merge conflicts trunk
authorchristos <christos@NetBSD.org>
Thu, 26 May 2016 16:49:55 +0000
branchtrunk
changeset 242671 498d3f87a01f
parent 242670 eca9baf9c09f
child 242672 162b47c69ac5
merge conflicts
external/bsd/bind/bind2netbsd
external/bsd/bind/dist/CHANGES
external/bsd/bind/dist/Makefile.in
external/bsd/bind/dist/README
external/bsd/bind/dist/acconfig.h
external/bsd/bind/dist/bin/check/named-checkconf.8
external/bsd/bind/dist/bin/check/named-checkconf.c
external/bsd/bind/dist/bin/check/named-checkzone.8
external/bsd/bind/dist/bin/check/named-checkzone.c
external/bsd/bind/dist/bin/confgen/ddns-confgen.8
external/bsd/bind/dist/bin/confgen/rndc-confgen.8
external/bsd/bind/dist/bin/delv/delv.c
external/bsd/bind/dist/bin/dig/dig.1
external/bsd/bind/dist/bin/dig/dig.c
external/bsd/bind/dist/bin/dig/dighost.c
external/bsd/bind/dist/bin/dig/host.1
external/bsd/bind/dist/bin/dig/nslookup.1
external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.8
external/bsd/bind/dist/bin/dnssec/dnssec-importkey.8
external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.8
external/bsd/bind/dist/bin/dnssec/dnssec-keygen.8
external/bsd/bind/dist/bin/dnssec/dnssec-revoke.8
external/bsd/bind/dist/bin/dnssec/dnssec-revoke.c
external/bsd/bind/dist/bin/dnssec/dnssec-settime.8
external/bsd/bind/dist/bin/dnssec/dnssec-settime.c
external/bsd/bind/dist/bin/dnssec/dnssec-signzone.8
external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c
external/bsd/bind/dist/bin/dnssec/dnssec-verify.8
external/bsd/bind/dist/bin/named/bind9.xsl.h
external/bsd/bind/dist/bin/named/client.c
external/bsd/bind/dist/bin/named/config.c
external/bsd/bind/dist/bin/named/control.c
external/bsd/bind/dist/bin/named/controlconf.c
external/bsd/bind/dist/bin/named/include/named/log.h
external/bsd/bind/dist/bin/named/include/named/query.h
external/bsd/bind/dist/bin/named/include/named/server.h
external/bsd/bind/dist/bin/named/lwdgrbn.c
external/bsd/bind/dist/bin/named/lwresd.8
external/bsd/bind/dist/bin/named/main.c
external/bsd/bind/dist/bin/named/named.8
external/bsd/bind/dist/bin/named/named.conf.5
external/bsd/bind/dist/bin/named/named.conf.docbook
external/bsd/bind/dist/bin/named/named.conf.html
external/bsd/bind/dist/bin/named/query.c
external/bsd/bind/dist/bin/named/server.c
external/bsd/bind/dist/bin/named/statschannel.c
external/bsd/bind/dist/bin/named/unix/include/named/os.h
external/bsd/bind/dist/bin/named/unix/os.c
external/bsd/bind/dist/bin/named/win32/include/named/os.h
external/bsd/bind/dist/bin/named/win32/os.c
external/bsd/bind/dist/bin/named/xfrout.c
external/bsd/bind/dist/bin/named/zoneconf.c
external/bsd/bind/dist/bin/nsupdate/nsupdate.1
external/bsd/bind/dist/bin/nsupdate/nsupdate.c
external/bsd/bind/dist/bin/pkcs11/openssl-0.9.8ze-patch
external/bsd/bind/dist/bin/pkcs11/openssl-1.0.0q-patch
external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1l-patch
external/bsd/bind/dist/bin/python/dnssec-checkds.8
external/bsd/bind/dist/bin/python/dnssec-checkds.docbook
external/bsd/bind/dist/bin/rndc/rndc.8
external/bsd/bind/dist/bin/rndc/rndc.conf.5
external/bsd/bind/dist/bin/tests/atomic/t_atomic.c
external/bsd/bind/dist/bin/tests/db_test.c
external/bsd/bind/dist/bin/tests/nsecify.c
external/bsd/bind/dist/bin/tests/rbt_test.c
external/bsd/bind/dist/bin/tests/system/delv/clean.sh
external/bsd/bind/dist/bin/tests/system/delv/ns1/named.conf
external/bsd/bind/dist/bin/tests/system/delv/ns1/root.db
external/bsd/bind/dist/bin/tests/system/delv/ns2/example.db
external/bsd/bind/dist/bin/tests/system/delv/ns2/named.conf
external/bsd/bind/dist/bin/tests/system/delv/ns3/named.conf
external/bsd/bind/dist/bin/tests/system/delv/tests.sh
external/bsd/bind/dist/bin/tests/system/dnssec/ns3/keyless.example.db.in
external/bsd/bind/dist/bin/tests/wire_test.c
external/bsd/bind/dist/bin/tools/arpaname.1
external/bsd/bind/dist/bin/tools/genrandom.8
external/bsd/bind/dist/bin/tools/isc-hmac-fixup.8
external/bsd/bind/dist/bin/tools/named-journalprint.8
external/bsd/bind/dist/bin/tools/nsec3hash.8
external/bsd/bind/dist/bin/win32/BINDInstall/BINDInstallDlg.h
external/bsd/bind/dist/config.h.in
external/bsd/bind/dist/configure
external/bsd/bind/dist/configure.in
external/bsd/bind/dist/contrib/dlz/modules/wildcard/dlz_wildcard_dynamic.c
external/bsd/bind/dist/contrib/perftcpdns/perftcpdns.c
external/bsd/bind/dist/contrib/query-loc-0.4.0/loc.c
external/bsd/bind/dist/contrib/query-loc-0.4.0/loc.h
external/bsd/bind/dist/contrib/sdb/ldap/zone2ldap.c
external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html
external/bsd/bind/dist/doc/arm/Bv9ARM.html
external/bsd/bind/dist/doc/arm/Bv9ARM.pdf
external/bsd/bind/dist/doc/arm/html-fixup.pl
external/bsd/bind/dist/doc/arm/latex-fixup.pl
external/bsd/bind/dist/doc/arm/man.arpaname.html
external/bsd/bind/dist/doc/arm/man.ddns-confgen.html
external/bsd/bind/dist/doc/arm/man.delv.html
external/bsd/bind/dist/doc/arm/man.dig.html
external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html
external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html
external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html
external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html
external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html
external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html
external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html
external/bsd/bind/dist/doc/arm/man.dnssec-settime.html
external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html
external/bsd/bind/dist/doc/arm/man.dnssec-verify.html
external/bsd/bind/dist/doc/arm/man.genrandom.html
external/bsd/bind/dist/doc/arm/man.host.html
external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html
external/bsd/bind/dist/doc/arm/man.named-checkconf.html
external/bsd/bind/dist/doc/arm/man.named-checkzone.html
external/bsd/bind/dist/doc/arm/man.named-journalprint.html
external/bsd/bind/dist/doc/arm/man.named-rrchecker.html
external/bsd/bind/dist/doc/arm/man.named.html
external/bsd/bind/dist/doc/arm/man.nsec3hash.html
external/bsd/bind/dist/doc/arm/man.nsupdate.html
external/bsd/bind/dist/doc/arm/man.rndc-confgen.html
external/bsd/bind/dist/doc/arm/man.rndc.conf.html
external/bsd/bind/dist/doc/arm/man.rndc.html
external/bsd/bind/dist/doc/misc/options
external/bsd/bind/dist/doc/xsl/isc-docbook-latex-mappings.xml
external/bsd/bind/dist/doc/xsl/isc-docbook-latex.xsl.in
external/bsd/bind/dist/doc/xsl/isc-notes-latex.xsl.in
external/bsd/bind/dist/isc-config.sh.1
external/bsd/bind/dist/lib/bind9/check.c
external/bsd/bind/dist/lib/dns/acache.c
external/bsd/bind/dist/lib/dns/api
external/bsd/bind/dist/lib/dns/cache.c
external/bsd/bind/dist/lib/dns/client.c
external/bsd/bind/dist/lib/dns/db.c
external/bsd/bind/dist/lib/dns/dst_api.c
external/bsd/bind/dist/lib/dns/dst_openssl.h
external/bsd/bind/dist/lib/dns/forward.c
external/bsd/bind/dist/lib/dns/gen.c
external/bsd/bind/dist/lib/dns/include/dns/db.h
external/bsd/bind/dist/lib/dns/include/dns/dbiterator.h
external/bsd/bind/dist/lib/dns/include/dns/forward.h
external/bsd/bind/dist/lib/dns/include/dns/message.h
external/bsd/bind/dist/lib/dns/include/dns/name.h
external/bsd/bind/dist/lib/dns/include/dns/rbt.h
external/bsd/bind/dist/lib/dns/include/dns/view.h
external/bsd/bind/dist/lib/dns/journal.c
external/bsd/bind/dist/lib/dns/master.c
external/bsd/bind/dist/lib/dns/message.c
external/bsd/bind/dist/lib/dns/name.c
external/bsd/bind/dist/lib/dns/openssl_link.c
external/bsd/bind/dist/lib/dns/openssldh_link.c
external/bsd/bind/dist/lib/dns/openssldsa_link.c
external/bsd/bind/dist/lib/dns/opensslrsa_link.c
external/bsd/bind/dist/lib/dns/rbt.c
external/bsd/bind/dist/lib/dns/rbtdb.c
external/bsd/bind/dist/lib/dns/rcode.c
external/bsd/bind/dist/lib/dns/rdata.c
external/bsd/bind/dist/lib/dns/rdata/any_255/tsig_250.c
external/bsd/bind/dist/lib/dns/rdata/ch_3/a_1.c
external/bsd/bind/dist/lib/dns/rdata/generic/afsdb_18.c
external/bsd/bind/dist/lib/dns/rdata/generic/cname_5.c
external/bsd/bind/dist/lib/dns/rdata/generic/dlv_32769.c
external/bsd/bind/dist/lib/dns/rdata/generic/dlv_32769.h
external/bsd/bind/dist/lib/dns/rdata/generic/dname_39.c
external/bsd/bind/dist/lib/dns/rdata/generic/dnskey_48.c
external/bsd/bind/dist/lib/dns/rdata/generic/dnskey_48.h
external/bsd/bind/dist/lib/dns/rdata/generic/ds_43.c
external/bsd/bind/dist/lib/dns/rdata/generic/hip_55.c
external/bsd/bind/dist/lib/dns/rdata/generic/ipseckey_45.c
external/bsd/bind/dist/lib/dns/rdata/generic/key_25.c
external/bsd/bind/dist/lib/dns/rdata/generic/key_25.h
external/bsd/bind/dist/lib/dns/rdata/generic/mb_7.c
external/bsd/bind/dist/lib/dns/rdata/generic/md_3.c
external/bsd/bind/dist/lib/dns/rdata/generic/mf_4.c
external/bsd/bind/dist/lib/dns/rdata/generic/mg_8.c
external/bsd/bind/dist/lib/dns/rdata/generic/minfo_14.c
external/bsd/bind/dist/lib/dns/rdata/generic/mr_9.c
external/bsd/bind/dist/lib/dns/rdata/generic/mx_15.c
external/bsd/bind/dist/lib/dns/rdata/generic/ns_2.c
external/bsd/bind/dist/lib/dns/rdata/generic/nsec3_50.c
external/bsd/bind/dist/lib/dns/rdata/generic/nsec_47.c
external/bsd/bind/dist/lib/dns/rdata/generic/nxt_30.c
external/bsd/bind/dist/lib/dns/rdata/generic/opt_41.c
external/bsd/bind/dist/lib/dns/rdata/generic/ptr_12.c
external/bsd/bind/dist/lib/dns/rdata/generic/rp_17.c
external/bsd/bind/dist/lib/dns/rdata/generic/rrsig_46.c
external/bsd/bind/dist/lib/dns/rdata/generic/rt_21.c
external/bsd/bind/dist/lib/dns/rdata/generic/sig_24.c
external/bsd/bind/dist/lib/dns/rdata/generic/soa_6.c
external/bsd/bind/dist/lib/dns/rdata/generic/spf_99.c
external/bsd/bind/dist/lib/dns/rdata/generic/tkey_249.c
external/bsd/bind/dist/lib/dns/rdata/generic/txt_16.c
external/bsd/bind/dist/lib/dns/rdata/in_1/a6_38.c
external/bsd/bind/dist/lib/dns/rdata/in_1/kx_36.c
external/bsd/bind/dist/lib/dns/rdata/in_1/nsap-ptr_23.c
external/bsd/bind/dist/lib/dns/rdata/in_1/px_26.c
external/bsd/bind/dist/lib/dns/rdata/in_1/srv_33.c
external/bsd/bind/dist/lib/dns/resolver.c
external/bsd/bind/dist/lib/dns/rootns.c
external/bsd/bind/dist/lib/dns/tests/Makefile.in
external/bsd/bind/dist/lib/dns/tests/dnstest.h
external/bsd/bind/dist/lib/dns/tests/rdata_test.c
external/bsd/bind/dist/lib/dns/tkey.c
external/bsd/bind/dist/lib/dns/update.c
external/bsd/bind/dist/lib/dns/view.c
external/bsd/bind/dist/lib/dns/xfrin.c
external/bsd/bind/dist/lib/dns/zone.c
external/bsd/bind/dist/lib/irs/resconf.c
external/bsd/bind/dist/lib/isc/base32.c
external/bsd/bind/dist/lib/isc/base64.c
external/bsd/bind/dist/lib/isc/buffer.c
external/bsd/bind/dist/lib/isc/commandline.c
external/bsd/bind/dist/lib/isc/hash.c
external/bsd/bind/dist/lib/isc/hex.c
external/bsd/bind/dist/lib/isc/httpd.c
external/bsd/bind/dist/lib/isc/include/isc/assertions.h
external/bsd/bind/dist/lib/isc/include/isc/error.h
external/bsd/bind/dist/lib/isc/include/isc/file.h
external/bsd/bind/dist/lib/isc/include/isc/hash.h
external/bsd/bind/dist/lib/isc/include/isc/magic.h
external/bsd/bind/dist/lib/isc/include/isc/netaddr.h
external/bsd/bind/dist/lib/isc/include/isc/result.h
external/bsd/bind/dist/lib/isc/include/isc/sockaddr.h
external/bsd/bind/dist/lib/isc/include/isc/socket.h
external/bsd/bind/dist/lib/isc/include/isc/util.h
external/bsd/bind/dist/lib/isc/md5.c
external/bsd/bind/dist/lib/isc/mem.c
external/bsd/bind/dist/lib/isc/netaddr.c
external/bsd/bind/dist/lib/isc/result.c
external/bsd/bind/dist/lib/isc/sockaddr.c
external/bsd/bind/dist/lib/isc/stats.c
external/bsd/bind/dist/lib/isc/string.c
external/bsd/bind/dist/lib/isc/task.c
external/bsd/bind/dist/lib/isc/unix/file.c
external/bsd/bind/dist/lib/isc/unix/net.c
external/bsd/bind/dist/lib/isc/unix/socket.c
external/bsd/bind/dist/lib/isc/win32/file.c
external/bsd/bind/dist/lib/isc/win32/include/isc/atomic.h
external/bsd/bind/dist/lib/isc/win32/socket.c
external/bsd/bind/dist/lib/isc/x86_32/include/isc/atomic.h
external/bsd/bind/dist/lib/isc/x86_64/include/isc/atomic.h
external/bsd/bind/dist/lib/isccc/cc.c
external/bsd/bind/dist/lib/isccc/sexpr.c
external/bsd/bind/dist/lib/isccfg/aclconf.c
external/bsd/bind/dist/lib/isccfg/namedconf.c
external/bsd/bind/dist/lib/isccfg/parser.c
external/bsd/bind/dist/lib/lwres/man/lwres.3
external/bsd/bind/dist/lib/lwres/man/lwres_buffer.3
external/bsd/bind/dist/lib/lwres/man/lwres_config.3
external/bsd/bind/dist/lib/lwres/man/lwres_context.3
external/bsd/bind/dist/lib/lwres/man/lwres_gabn.3
external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.3
external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.3
external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.3
external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.3
external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.3
external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.3
external/bsd/bind/dist/lib/lwres/man/lwres_gnba.3
external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.3
external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.3
external/bsd/bind/dist/lib/lwres/man/lwres_noop.3
external/bsd/bind/dist/lib/lwres/man/lwres_packet.3
external/bsd/bind/dist/lib/lwres/man/lwres_resutil.3
external/bsd/bind/dist/make/rules.in
external/bsd/bind/dist/srcid
external/bsd/bind/dist/version
external/bsd/bind/include/config.h
external/bsd/bind/include/dns/code.h
external/bsd/bind/include/dns/enumtype.h
external/bsd/bind/include/dns/rdatastruct.h
external/bsd/bind/include/isc/atomic.h
external/bsd/bind/include/isc/platform.h
--- a/external/bsd/bind/bind2netbsd	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/bind2netbsd	Thu May 26 16:49:55 2016 +0000
@@ -1,6 +1,6 @@
 #! /bin/sh
 #
-#	$NetBSD: bind2netbsd,v 1.3 2015/12/17 04:00:21 christos Exp $
+#	$NetBSD: bind2netbsd,v 1.4 2016/05/26 16:49:55 christos Exp $
 #
 # Copyright (c) 2000 The NetBSD Foundation, Inc.
 # All rights reserved.
@@ -38,7 +38,7 @@
 #	$ cd src/external/bsd/bind/dist
 #	$ cvs -d cvs.netbsd.org:/cvsroot import -m "Import bind 9.x.y" src/external/bsd/bind/dist ISC bind-9-x-y
 #	$ cd ../../../../../bind-9.x.y
-#	$ run ./configure
+#	$ run ./configure --enable-fetchlimit --enable-sit --enable-fixed-rrset --enable-querytrace
 #	$ run make
 #	- use the binclude4netbsd to create and import the new headers in
 #	  /usr/src/external/bsd/bind/include
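Review bot: The new `./configure` line in the import recipe carries four feature flags with no word on why each one is there, and since the next step generates the headers under `/usr/src/external/bsd/bind/include` from this configure run, the flags presumably decide what the shipped `named` is compiled with. `--enable-querytrace` is the one to confirm: CHANGES entry 4327, merged in this same commit, describes it as logging query and depth counters during fetches to help in diagnosing, which is not obviously wanted in a production resolver (log volume, and query names ending up in logs). I would add a comment above the line such as `# fetchlimit: fetches-per-server/fetches-per-zone limits (off by default upstream); sit, fixed-rrset: <reason>; querytrace: diagnostic logging, <reason it is on>`, so that the next import does not drop or keep a flag by accident. The comment block this line belongs to starts and ends outside the hunk.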
--- a/external/bsd/bind/dist/CHANGES	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/CHANGES	Thu May 26 16:49:55 2016 +0000
@@ -1,10 +1,99 @@
-
-	--- 9.10.3-P4 released ---
+	--- 9.10.4-P1 released ---
+
+4368.	[bug]		Fix a crash when calling "rndc stats" on some
+			Windows builds because some Visual Studio compilers
+			generated crashing code for the "%z" printf()
+			format specifier. [RT #42380]
+
+4366.	[bug]		Address race condition when updating rbtnode bit
+			fields. [RT #42379]
+
+4363.	[port]		win32: Disable explicit triggering UAC when running
+			BINDInstall.
+
+	--- 9.10.4 released ---
+
+	--- 9.10.4rc1 released ---
+
+4347.	[port]		Corrected a build error on x86_64 Solaris. [RT #42150]
+
+4346.	[bug]		Fixed a regression introduced in change #4337 which
+			caused signed domains with revoked KSKs to fail
+			validation. [RT #42147]
+
+4345.	[contrib]	perftcpdns mishandled the return values from
+			clock_nanosleep. [RT #42131]
+
+4344.	[port]		Address openssl version differences. [RT #42059]
+
+	--- 9.10.4b3 released ---
+
+4342.	[bug]		'rndc flushtree' could fail to clean the tree if there
+			wasn't a node at the specified name. [RT #41846]
+
+4341.	[bug]		Correct the handling of ECS options with
+			address family 0. [RT #41377]
+
+4338.	[bug]		Reimplement change 4324 as it wasn't properly doing
+			all the required book keeping. [RT #41941]
+
+4337.	[bug]		The previous change exposed a latent flaw in
+			key refresh queries for managed-keys when
+			a cached DNSKEY had TTL 0. [RT #41986]
+
+4336.	[bug]		Don't emit records with zero ttl unless the records
+			were learnt with a zero ttl. [RT #41687]
+
+4335.	[bug]		zone->view could be detached too early. [RT #41942]
+
+4333.	[maint]		L.ROOT-SERVERS.NET is now 199.7.83.42 and
+			2001:500:9f::42.
+
+	--- 9.10.4b2 released ---
+
+4332.	[bug]		Windows SIT -> COOKIE configuration support was
+			accidentally back ported to 9.10 breaking existing
+			configurations. [RT #41905]
+
+4331.	[func]		When loading managed signed zones detect if the
+			RRSIG's inception time is in the future and regenerate
+			the RRSIG immediately. [RT #41808]
+
+4330.	[protocol]	Identify the PAD option as "PAD" when printing out
+			a message.
+
+	--- 9.10.4b1 released ---
+
+4329.	[func]		Warn about a common misconfiguration when forwarding
+			RFC 1918 zones. [RT #41441]
+
+4328.	[performance]	Add dns_name_fromwire() benchmark test. [RT #41694]
+
+4327.	[func]		Log query and depth counters during fetches when
+			querytrace (./configure --enable-querytrace) is
+			enabled (helps in diagnosing).  [RT #41787]
+
+4326.	[protocol]	Add support for AVC. [RT #41819]
+
+4324.	[bug]		When deleting records from a zone database, interior
+			nodes could be left empty but not deleted, damaging
+			search performance afterward. [RT #40997]
+
+4323.	[bug]		Improve HTTP header processing on statschannel.
+			[RT #41674]
 
 4322.	[security]	Duplicate EDNS COOKIE options in a response could
 			trigger an assertion failure. (CVE-2016-2088)
 			[RT #41809]
 
+4321.	[bug]		Zones using mapped files containing out-of-zone data
+			could return SERVFAIL instead of the expected NODATA
+			or NXDOMAIN results. [RT #41596]
+
+4320.	[bug]		Insufficient memory allocation when handling
+			"none" ACL could cause an assertion failure in
+			named when parsing ACL configuration. [RT #41745]
+
 4319.	[security]	Fix resolver assertion failure due to improper
 			DNAME handling when parsing fetch reply messages.
 			(CVE-2016-1286) [RT #41753]
@@ -12,12 +101,85 @@
 4318.	[security]	Malformed control messages can trigger assertions
 			in named and rndc. (CVE-2016-1285) [RT #41666]
 
-	--- 9.10.3-P3 released ---
+4317.	[bug]		Age all unused servers on fetch timeout. [RT #41597]
+
+4315.	[bug]		Check that configured view class isn't a meta class.
+			[RT #41572].
+
+4314.	[contrib]	Added 'dnsperf-2.1.0.0-1', a set of performance
+			testing tools provided by Nominum, Inc.
+
+4313.	[bug]		Handle ns_client_replace failures in test mode.
+			[RT #41190]
+
+4312.	[bug]		dig's unknown DNS and EDNS flags (MBZ value) logging
+			was not consistent. [RT #41600]
+
+4311.	[bug]		Prevent "rndc delzone" from being used on
+			response-policy zones. [RT #41593]
+
+4310.	[performance]	Use __builtin_expect() where available to annotate
+			conditions with known behavior. [RT #41411]
+
+4308.	[func]		Added operating system details to "named -V"
+			output. [RT #41452]
+
+4307.	[bug]		"dig +subnet" could send incorrectly-formatted
+			Client Subnet options if the prefix length was
+			not divisible by 8. [RT #45178]
+
+4306.	[maint]		Added a PKCS#11 openssl patch supporting
+			version 1.0.2f [RT #38312]
+
+4305.	[bug]		dnssec-signzone was not removing unnecessary rrsigs
+			from the zone's apex. [RT #41483]
+
+4304.	[port]		xfer system test failed as 'tail -n +value' is not
+			portable. [RT #41315]
+
+4303.	[bug]		"dig +subnet" was unable to send a prefix length of
+			zero, as it was incorrectly changed to 32 for v4
+			prefixes or 128 for v6 prefixes. In addition to
+			fixing this, "dig +subnet=0" has been added as a
+			short form for 0.0.0.0/0. [RT #41553]
+
+4302.	[port]		win32: fixed a build error in VS 2015. [RT #41426]
+
+4300.	[cleanup]	Added new querytrace logging. [RT #41155]
+
+4299.	[bug]		Check that exactly totallen bytes are read when
+			reading a RRset from raw files in both single read
+			and incremental modes. [RT #41402]
+
+4298.	[bug]		dns_rpz_add errors in loadzone were not being
+			propagated up the call stack. [RT #41425]
+
+4297.	[test]		Ensure delegations in RPZ zones fail robustly.
+			[RT #41518]
+
+4295.	[bug]		An unchecked result in dns_message_pseudosectiontotext()
+			could allow incorrect text formatting of EDNS EXPIRE
+			options. [RT #41437]
+
+4294.	[bug]		Fixed a regression in which "rndc stop -p" failed
+			to print the PID. [RT #41513]
+
+4293.	[bug]		Address memory leak on priming query creation failure.
+			[RT #41512]
+
+4291.	[cleanup]	Added a required include to dns/forward.h. [RT #41474]
+
+4289.	[bug]		The server could crash due to memory being used
+			after it was freed if a zone transfer timed out.
+			[RT #41297]
 
 4288.	[bug]		Fixed a regression in resolver.c:possibly_mark()
 			which caused known-bogus servers to be queried
 			anyway. [RT #41321]
 
+4287.	[bug]		Silence an overly noisy log message when message
+			parsing fails. [RT #41374]
+
 4286.	[security]	render_ecs errors were mishandled when printing out
 			a OPT record resulting in a assertion failure.
 			(CVE-2015-8705) [RT #41397]
@@ -25,11 +187,67 @@
 4285.	[security]	Specific APL data could trigger a INSIST.
 			(CVE-2015-8704) [RT #41396]
 
-	--- 9.10.3-P2 released ---
+4284.	[bug]		Some GeoIP options were incorrectly documented
+			using abbreviated forms which were not accepted by
+			named.  The code has been updated to allow both
+			long and abbreviated forms. [RT #41381]
+
+4283.	[bug]		OPENSSL_config is no longer re-callable. [RT #41348]
+
+4281.	[bug]		Teach dns_message_totext about BADCOOKIE. [RT #41257]
+
+4280.	[performance]	Use optimal message sizes to improve compression
+			in AXFRs. This reduces network traffic. [RT #40996]
+
+4279.	[test]		Don't use fixed ports when unit testing. [RT #41194]
+
+4278.	[bug]		'delv +short +[no]split[=##]' didn't work as expected.
+			[RT #41238]
+
+4277.	[performance]	Improve performance of the RBT, the central zone
+			datastructure: The aux hashtable was improved,
+			hash function was updated to perform more
+			uniform mapping, uppernode was added to
+			dns_rbtnode, and other cleanups and performance
+			improvements were made. [RT #41165]
+
+4276.	[protocol]	Add support for SMIMEA. [RT #40513]
+
+4274.	[performance]	Speed up typemap processing from text. [RT #41196]
+
+4273.	[bug]		Only call dns_test_begin() and dns_test_end() once each
+			in nsec3_test as it fails with GOST if called multiple
+			times.
+
+4272.	[bug]		dig: the +norrcomments option didn't work with +multi.
+			[RT #41234]
+
+4271.	[test]		Unit tests could deadlock in isc__taskmgr_pause().
+			[RT #41235]
 
 4270.	[security]	Update allowed OpenSSL versions as named is
 			potentially vulnerable to CVE-2015-3193.
 
+4269.	[bug]		Zones using "map" format master files currently
+			don't work as policy zones.  This limitation has
+			now been documented; attempting to use such zones
+			in "response-policy" statements is now a
+			configuration error.  [RT #38321]
+
+4267.	[test]		Check sdlz error handling. [RT #41142]
+
+4265.	[bug]		Address unchecked isc_mem_get calls. [RT #41187]
+
+4264.	[bug]		Check const of strchr/strrchr assignments match
+			argument's const status. [RT #41150]
+
+4262.	[bug]		Fixed a bug in epoll socket code that caused
+			sockets to not be registered for ready
+			notification in some cases, causing named to not
+			read from or write to them, resulting in what
+			appear to the user as blocked connections.
+			[RT #41067]
+
 4261.	[maint]		H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53.
 			[RT #40556]
 
@@ -38,10 +256,154 @@
 			triggering a REQUIRE failure when those records
 			were subsequently cached. (CVE-2015-8000) [RT #40987]
 
+4258.	[bug]		Limit rndc query message sizes to 32 KiB. This should
+			not break any legitimate rndc commands, but will
+			prevent a rogue rndc query from allocating too
+			much memory. [RT #41073]
+
+4257.	[cleanup]	Python scripts reported incorrect version. [RT #41080]
+
+4256.	[bug]		Allow rndc command arguments to be quoted so as
+			to allow spaces. [RT #36665]
+
+4254.	[bug]		Address missing lock when getting zone's serial.
+			[RT #41072]
+
 4253.	[security]	Address fetch context reference count handling error
-			on socket error. (CVE-2015-8461) [RT#40945]
-
-	--- 9.10.3-P1 (withdrawn) ---
+			on socket error. (CVE-2015-8461)  [RT#40945]
+
+4248.	[performance]	Add an isc_atomic_storeq() function, use it in
+			stats counters to improve performance.
+			[RT #39972] [RT #39979]
+
+4247.	[port]		Require both HAVE_JSON and JSON_C_VERSION to be
+			defined to report json library version. [RT #41045]
+
+4246.	[test]		Ensure the statschannel system test runs when BIND
+			is not built with libjson. [RT #40944]
+
+4245.	[bug]		Fix statistics version to match against in bind9.xsl.
+			[RT #41039]
+
+4244.	[bug]		The parser was not reporting that use-ixfr is obsolete.
+			[RT #41010]
+
+4242.	[bug]		Replace the client if not already replaced when
+			prefetching. [RT #41001]
+
+4241.	[doc]		Improved the TSIG, TKEY, and SIG(0) sections in
+			the ARM. [RT #40955]
+
+4240.	[port]		Fix LibreSSL compatibility. [RT #40977]
+
+4238.	[bug]		Don't send to servers on net zero (0.0.0.0/8).
+			[RT #40947]
+
+4237.	[doc]		Upgraded documentation toolchain to use DocBook 5
+			and dblatex. [RT #40766]
+
+4236.	[performance]	On machines with 2 or more processors (CPU), the
+			default value for the number of UDP listeners
+			has been changed to the number of detected
+			processors minus one. [RT #40761]
+
+4233.	[test]		Add tests for CDS and CDNSKEY with delegation-only.
+			[RT #40597]
+
+4232.	[contrib]	Address unchecked memory allocation calls in
+			query-loc and zone2ldap. [RT #40789]
+
+4230.	[contrib]	dlz_wildcard_dynamic.c:dlz_create could return a
+			uninitialized result. [RT #40839]
+
+4229.	[bug]		A variable could be used uninitialized in
+			dns_update_signaturesinc. [RT #40784]
+
+4228.	[bug]		Address race condition in dns_client_destroyrestrans.
+			[RT #40605]
+
+4227.	[bug]		Silence static analysis warnings. [RT #40828]
+
+4226.	[bug]		Address a theoretical shutdown race in
+			zone.c:notify_send_queue(). [RT #38958]
+
+4225.	[port]		freebsd/openbsd:  Use '${CC} -shared' for building
+			shared libraries. [RT #39557]
+
+4221.	[bug]		Resource leak on DNS_R_NXDOMAIN in fctx_create.
+			[RT #40583]
+
+4220.	[doc]		Improve documentation for zone-statistics.
+			[RT #36955]
+
+4219.	[bug]		Set event->result to ISC_R_WOULDBLOCK on EWOULDBLOCK,
+			EGAIN when these soft error are not retried for
+			isc_socket_send*().
+
+4218.	[bug]		Potential null pointer dereference on out of memory
+			if mmap is not supported. [RT #40777]
+
+4217.	[protocol]	Add support for CSYNC. [RT #40532]
+
+4216.	[cleanup]	Silence static analysis warnings. [RT #40649]
+
+4215.	[bug]		nsupdate: skip to next request on GSSTKEY create
+			failure. [RT #40685]
+
+4214.	[protocol]	Add support for TALINK.  [RT #40544]
+
+4213.	[bug]		Don't reuse a cache across multiple classes.
+			[RT #40205]
+
+4210.	[cleanup]	Silence use after free false positive. [RT #40743]
+
+4209.	[bug]		Address resource leaks in dlz modules. [RT #40654]
+
+4208.	[bug]		Address null pointer dereferences on out of memory.
+			[RT #40764]
+
+4207.	[bug]		Handle class mismatches with raw zone files.
+			[RT #40746]
+
+4206.   [bug]		contrib: fixed a possible NULL dereference in
+			DLZ wildcard module. [RT #40745]
+
+4205.	[bug]		'named-checkconf -p' could include unwanted spaces
+			when printing tuples with unset optional fields.
+			[RT #40731]
+
+4204.	[bug]		'dig +trace' failed to lookup the correct type if
+			the initial root NS query was retried. [RT #40296]
+
+4203.	[test]		The rrchecker system test now tests conversion
+			to and from unknown-type format. [RT #40584]
+
+4202.	[bug]		isccc_cc_fromwire() could return an incorrect
+			result. [RT #40614]
+
+4201.	[func]		The default preferred-glue is now the address record
+			type of the transport the query was received
+			over.  [RT #40468]
+
+4200.	[cleanup]	win32: update BINDinstall to be BIND release
+			independent. [RT #38915]
+
+4199.	[protocol]	Add support for NINFO, RKEY, SINK, TA.
+			[RT #40545] [RT #40547] [RT #40561] [RT #40563]
+
+4198.	[doc]		Add fetch-quota-params, fetches-per-server, and
+			fetches-per-zone to doc/misc/options. [RT #40601]
+
+4197.	[bug]		'named-checkconf -z' didn't handle 'in-view' clauses.
+			[RT #40603]
+
+4196.	[doc]		Improve how "enum + other" types are documented.
+			[RT #40608]
+
+4195.	[bug]		'max-zone-ttl unlimited;' was broken. [RT #40608]
+
+4194.	[bug]		named-checkconf -p failed to properly print a port
+			range.  [RT #40634]
 
 	--- 9.10.3 released ---
 
@@ -56,7 +418,7 @@
 4191.	[protocol]	Accept DNS-SD non LDH PTR records in reverse zones
 			as per RFC 6763. [RT #37889]
 
-4190.	[protocol]	Accept Active Diretory gc._msdcs.<forest> name as
+4190.	[protocol]	Accept Active Directory gc._msdcs.<forest> name as
 			valid with check-names.  <forest> still needs to be
 			LDH. [RT #40399]
 
--- a/external/bsd/bind/dist/Makefile.in	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/Makefile.in	Thu May 26 16:49:55 2016 +0000
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2009, 2011-2014  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2009, 2011-2015  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -19,7 +19,7 @@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-@BIND9_VERSION@
+VERSION=@BIND9_VERSION@
 
 SUBDIRS =	make unit lib bin doc @LIBEXPORT@
 TARGETS =
@@ -33,6 +33,9 @@
 
 @BIND9_MAKE_RULES@
 
+newrr:
+	cd lib/dns; ${MAKE} newrr
+
 bind.keys.h: ${top_srcdir}/bind.keys ${srcdir}/util/bindkeys.pl
 	${PERL} ${srcdir}/util/bindkeys.pl < ${top_srcdir}/bind.keys > $@
 
--- a/external/bsd/bind/dist/README	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/README	Thu May 26 16:49:55 2016 +0000
@@ -51,29 +51,21 @@
 	For up-to-date release notes and errata, see
 	http://www.isc.org/software/bind9/releasenotes
 
-
-BIND 9.10.3-P4
-
-	BIND 9.10.3-P4 is a security release addressing the flaws
-	described in CVE-2016-1285, CVE-2016-1286 and CVE-2016-2088.
-
-BIND 9.10.3-P3
+BIND 9.10.4-P1
 
-	BIND 9.10.3-P3 is a security release addressing the flaws
-	described in CVE-2015-8704 and CVE-2015-8705. It also fixes
-	a serious regression in authoritative server selection that
-	was introduced in BIND 9.10.3.
-
-BIND 9.10.3-P2
+	This version contains tree urgent fixes to BIND 9.10.4:
+	1) Windows installation was failing without manual updating
+	   of BINDinstall's attributes.
+	2) Windows doesn't support the %z printf modifier.
+	3) A race condition was causing instability in the rbt
+	   tree state.
 
-	BIND 9.10.3-P2 is a security release addressing the flaws
-	described in CVE-2015-3193 (OpenSSL), CVE-2015-8000 and
-	CVE-2015-8461.
+BIND 9.10.4
 
-BIND 9.10.3-P1
-
-	BIND 9.10.3-P1 was incomplete and was withdrawn prior to
-	publication.
+	BIND 9.10.4 is a maintenance release and addresses bugs
+	found in BIND 9.10.3 and earlier, as well as the security
+	flaws described in CVE-2015-8000, CVE-2015-8461, CVE-2015-8704,
+	CVE-2015-8705, CVE-2016-1285, CVE-2016-1286, and CVE-2016-2088.
 
 BIND 9.10.3
 
@@ -104,7 +96,7 @@
 	  NOTE: These features are NOT built in by default; use
 	  "configure --enable-fetchlimit" to enable them.
 
-	- Dig now supports sending of arbitary EDNS options by specifying
+	- Dig now supports sending of arbitrary EDNS options by specifying
 	  them on the command line.
 
 BIND 9.10.2
@@ -541,6 +533,8 @@
 	   [tuning]       Changes to built-in configuration defaults
 			  and constants to improve performance
 
+	   [performance]  Other changes to improve server performance
+
 	   [protocol]     Updates to the DNS protocol such as new
 			  RR types
 
--- a/external/bsd/bind/dist/acconfig.h	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/acconfig.h	Thu May 26 16:49:55 2016 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: acconfig.h,v 1.8 2014/12/10 04:37:51 christos Exp $	*/
+/*	$NetBSD: acconfig.h,v 1.9 2016/05/26 16:49:55 christos Exp $	*/
 
 /*
- * Copyright (C) 2004, 2005, 2007, 2008, 2012, 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008, 2012, 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -148,3 +148,6 @@
 
 /* Define if threads need PTHREAD_SCOPE_SYSTEM */
 #undef NEED_PTHREAD_SCOPE_SYSTEM
+
+/* Define to 1 if you have the uname library function. */
+#undef HAVE_UNAME
--- a/external/bsd/bind/dist/bin/check/named-checkconf.8	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/check/named-checkconf.8	Thu May 26 16:49:55 2016 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: named-checkconf.8,v 1.6 2014/12/10 04:37:51 christos Exp $
+.\"	$NetBSD: named-checkconf.8,v 1.7 2016/05/26 16:49:55 christos Exp $
 .\"
-.\" Copyright (C) 2004, 2005, 2007, 2009, 2014 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007, 2009, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2002 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -15,115 +15,131 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" Id
-.\"
 .hy 0
 .ad l
-.\"     Title: named\-checkconf
+'\" t
+.\"     Title: named-checkconf
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: January 10, 2014
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2014-01-10
 .\"    Manual: BIND9
-.\"    Source: BIND9
+.\"    Source: ISC
+.\"  Language: English
 .\"
-.TH "NAMED\-CHECKCONF" "8" "January 10, 2014" "BIND9" "BIND9"
+.TH "NAMED\-CHECKCONF" "8" "2014\-01\-10" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
 .SH "NAME"
-named\-checkconf \- named configuration file syntax checking tool
+named-checkconf \- named configuration file syntax checking tool
 .SH "SYNOPSIS"
-.HP 16
+.HP \w'\fBnamed\-checkconf\fR\ 'u
 \fBnamed\-checkconf\fR [\fB\-h\fR] [\fB\-v\fR] [\fB\-j\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename} [\fB\-p\fR] [\fB\-x\fR] [\fB\-z\fR]
 .SH "DESCRIPTION"
 .PP
 \fBnamed\-checkconf\fR
 checks the syntax, but not the semantics, of a
 \fBnamed\fR
-configuration file. The file is parsed and checked for syntax errors, along with all files included by it. If no file is specified,
-\fI/etc/named.conf\fR
-is read by default.
+configuration file\&. The file is parsed and checked for syntax errors, along with all files included by it\&. If no file is specified,
+/etc/named\&.conf
+is read by default\&.
 .PP
 Note: files that
 \fBnamed\fR
 reads in separate parser contexts, such as
-\fIrndc.key\fR
+rndc\&.key
 and
-\fIbind.keys\fR, are not automatically read by
-\fBnamed\-checkconf\fR. Configuration errors in these files may cause
+bind\&.keys, are not automatically read by
+\fBnamed\-checkconf\fR\&. Configuration errors in these files may cause
 \fBnamed\fR
 to fail to run, even if
 \fBnamed\-checkconf\fR
-was successful.
+was successful\&.
 \fBnamed\-checkconf\fR
-can be run on these files explicitly, however.
+can be run on these files explicitly, however\&.
 .SH "OPTIONS"
 .PP
 \-h
 .RS 4
-Print the usage summary and exit.
+Print the usage summary and exit\&.
 .RE
 .PP
 \-t \fIdirectory\fR
 .RS 4
 Chroot to
-\fIdirectory\fR
-so that include directives in the configuration file are processed as if run by a similarly chrooted named.
+directory
+so that include directives in the configuration file are processed as if run by a similarly chrooted named\&.
 .RE
 .PP
 \-v
 .RS 4
 Print the version of the
 \fBnamed\-checkconf\fR
-program and exit.
+program and exit\&.
 .RE
 .PP
 \-p
 .RS 4
 Print out the
-\fInamed.conf\fR
-and included files in canonical form if no errors were detected.
+named\&.conf
+and included files in canonical form if no errors were detected\&.
 .RE
 .PP
 \-x
 .RS 4
-When printing the configuration files in canonical form, obscure shared secrets by replacing them with strings of question marks ('?'). This allows the contents of
-\fInamed.conf\fR
-and related files to be shared \(em for example, when submitting bug reports \(em without compromising private data. This option cannot be used without
-\fB\-p\fR.
+When printing the configuration files in canonical form, obscure shared secrets by replacing them with strings of question marks (\*(Aq?\*(Aq)\&. This allows the contents of
+named\&.conf
+and related files to be shared \(em for example, when submitting bug reports \(em without compromising private data\&. This option cannot be used without
+\fB\-p\fR\&.
 .RE
 .PP
 \-z
 .RS 4
 Perform a test load of all master zones found in
-\fInamed.conf\fR.
+named\&.conf\&.
 .RE
 .PP
 \-j
 .RS 4
-When loading a zonefile read the journal if it exists.
+When loading a zonefile read the journal if it exists\&.
 .RE
 .PP
 filename
 .RS 4
-The name of the configuration file to be checked. If not specified, it defaults to
-\fI/etc/named.conf\fR.
+The name of the configuration file to be checked\&. If not specified, it defaults to
+/etc/named\&.conf\&.
 .RE
 .SH "RETURN VALUES"
 .PP
 \fBnamed\-checkconf\fR
-returns an exit status of 1 if errors were detected and 0 otherwise.
+returns an exit status of 1 if errors were detected and 0 otherwise\&.
 .SH "SEE ALSO"
 .PP
 \fBnamed\fR(8),
-\fBnamed\-checkzone\fR(8),
-BIND 9 Administrator Reference Manual.
+\fBnamed-checkzone\fR(8),
+BIND 9 Administrator Reference Manual\&.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
+\fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007, 2009, 2014 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2004, 2005, 2007, 2009, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 .br
-Copyright \(co 2000\-2002 Internet Software Consortium.
+Copyright \(co 2000-2002 Internet Software Consortium.
 .br
--- a/external/bsd/bind/dist/bin/check/named-checkconf.c	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/check/named-checkconf.c	Thu May 26 16:49:55 2016 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: named-checkconf.c,v 1.12 2015/12/17 04:00:40 christos Exp $	*/
+/*	$NetBSD: named-checkconf.c,v 1.13 2016/05/26 16:49:55 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2007, 2009-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009-2016  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -182,6 +182,7 @@
 	const char *zfile = NULL;
 	const cfg_obj_t *maps[4];
 	const cfg_obj_t *mastersobj = NULL;
+	const cfg_obj_t *inviewobj = NULL;
 	const cfg_obj_t *zoptions = NULL;
 	const cfg_obj_t *classobj = NULL;
 	const cfg_obj_t *typeobj = NULL;
@@ -213,6 +214,10 @@
 	}
 	maps[i] = NULL;
 
+	cfg_map_get(zoptions, "in-view", &inviewobj);
+	if (inviewobj != NULL)
+		return (ISC_R_SUCCESS);
+
 	cfg_map_get(zoptions, "type", &typeobj);
 	if (typeobj == NULL)
 		return (ISC_R_FAILURE);
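Review bot: The early `return (ISC_R_SUCCESS)` for a zone that carries `in-view` has no comment explaining why the zone is skipped, and it sits before the `type` lookup, so every later check in this function is bypassed for such a zone. I would put `/* in-view zones only reference a zone defined in another view; it is loaded and checked there */` above the `cfg_map_get(zoptions, "in-view", &inviewobj)` call; presumably that is the intent, but the hunk does not say so. The return value of `cfg_map_get` is ignored, as it is for `type` just below, which is safe only while `inviewobj` keeps its `NULL` initialiser from the declaration hunk above. The enclosing function starts and ends outside this hunk.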
@@ -438,15 +443,27 @@
 	return (result);
 }
 
+static isc_result_t
+config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
+		dns_rdataclass_t *classp)
+{
+	isc_textregion_t r;
+
+	if (!cfg_obj_isstring(classobj)) {
+		*classp = defclass;
+		return (ISC_R_SUCCESS);
+	}
+	DE_CONST(cfg_obj_asstring(classobj), r.base);
+	r.length = strlen(r.base);
+	return (dns_rdataclass_fromtext(classp, &r));
+}
 
 /*% load zones from the configuration */
 static isc_result_t
 load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx) {
 	const cfg_listelt_t *element;
-	const cfg_obj_t *classobj;
 	const cfg_obj_t *views;
 	const cfg_obj_t *vconfig;
-	const char *vclass;
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
 
@@ -457,17 +474,24 @@
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
+		const cfg_obj_t *classobj;
+		dns_rdataclass_t viewclass;
 		const char *vname;
+		char buf[sizeof("CLASS65535")];
 
-		vclass = "IN";
 		vconfig = cfg_listelt_value(element);
-		if (vconfig != NULL) {
-			classobj = cfg_tuple_get(vconfig, "class");
-			if (cfg_obj_isstring(classobj))
-				vclass = cfg_obj_asstring(classobj);
-		}
+		if (vconfig == NULL)
+			continue;
+
+		classobj = cfg_tuple_get(vconfig, "class");
+		CHECK(config_getclass(classobj, dns_rdataclass_in,
+					 &viewclass));
+		if (dns_rdataclass_ismeta(viewclass))
+			CHECK(ISC_R_FAILURE);
+
+		dns_rdataclass_format(viewclass, buf, sizeof(buf));
 		vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
-		tresult = configure_view(vclass, vname, config, vconfig, mctx);
+		tresult = configure_view(buf, vname, config, vconfig, mctx);
 		if (tresult != ISC_R_SUCCESS)
 			result = tresult;
 	}
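Review bot: The two `CHECK(...)` exits added inside the view loop stop the run at the first view whose class fails to parse or is a meta class, so the remaining views are never test-loaded, and nothing in the hunk reports which view was at fault. A `configure_view` failure a few lines below is handled differently: it is stored in `tresult` and the loop carries on. This assumes `CHECK` is the usual set-`result`-and-`goto cleanup` macro, whose definition is outside the hunk, and an earlier configuration check may already report the bad class. For a checking tool it seems better to record the failure and continue, as sketched below. `load_zones_fromconfig` begins in the previous hunk and ends in the next one, where the `cleanup:` label would then be unused.

```c
		classobj = cfg_tuple_get(vconfig, "class");
		tresult = config_getclass(classobj, dns_rdataclass_in,
					  &viewclass);
		if (tresult == ISC_R_SUCCESS &&
		    dns_rdataclass_ismeta(viewclass))
			tresult = ISC_R_FAILURE;
		if (tresult != ISC_R_SUCCESS) {
			/* keep going so the other views are still checked */
			result = tresult;
			continue;
		}
		/* … unchanged: dns_rdataclass_format, vname lookup, configure_view call … */
```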
@@ -477,6 +501,8 @@
 		if (tresult != ISC_R_SUCCESS)
 			result = tresult;
 	}
+
+cleanup:
 	return (result);
 }
 
--- a/external/bsd/bind/dist/bin/check/named-checkzone.8	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/check/named-checkzone.8	Thu May 26 16:49:55 2016 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: named-checkzone.8,v 1.7 2014/12/10 04:37:51 christos Exp $
+.\"	$NetBSD: named-checkzone.8,v 1.8 2016/05/26 16:49:55 christos Exp $
 .\"
-.\" Copyright (C) 2004-2007, 2009-2014 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007, 2009-2015 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2002 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -15,112 +15,127 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" Id
-.\"
 .hy 0
 .ad l
-.\"     Title: named\-checkzone
+'\" t
+.\"     Title: named-checkzone
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: February 19, 2014
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2014-02-19
 .\"    Manual: BIND9
-.\"    Source: BIND9
+.\"    Source: ISC
+.\"  Language: English
 .\"
-.TH "NAMED\-CHECKZONE" "8" "February 19, 2014" "BIND9" "BIND9"
+.TH "NAMED\-CHECKZONE" "8" "2014\-02\-19" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
 .SH "NAME"
-named\-checkzone, named\-compilezone \- zone file validity checking or converting tool
+named-checkzone, named-compilezone \- zone file validity checking or converting tool
 .SH "SYNOPSIS"
-.HP 16
+.HP \w'\fBnamed\-checkzone\fR\ 'u
 \fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-J\ \fR\fB\fIfilename\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-l\ \fR\fB\fIttl\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
-.HP 18
+.HP \w'\fBnamed\-compilezone\fR\ 'u
 \fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-J\ \fR\fB\fIfilename\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-l\ \fR\fB\fIttl\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} {filename}
 .SH "DESCRIPTION"
 .PP
 \fBnamed\-checkzone\fR
-checks the syntax and integrity of a zone file. It performs the same checks as
+checks the syntax and integrity of a zone file\&. It performs the same checks as
 \fBnamed\fR
-does when loading a zone. This makes
+does when loading a zone\&. This makes
 \fBnamed\-checkzone\fR
-useful for checking zone files before configuring them into a name server.
+useful for checking zone files before configuring them into a name server\&.
 .PP
 \fBnamed\-compilezone\fR
 is similar to
-\fBnamed\-checkzone\fR, but it always dumps the zone contents to a specified file in a specified format. Additionally, it applies stricter check levels by default, since the dump output will be used as an actual zone file loaded by
-\fBnamed\fR. When manually specified otherwise, the check levels must at least be as strict as those specified in the
+\fBnamed\-checkzone\fR, but it always dumps the zone contents to a specified file in a specified format\&. Additionally, it applies stricter check levels by default, since the dump output will be used as an actual zone file loaded by
+\fBnamed\fR\&. When manually specified otherwise, the check levels must at least be as strict as those specified in the
 \fBnamed\fR
-configuration file.
+configuration file\&.
 .SH "OPTIONS"
 .PP
 \-d
 .RS 4
-Enable debugging.
+Enable debugging\&.
 .RE
 .PP
 \-h
 .RS 4
-Print the usage summary and exit.
+Print the usage summary and exit\&.
 .RE
 .PP
 \-q
 .RS 4
-Quiet mode \- exit code only.
+Quiet mode \- exit code only\&.
 .RE
 .PP
 \-v
 .RS 4
 Print the version of the
 \fBnamed\-checkzone\fR
-program and exit.
+program and exit\&.
 .RE
 .PP
 \-j
 .RS 4
-When loading a zone file, read the journal if it exists. The journal file name is assumed to be the zone file name appended with the string
-\fI.jnl\fR.
+When loading a zone file, read the journal if it exists\&. The journal file name is assumed to be the zone file name appended with the string
+\&.jnl\&.
 .RE
 .PP
 \-J \fIfilename\fR
 .RS 4
-When loading the zone file read the journal from the given file, if it exists. (Implies \-j.)
+When loading the zone file read the journal from the given file, if it exists\&. (Implies \-j\&.)
 .RE
 .PP
 \-c \fIclass\fR
 .RS 4
-Specify the class of the zone. If not specified, "IN" is assumed.
+Specify the class of the zone\&. If not specified, "IN" is assumed\&.
 .RE
 .PP
 \-i \fImode\fR
 .RS 4
-Perform post\-load zone integrity checks. Possible modes are
+Perform post\-load zone integrity checks\&. Possible modes are
 \fB"full"\fR
 (default),
 \fB"full\-sibling"\fR,
 \fB"local"\fR,
 \fB"local\-sibling"\fR
 and
-\fB"none"\fR.
+\fB"none"\fR\&.
 .sp
 Mode
 \fB"full"\fR
-checks that MX records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). Mode
+checks that MX records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. Mode
 \fB"local"\fR
-only checks MX records which refer to in\-zone hostnames.
+only checks MX records which refer to in\-zone hostnames\&.
 .sp
 Mode
 \fB"full"\fR
-checks that SRV records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). Mode
+checks that SRV records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. Mode
 \fB"local"\fR
-only checks SRV records which refer to in\-zone hostnames.
+only checks SRV records which refer to in\-zone hostnames\&.
 .sp
 Mode
 \fB"full"\fR
-checks that delegation NS records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). It also checks that glue address records in the zone match those advertised by the child. Mode
+checks that delegation NS records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. It also checks that glue address records in the zone match those advertised by the child\&. Mode
 \fB"local"\fR
-only checks NS records which refer to in\-zone hostnames or that some required glue exists, that is when the nameserver is in a child zone.
+only checks NS records which refer to in\-zone hