand_status(void);
-+
-+/* These functions are also used in other files */
-+PK11_SESSION *pk11_get_session(PK11_OPTYPE optype);
-+void pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype);
-+
-+/* active list manipulation functions used in this file */
-+extern int pk11_active_delete(CK_OBJECT_HANDLE h, PK11_OPTYPE type);
-+extern void pk11_free_active_list(PK11_OPTYPE type);
-+
-+#ifndef OPENSSL_NO_RSA
-+int pk11_destroy_rsa_key_objects(PK11_SESSION *session);
-+int pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
-+int pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
-+#endif
-+#ifndef OPENSSL_NO_DSA
-+int pk11_destroy_dsa_key_objects(PK11_SESSION *session);
-+int pk11_destroy_dsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
-+int pk11_destroy_dsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
-+#endif
-+#ifndef OPENSSL_NO_DH
-+int pk11_destroy_dh_key_objects(PK11_SESSION *session);
-+int pk11_destroy_dh_object(PK11_SESSION *session, CK_BBOOL uselock);
-+#endif
-+
-+/* Local helper functions */
-+static int pk11_free_all_sessions(void);
-+static int pk11_free_session_list(PK11_OPTYPE optype);
-+static int pk11_setup_session(PK11_SESSION *sp, PK11_OPTYPE optype);
-+static int pk11_destroy_cipher_key_objects(PK11_SESSION *session);
-+static int pk11_destroy_object(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE oh,
-+	CK_BBOOL persistent);
-+static const char *get_PK11_LIBNAME(void);
-+static void free_PK11_LIBNAME(void);
-+static long set_PK11_LIBNAME(const char *name);
-+
-+/* Symmetric cipher and digest support functions */
-+static int cipher_nid_to_pk11(int nid);
-+static int pk11_usable_ciphers(const int **nids);
-+static int pk11_usable_digests(const int **nids);
-+static int pk11_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-+	const unsigned char *iv, int enc);
-+static int pk11_cipher_final(PK11_SESSION *sp);
-+#if OPENSSL_VERSION_NUMBER < 0x10000000L
-+static int pk11_cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-+	const unsigned char *in, unsigned int inl);
-+#else
-+static int pk11_cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-+	const unsigned char *in, size_t inl);
-+#endif
-+static int pk11_cipher_cleanup(EVP_CIPHER_CTX *ctx);
-+static int pk11_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
-+	const int **nids, int nid);
-+static int pk11_engine_digests(ENGINE *e, const EVP_MD **digest,
-+	const int **nids, int nid);
-+static CK_OBJECT_HANDLE pk11_get_cipher_key(EVP_CIPHER_CTX *ctx,
-+	const unsigned char *key, CK_KEY_TYPE key_type, PK11_SESSION *sp);
-+static int check_new_cipher_key(PK11_SESSION *sp, const unsigned char *key,
-+	int key_len);
-+static int md_nid_to_pk11(int nid);
-+static int pk11_digest_init(EVP_MD_CTX *ctx);
-+static int pk11_digest_update(EVP_MD_CTX *ctx, const void *data,
-+	size_t count);
-+static int pk11_digest_final(EVP_MD_CTX *ctx, unsigned char *md);
-+static int pk11_digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from);
-+static int pk11_digest_cleanup(EVP_MD_CTX *ctx);
-+
-+static int pk11_choose_slots(int *any_slot_found);
-+static void pk11_find_symmetric_ciphers(CK_FUNCTION_LIST_PTR pflist,
-+    CK_SLOT_ID current_slot, int *current_slot_n_cipher,
-+    int *local_cipher_nids);
-+static void pk11_find_digests(CK_FUNCTION_LIST_PTR pflist,
-+    CK_SLOT_ID current_slot, int *current_slot_n_digest,
-+    int *local_digest_nids);
-+static void pk11_get_symmetric_cipher(CK_FUNCTION_LIST_PTR, int slot_id,
-+    CK_MECHANISM_TYPE mech, int *current_slot_n_cipher, int *local_cipher_nids,
-+    int id);
-+static void pk11_get_digest(CK_FUNCTION_LIST_PTR pflist, int slot_id,
-+    CK_MECHANISM_TYPE mech, int *current_slot_n_digest, int *local_digest_nids,
-+    int id);
-+
-+static int pk11_init_all_locks(void);
-+static void pk11_free_all_locks(void);
-+
-+#ifdef	SOLARIS_HW_SLOT_SELECTION
-+static int check_hw_mechanisms(void);
-+static int nid_in_table(int nid, int *nid_table);
-+#endif	/* SOLARIS_HW_SLOT_SELECTION */
-+
-+/* Index for the supported ciphers */
-+enum pk11_cipher_id {
-+	PK11_DES_CBC,
-+	PK11_DES3_CBC,
-+	PK11_DES_ECB,
-+	PK11_DES3_ECB,
-+	PK11_RC4,
-+	PK11_AES_128_CBC,
-+	PK11_AES_192_CBC,
-+	PK11_AES_256_CBC,
-+	PK11_AES_128_ECB,
-+	PK11_AES_192_ECB,
-+	PK11_AES_256_ECB,
-+	PK11_AES_128_CTR,
-+	PK11_AES_192_CTR,
-+	PK11_AES_256_CTR,
-+	PK11_BLOWFISH_CBC,
-+	PK11_CIPHER_MAX
-+};
-+
-+/* Index for the supported digests */
-+enum pk11_digest_id {
-+	PK11_MD5,
-+	PK11_SHA1,
-+	PK11_SHA224,
-+	PK11_SHA256,
-+	PK11_SHA384,
-+	PK11_SHA512,
-+	PK11_DIGEST_MAX
-+};
-+
-+#define	TRY_OBJ_DESTROY(sp, obj_hdl, retval, uselock, alg_type, priv)	\
-+	{								\
-+	if (uselock)							\
-+		LOCK_OBJSTORE(alg_type);				\
-+	if (pk11_active_delete(obj_hdl, alg_type) == 1)			\
-+		{							\
-+		  retval = pk11_destroy_object(sp->session, obj_hdl,	\
-+		  priv ? sp->priv_persistent : sp->pub_persistent);	\
-+		}							\
-+	if (uselock)							\
-+		UNLOCK_OBJSTORE(alg_type);				\
-+	}
-+
-+static int cipher_nids[PK11_CIPHER_MAX];
-+static int digest_nids[PK11_DIGEST_MAX];
-+static int cipher_count		= 0;
-+static int digest_count		= 0;
-+static CK_BBOOL pk11_have_rsa	= CK_FALSE;
-+static CK_BBOOL pk11_have_recover = CK_FALSE;
-+static CK_BBOOL pk11_have_dsa	= CK_FALSE;
-+static CK_BBOOL pk11_have_dh	= CK_FALSE;
-+static CK_BBOOL pk11_have_random = CK_FALSE;
-+
-+typedef struct PK11_CIPHER_st
-+	{
-+	enum pk11_cipher_id	id;
-+	int			nid;
-+	int			iv_len;
-+	int			min_key_len;
-+	int			max_key_len;
-+	CK_KEY_TYPE		key_type;
-+	CK_MECHANISM_TYPE	mech_type;
-+	} PK11_CIPHER;
-+
-+static PK11_CIPHER ciphers[] =
-+	{
-+	{ PK11_DES_CBC,		NID_des_cbc,		8,	 8,   8,
-+		CKK_DES,	CKM_DES_CBC, },
-+	{ PK11_DES3_CBC,	NID_des_ede3_cbc,	8,	24,  24,
-+		CKK_DES3,	CKM_DES3_CBC, },
-+	{ PK11_DES_ECB,		NID_des_ecb,		0,	 8,   8,
-+		CKK_DES,	CKM_DES_ECB, },
-+	{ PK11_DES3_ECB,	NID_des_ede3_ecb,	0,	24,  24,
-+		CKK_DES3,	CKM_DES3_ECB, },
-+	{ PK11_RC4,		NID_rc4,		0,	16, 256,
-+		CKK_RC4,	CKM_RC4, },
-+	{ PK11_AES_128_CBC,	NID_aes_128_cbc,	16,	16,  16,
-+		CKK_AES,	CKM_AES_CBC, },
-+	{ PK11_AES_192_CBC,	NID_aes_192_cbc,	16,	24,  24,
-+		CKK_AES,	CKM_AES_CBC, },
-+	{ PK11_AES_256_CBC,	NID_aes_256_cbc,	16,	32,  32,
-+		CKK_AES,	CKM_AES_CBC, },
-+	{ PK11_AES_128_ECB,	NID_aes_128_ecb,	0,	16,  16,
-+		CKK_AES,	CKM_AES_ECB, },
-+	{ PK11_AES_192_ECB,	NID_aes_192_ecb,	0,	24,  24,
-+		CKK_AES,	CKM_AES_ECB, },
-+	{ PK11_AES_256_ECB,	NID_aes_256_ecb,	0,	32,  32,
-+		CKK_AES,	CKM_AES_ECB, },
-+	{ PK11_AES_128_CTR,	NID_aes_128_ctr,	16,	16,  16,
-+		CKK_AES,	CKM_AES_CTR, },
-+	{ PK11_AES_192_CTR,	NID_aes_192_ctr,	16,	24,  24,
-+		CKK_AES,	CKM_AES_CTR, },
-+	{ PK11_AES_256_CTR,	NID_aes_256_ctr,	16,	32,  32,
-+		CKK_AES,	CKM_AES_CTR, },
-+	{ PK11_BLOWFISH_CBC,	NID_bf_cbc,		8,	16,  16,
-+		CKK_BLOWFISH,	CKM_BLOWFISH_CBC, },
-+	};
-+
-+typedef struct PK11_DIGEST_st
-+	{
-+	enum pk11_digest_id	id;
-+	int			nid;
-+	CK_MECHANISM_TYPE	mech_type;
-+	} PK11_DIGEST;
-+
-+static PK11_DIGEST digests[] =
-+	{
-+	{PK11_MD5,	NID_md5,	CKM_MD5, },
-+	{PK11_SHA1,	NID_sha1,	CKM_SHA_1, },
-+	{PK11_SHA224,	NID_sha224,	CKM_SHA224, },
-+	{PK11_SHA256,	NID_sha256,	CKM_SHA256, },
-+	{PK11_SHA384,	NID_sha384,	CKM_SHA384, },
-+	{PK11_SHA512,	NID_sha512,	CKM_SHA512, },
-+	{0,		NID_undef,	0xFFFF, },
-+	};
-+
-+/*
-+ * Structure to be used for the cipher_data/md_data in
-+ * EVP_CIPHER_CTX/EVP_MD_CTX structures in order to use the same pk11
-+ * session in multiple cipher_update calls
-+ */
-+typedef struct PK11_CIPHER_STATE_st
-+	{
-+	PK11_SESSION	*sp;
-+	} PK11_CIPHER_STATE;
-+
-+
-+/*
-+ * libcrypto EVP stuff - this is how we get wired to EVP so the engine gets
-+ * called when libcrypto requests a cipher NID.
-+ *
-+ * Note how the PK11_CIPHER_STATE is used here.
-+ */
-+
-+/* DES CBC EVP */
-+static const EVP_CIPHER pk11_des_cbc =
-+	{
-+	NID_des_cbc,
-+	8, 8, 8,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+/* 3DES CBC EVP */
-+static const EVP_CIPHER pk11_3des_cbc =
-+	{
-+	NID_des_ede3_cbc,
-+	8, 24, 8,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+/*
-+ * ECB modes don't use an Initial Vector so that's why set_asn1_parameters and
-+ * get_asn1_parameters fields are set to NULL.
-+ */
-+static const EVP_CIPHER pk11_des_ecb =
-+	{
-+	NID_des_ecb,
-+	8, 8, 8,
-+	EVP_CIPH_ECB_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	NULL,
-+	NULL,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_3des_ecb =
-+	{
-+	NID_des_ede3_ecb,
-+	8, 24, 8,
-+	EVP_CIPH_ECB_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	NULL,
-+	NULL,
-+	NULL
-+	};
-+
-+
-+static const EVP_CIPHER pk11_aes_128_cbc =
-+	{
-+	NID_aes_128_cbc,
-+	16, 16, 16,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_aes_192_cbc =
-+	{
-+	NID_aes_192_cbc,
-+	16, 24, 16,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_aes_256_cbc =
-+	{
-+	NID_aes_256_cbc,
-+	16, 32, 16,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+/*
-+ * ECB modes don't use IV so that's why set_asn1_parameters and
-+ * get_asn1_parameters are set to NULL.
-+ */
-+static const EVP_CIPHER pk11_aes_128_ecb =
-+	{
-+	NID_aes_128_ecb,
-+	16, 16, 0,
-+	EVP_CIPH_ECB_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	NULL,
-+	NULL,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_aes_192_ecb =
-+	{
-+	NID_aes_192_ecb,
-+	16, 24, 0,
-+	EVP_CIPH_ECB_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	NULL,
-+	NULL,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_aes_256_ecb =
-+	{
-+	NID_aes_256_ecb,
-+	16, 32, 0,
-+	EVP_CIPH_ECB_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	NULL,
-+	NULL,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_aes_128_ctr =
-+	{
-+	NID_aes_128_ctr,
-+	16, 16, 16,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_aes_192_ctr =
-+	{
-+	NID_aes_192_ctr,
-+	16, 24, 16,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_aes_256_ctr =
-+	{
-+	NID_aes_256_ctr,
-+	16, 32, 16,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_bf_cbc =
-+	{
-+	NID_bf_cbc,
-+	8, 16, 8,
-+	EVP_CIPH_VARIABLE_LENGTH,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_rc4 =
-+	{
-+	NID_rc4,
-+	1, 16, 0,
-+	EVP_CIPH_VARIABLE_LENGTH,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	NULL,
-+	NULL,
-+	NULL
-+	};
-+
-+static const EVP_MD pk11_md5 =
-+	{
-+	NID_md5,
-+	NID_md5WithRSAEncryption,
-+	MD5_DIGEST_LENGTH,
-+	0,
-+	pk11_digest_init,
-+	pk11_digest_update,
-+	pk11_digest_final,
-+	pk11_digest_copy,
-+	pk11_digest_cleanup,
-+	EVP_PKEY_RSA_method,
-+	MD5_CBLOCK,
-+	sizeof (PK11_CIPHER_STATE),
-+	};
-+
-+static const EVP_MD pk11_sha1 =
-+	{
-+	NID_sha1,
-+	NID_sha1WithRSAEncryption,
-+	SHA_DIGEST_LENGTH,
-+	EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
-+	pk11_digest_init,
-+	pk11_digest_update,
-+	pk11_digest_final,
-+	pk11_digest_copy,
-+	pk11_digest_cleanup,
-+	EVP_PKEY_RSA_method,
-+	SHA_CBLOCK,
-+	sizeof (PK11_CIPHER_STATE),
-+	};
-+
-+static const EVP_MD pk11_sha224 =
-+	{
-+	NID_sha224,
-+	NID_sha224WithRSAEncryption,
-+	SHA224_DIGEST_LENGTH,
-+	EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
-+	pk11_digest_init,
-+	pk11_digest_update,
-+	pk11_digest_final,
-+	pk11_digest_copy,
-+	pk11_digest_cleanup,
-+	EVP_PKEY_RSA_method,
-+	/* SHA-224 uses the same cblock size as SHA-256 */
-+	SHA256_CBLOCK,
-+	sizeof (PK11_CIPHER_STATE),
-+	};
-+
-+static const EVP_MD pk11_sha256 =
-+	{
-+	NID_sha256,
-+	NID_sha256WithRSAEncryption,
-+	SHA256_DIGEST_LENGTH,
-+	EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
-+	pk11_digest_init,
-+	pk11_digest_update,
-+	pk11_digest_final,
-+	pk11_digest_copy,
-+	pk11_digest_cleanup,
-+	EVP_PKEY_RSA_method,
-+	SHA256_CBLOCK,
-+	sizeof (PK11_CIPHER_STATE),
-+	};
-+
-+static const EVP_MD pk11_sha384 =
-+	{
-+	NID_sha384,
-+	NID_sha384WithRSAEncryption,
-+	SHA384_DIGEST_LENGTH,
-+	EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
-+	pk11_digest_init,
-+	pk11_digest_update,
-+	pk11_digest_final,
-+	pk11_digest_copy,
-+	pk11_digest_cleanup,
-+	EVP_PKEY_RSA_method,
-+	/* SHA-384 uses the same cblock size as SHA-512 */
-+	SHA512_CBLOCK,
-+	sizeof (PK11_CIPHER_STATE),
-+	};
-+
-+static const EVP_MD pk11_sha512 =
-+	{
-+	NID_sha512,
-+	NID_sha512WithRSAEncryption,
-+	SHA512_DIGEST_LENGTH,
-+	EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
-+	pk11_digest_init,
-+	pk11_digest_update,
-+	pk11_digest_final,
-+	pk11_digest_copy,
-+	pk11_digest_cleanup,
-+	EVP_PKEY_RSA_method,
-+	SHA512_CBLOCK,
-+	sizeof (PK11_CIPHER_STATE),
-+	};
-+
-+/*
-+ * Initialization function. Sets up various PKCS#11 library components.
-+ * The definitions for control commands specific to this engine
-+ */
-+#define PK11_CMD_SO_PATH		ENGINE_CMD_BASE
-+#define PK11_CMD_PIN			(ENGINE_CMD_BASE+1)
-+#define PK11_CMD_SLOT			(ENGINE_CMD_BASE+2)
-+static const ENGINE_CMD_DEFN pk11_cmd_defns[] =
-+	{
-+		{
-+		PK11_CMD_SO_PATH,
-+		"SO_PATH",
-+		"Specifies the path to the 'pkcs#11' shared library",
-+		ENGINE_CMD_FLAG_STRING
-+		},
-+		{
-+		PK11_CMD_PIN,
-+		"PIN",
-+		"Specifies the pin code",
-+		ENGINE_CMD_FLAG_STRING
-+		},
-+		{
-+		PK11_CMD_SLOT,
-+		"SLOT",
-+		"Specifies the slot (default is auto select)",
-+		ENGINE_CMD_FLAG_NUMERIC,
-+		},
-+		{0, NULL, NULL, 0}
-+	};
-+
-+
-+static RAND_METHOD pk11_random =
-+	{
-+	pk11_rand_seed,
-+	pk11_rand_bytes,
-+	pk11_rand_cleanup,
-+	pk11_rand_add,
-+	pk11_rand_bytes,
-+	pk11_rand_status
-+	};
-+
-+
-+/* Constants used when creating the ENGINE */
-+#ifdef OPENSSL_NO_HW_PK11SO
-+#error "can't load both crypto-accelerator and sign-only PKCS#11 engines"
-+#endif
-+static const char *engine_pk11_id = "pkcs11";
-+static const char *engine_pk11_name =
-+	"PKCS #11 engine support (crypto accelerator)";
-+
-+CK_FUNCTION_LIST_PTR pFuncList = NULL;
-+static const char PK11_GET_FUNCTION_LIST[] = "C_GetFunctionList";
-+
-+/*
-+ * This is a static string constant for the DSO file name and the function
-+ * symbol names to bind to. We set it in the Configure script based on whether
-+ * this is 32 or 64 bit build.
-+ */
-+static const char def_PK11_LIBNAME[] = PK11_LIB_LOCATION;
-+
-+static CK_BBOOL mytrue = TRUE;
-+static CK_BBOOL myfalse = FALSE;
-+/* Needed in hw_pk11_pub.c as well so that's why it is not static. */
-+CK_SLOT_ID pubkey_SLOTID = 0;
-+static CK_SLOT_ID rand_SLOTID = 0;
-+static CK_SLOT_ID SLOTID = 0;
-+char *pk11_pin = NULL;
-+static CK_BBOOL pk11_library_initialized = FALSE;
-+static CK_BBOOL pk11_atfork_initialized = FALSE;
-+static int pk11_pid = 0;
-+
-+static DSO *pk11_dso = NULL;
-+
-+/* allocate and initialize all locks used by the engine itself */
-+static int pk11_init_all_locks(void)
-+	{
-+#ifndef NOPTHREADS
-+	int type;
-+	pthread_mutexattr_t attr;
-+
-+	if (pthread_mutexattr_init(&attr) != 0)
-+	{
-+		PK11err(PK11_F_INIT_ALL_LOCKS, 100);
-+		return (0);
-+	}
-+
-+#ifdef DEBUG_MUTEX
-+	if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0)
-+	{
-+		PK11err(PK11_F_INIT_ALL_LOCKS, 101);
-+		return (0);
-+	}
-+#endif
-+
-+	if ((token_lock = OPENSSL_malloc(sizeof (pthread_mutex_t))) == NULL)
-+		goto malloc_err;
-+	(void) pthread_mutex_init(token_lock, &attr);
-+
-+#ifndef OPENSSL_NO_RSA
-+	find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
-+	if (find_lock[OP_RSA] == NULL)
-+		goto malloc_err;
-+	(void) pthread_mutex_init(find_lock[OP_RSA], &attr);
-+#endif /* OPENSSL_NO_RSA */
-+
-+#ifndef OPENSSL_NO_DSA
-+	find_lock[OP_DSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
-+	if (find_lock[OP_DSA] == NULL)
-+		goto malloc_err;
-+	(void) pthread_mutex_init(find_lock[OP_DSA], &attr);
-+#endif /* OPENSSL_NO_DSA */
-+
-+#ifndef OPENSSL_NO_DH
-+	find_lock[OP_DH] = OPENSSL_malloc(sizeof (pthread_mutex_t));
-+	if (find_lock[OP_DH] == NULL)
-+		goto malloc_err;
-+	(void) pthread_mutex_init(find_lock[OP_DH], &attr);
-+#endif /* OPENSSL_NO_DH */
-+
-+	for (type = 0; type < OP_MAX; type++)
-+		{
-+		session_cache[type].lock =
-+		    OPENSSL_malloc(sizeof (pthread_mutex_t));
-+		if (session_cache[type].lock == NULL)
-+			goto malloc_err;
-+		(void) pthread_mutex_init(session_cache[type].lock, &attr);
-+		}
-+
-+	return (1);
-+
-+malloc_err:
-+	pk11_free_all_locks();
-+	PK11err(PK11_F_INIT_ALL_LOCKS, PK11_R_MALLOC_FAILURE);
-+	return (0);
-+#else
-+	return (1);
-+#endif
-+	}
-+
-+static void pk11_free_all_locks(void)
-+	{
-+#ifndef NOPTHREADS
-+	int type;
-+
-+	if (token_lock != NULL)
-+		{
-+		(void) pthread_mutex_destroy(token_lock);
-+		OPENSSL_free(token_lock);
-+		token_lock = NULL;
-+		}
-+
-+#ifndef OPENSSL_NO_RSA
-+	if (find_lock[OP_RSA] != NULL)
-+		{
-+		(void) pthread_mutex_destroy(find_lock[OP_RSA]);
-+		OPENSSL_free(find_lock[OP_RSA]);
-+		find_lock[OP_RSA] = NULL;
-+		}
-+#endif /* OPENSSL_NO_RSA */
-+#ifndef OPENSSL_NO_DSA
-+	if (find_lock[OP_DSA] != NULL)
-+		{
-+		(void) pthread_mutex_destroy(find_lock[OP_DSA]);
-+		OPENSSL_free(find_lock[OP_DSA]);
-+		find_lock[OP_DSA] = NULL;
-+		}
-+#endif /* OPENSSL_NO_DSA */
-+#ifndef OPENSSL_NO_DH
-+	if (find_lock[OP_DH] != NULL)
-+		{
-+		(void) pthread_mutex_destroy(find_lock[OP_DH]);
-+		OPENSSL_free(find_lock[OP_DH]);
-+		find_lock[OP_DH] = NULL;
-+		}
-+#endif /* OPENSSL_NO_DH */
-+
-+	for (type = 0; type < OP_MAX; type++)
-+		{
-+		if (session_cache[type].lock != NULL)
-+			{
-+			(void) pthread_mutex_destroy(session_cache[type].lock);
-+			OPENSSL_free(session_cache[type].lock);
-+			session_cache[type].lock = NULL;
-+			}
-+		}
-+#endif
-+	}
-+
-+/*
-+ * This internal function is used by ENGINE_pk11() and "dynamic" ENGINE support.
-+ */
-+static int bind_pk11(ENGINE *e)
-+	{
-+#ifndef OPENSSL_NO_RSA
-+	const RSA_METHOD *rsa = NULL;
-+	RSA_METHOD *pk11_rsa = PK11_RSA();
-+#endif	/* OPENSSL_NO_RSA */
-+	if (!pk11_library_initialized)
-+		if (!pk11_library_init(e))
-+			return (0);
-+
-+	if (!ENGINE_set_id(e, engine_pk11_id) ||
-+	    !ENGINE_set_name(e, engine_pk11_name) ||
-+	    !ENGINE_set_ciphers(e, pk11_engine_ciphers) ||
-+	    !ENGINE_set_digests(e, pk11_engine_digests))
-+		return (0);
-+#ifndef OPENSSL_NO_RSA
-+	if (pk11_have_rsa == CK_TRUE)
-+		{
-+		if (!ENGINE_set_RSA(e, PK11_RSA()) ||
-+		    !ENGINE_set_load_privkey_function(e, pk11_load_privkey) ||
-+		    !ENGINE_set_load_pubkey_function(e, pk11_load_pubkey))
-+			return (0);
-+#ifdef	DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "%s: registered RSA\n", PK11_DBG);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+		}
-+#endif	/* OPENSSL_NO_RSA */
-+#ifndef OPENSSL_NO_DSA
-+	if (pk11_have_dsa == CK_TRUE)
-+		{
-+		if (!ENGINE_set_DSA(e, PK11_DSA()))
-+			return (0);
-+#ifdef	DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "%s: registered DSA\n", PK11_DBG);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+		}
-+#endif	/* OPENSSL_NO_DSA */
-+#ifndef OPENSSL_NO_DH
-+	if (pk11_have_dh == CK_TRUE)
-+		{
-+		if (!ENGINE_set_DH(e, PK11_DH()))
-+			return (0);
-+#ifdef	DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "%s: registered DH\n", PK11_DBG);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+		}
-+#endif	/* OPENSSL_NO_DH */
-+	if (pk11_have_random)
-+		{
-+		if (!ENGINE_set_RAND(e, &pk11_random))
-+			return (0);
-+#ifdef	DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "%s: registered random\n", PK11_DBG);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+		}
-+	if (!ENGINE_set_init_function(e, pk11_init) ||
-+	    !ENGINE_set_destroy_function(e, pk11_destroy) ||
-+	    !ENGINE_set_finish_function(e, pk11_finish) ||
-+	    !ENGINE_set_ctrl_function(e, pk11_ctrl) ||
-+	    !ENGINE_set_cmd_defns(e, pk11_cmd_defns))
-+		return (0);
-+
-+/*
-+ * Apache calls OpenSSL function RSA_blinding_on() once during startup
-+ * which in turn calls bn_mod_exp. Since we do not implement bn_mod_exp
-+ * here, we wire it back to the OpenSSL software implementation.
-+ * Since it is used only once, performance is not a concern.
-+ */
-+#ifndef OPENSSL_NO_RSA
-+	rsa = RSA_PKCS1_SSLeay();
-+	pk11_rsa->rsa_mod_exp = rsa->rsa_mod_exp;
-+	pk11_rsa->bn_mod_exp = rsa->bn_mod_exp;
-+	if (pk11_have_recover != CK_TRUE)
-+		pk11_rsa->rsa_pub_dec = rsa->rsa_pub_dec;
-+#endif	/* OPENSSL_NO_RSA */
-+
-+	/* Ensure the pk11 error handling is set up */
-+	ERR_load_pk11_strings();
-+
-+	return (1);
-+	}
-+
-+/* Dynamic engine support is disabled at a higher level for Solaris */
-+#ifdef	ENGINE_DYNAMIC_SUPPORT
-+#error  "dynamic engine not supported"
-+static int bind_helper(ENGINE *e, const char *id)
-+	{
-+	if (id && (strcmp(id, engine_pk11_id) != 0))
-+		return (0);
-+
-+	if (!bind_pk11(e))
-+		return (0);
-+
-+	return (1);
-+	}
-+
-+IMPLEMENT_DYNAMIC_CHECK_FN()
-+IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
-+
-+#else
-+static ENGINE *engine_pk11(void)
-+	{
-+	ENGINE *ret = ENGINE_new();
-+
-+	if (!ret)
-+		return (NULL);
-+
-+	if (!bind_pk11(ret))
-+		{
-+		ENGINE_free(ret);
-+		return (NULL);
-+		}
-+
-+	return (ret);
-+	}
-+
-+void
-+ENGINE_load_pk11(void)
-+	{
-+	ENGINE *e_pk11 = NULL;
-+
-+	/*
-+	 * Do not use dynamic PKCS#11 library on Solaris due to
-+	 * security reasons. We will link it in statically.
-+	 */
-+	/* Attempt to load PKCS#11 library */
-+	if (!pk11_dso)
-+		pk11_dso = DSO_load(NULL, get_PK11_LIBNAME(), NULL, 0);
-+
-+	if (pk11_dso == NULL)
-+		{
-+		PK11err(PK11_F_LOAD, PK11_R_DSO_FAILURE);
-+		return;
-+		}
-+
-+	e_pk11 = engine_pk11();
-+	if (!e_pk11)
-+		{
-+		DSO_free(pk11_dso);
-+		pk11_dso = NULL;
-+		return;
-+		}
-+
-+	/*
-+	 * At this point, the pk11 shared library is either dynamically
-+	 * loaded or statically linked in. So, initialize the pk11
-+	 * library before calling ENGINE_set_default since the latter
-+	 * needs cipher and digest algorithm information
-+	 */
-+	if (!pk11_library_init(e_pk11))
-+		{
-+		DSO_free(pk11_dso);
-+		pk11_dso = NULL;
-+		ENGINE_free(e_pk11);
-+		return;
-+		}
-+
-+	ENGINE_add(e_pk11);
-+
-+	ENGINE_free(e_pk11);
-+	ERR_clear_error();
-+	}
-+#endif	/* ENGINE_DYNAMIC_SUPPORT */
-+
-+/*
-+ * These are the static string constants for the DSO file name and
-+ * the function symbol names to bind to.
-+ */
-+static const char *PK11_LIBNAME = NULL;
-+
-+static const char *get_PK11_LIBNAME(void)
-+	{
-+	if (PK11_LIBNAME)
-+		return (PK11_LIBNAME);
-+
-+	return (def_PK11_LIBNAME);
-+	}
-+
-+static void free_PK11_LIBNAME(void)
-+	{
-+	if (PK11_LIBNAME)
-+		OPENSSL_free((void*)PK11_LIBNAME);
-+
-+	PK11_LIBNAME = NULL;
-+	}
-+
-+static long set_PK11_LIBNAME(const char *name)
-+	{
-+	free_PK11_LIBNAME();
-+
-+	return ((PK11_LIBNAME = BUF_strdup(name)) != NULL ? 1 : 0);
-+	}
-+
-+/* acquire all engine specific mutexes before fork */
-+static void pk11_fork_prepare(void)
-+	{
-+#ifndef NOPTHREADS
-+	int i;
-+
-+	if (!pk11_library_initialized)
-+		return;
-+
-+	LOCK_OBJSTORE(OP_RSA);
-+	LOCK_OBJSTORE(OP_DSA);
-+	LOCK_OBJSTORE(OP_DH);
-+	OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
-+	for (i = 0; i < OP_MAX; i++)
-+		{
-+		OPENSSL_assert(pthread_mutex_lock(session_cache[i].lock) == 0);
-+		}
-+#endif
-+	}
-+
-+/* release all engine specific mutexes */
-+static void pk11_fork_parent(void)
-+	{
-+#ifndef NOPTHREADS
-+	int i;
-+
-+	if (!pk11_library_initialized)
-+		return;
-+
-+	for (i = OP_MAX - 1; i >= 0; i--)
-+		{
-+		OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
-+		}
-+	UNLOCK_OBJSTORE(OP_DH);
-+	UNLOCK_OBJSTORE(OP_DSA);
-+	UNLOCK_OBJSTORE(OP_RSA);
-+	OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
-+#endif
-+	}
-+
-+/*
-+ * same situation as in parent - we need to unlock all locks to make them
-+ * accessible to all threads.
-+ */
-+static void pk11_fork_child(void)
-+	{
-+#ifndef NOPTHREADS
-+	int i;
-+
-+	if (!pk11_library_initialized)
-+		return;
-+
-+	for (i = OP_MAX - 1; i >= 0; i--)
-+		{
-+		OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
-+		}
-+	UNLOCK_OBJSTORE(OP_DH);
-+	UNLOCK_OBJSTORE(OP_DSA);
-+	UNLOCK_OBJSTORE(OP_RSA);
-+	OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
-+#endif
-+	}
-+
-+/* Initialization function for the pk11 engine */
-+static int pk11_init(ENGINE *e)
-+{
-+	return (pk11_library_init(e));
-+}
-+
-+static CK_C_INITIALIZE_ARGS pk11_init_args =
-+	{
-+	NULL_PTR,		/* CreateMutex */
-+	NULL_PTR,		/* DestroyMutex */
-+	NULL_PTR,		/* LockMutex */
-+	NULL_PTR,		/* UnlockMutex */
-+	CKF_OS_LOCKING_OK,	/* flags */
-+	NULL_PTR,		/* pReserved */
-+	};
-+
-+/*
-+ * Initialization function. Sets up various PKCS#11 library components.
-+ * It selects a slot based on predefined critiera. In the process, it also
-+ * count how many ciphers and digests to support. Since the cipher and
-+ * digest information is needed when setting default engine, this function
-+ * needs to be called before calling ENGINE_set_default.
-+ */
-+/* ARGSUSED */
-+static int pk11_library_init(ENGINE *e)
-+	{
-+	CK_C_GetFunctionList p;
-+	CK_RV rv = CKR_OK;
-+	CK_INFO info;
-+	CK_ULONG ul_state_len;
-+	int any_slot_found;
-+	int i;
-+#ifndef OPENSSL_SYS_WIN32
-+	struct sigaction sigint_act, sigterm_act, sighup_act;
-+#endif
-+
-+	/*
-+	 * pk11_library_initialized is set to 0 in pk11_finish() which
-+	 * is called from ENGINE_finish(). However, if there is still
-+	 * at least one existing functional reference to the engine
-+	 * (see engine(3) for more information), pk11_finish() is
-+	 * skipped. For example, this can happen if an application
-+	 * forgets to clear one cipher context. In case of a fork()
-+	 * when the application is finishing the engine so that it can
-+	 * be reinitialized in the child, forgotten functional
-+	 * reference causes pk11_library_initialized to stay 1. In
-+	 * that case we need the PID check so that we properly
-+	 * initialize the engine again.
-+	 */
-+	if (pk11_library_initialized)
-+		{
-+		if (pk11_pid == getpid())
-+			{
-+			return (1);
-+			}
-+		else
-+			{
-+			global_session = CK_INVALID_HANDLE;
-+			/*
-+			 * free the locks first to prevent memory leak in case
-+			 * the application calls fork() without finishing the
-+			 * engine first.
-+			 */
-+			pk11_free_all_locks();
-+			}
-+		}
-+
-+	if (pk11_dso == NULL)
-+		{
-+		PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
-+		goto err;
-+		}
-+
-+#ifdef	SOLARIS_HW_SLOT_SELECTION
-+	if (check_hw_mechanisms() == 0)
-+		goto err;
-+#endif	/* SOLARIS_HW_SLOT_SELECTION */
-+
-+	/* get the C_GetFunctionList function from the loaded library */
-+	p = (CK_C_GetFunctionList)DSO_bind_func(pk11_dso,
-+		PK11_GET_FUNCTION_LIST);
-+	if (!p)
-+		{
-+		PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
-+		goto err;
-+		}
-+
-+	/* get the full function list from the loaded library */
-+	rv = p(&pFuncList);
-+	if (rv != CKR_OK)
-+		{
-+		PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE, rv);
-+		goto err;
-+		}
-+
-+#ifndef OPENSSL_SYS_WIN32
-+	/* Not all PKCS#11 library are signal safe! */
-+
-+	(void) memset(&sigint_act, 0, sizeof(sigint_act));
-+	(void) memset(&sigterm_act, 0, sizeof(sigterm_act));
-+	(void) memset(&sighup_act, 0, sizeof(sighup_act));
-+	(void) sigaction(SIGINT, NULL, &sigint_act);
-+	(void) sigaction(SIGTERM, NULL, &sigterm_act);
-+	(void) sigaction(SIGHUP, NULL, &sighup_act);
-+#endif
-+	rv = pFuncList->C_Initialize((CK_VOID_PTR)&pk11_init_args);
-+#ifndef OPENSSL_SYS_WIN32
-+	(void) sigaction(SIGINT, &sigint_act, NULL);
-+	(void) sigaction(SIGTERM, &sigterm_act, NULL);
-+	(void) sigaction(SIGHUP, &sighup_act, NULL);
-+#endif
-+	if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
-+		{
-+		PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_INITIALIZE, rv);
-+		goto err;
-+		}
-+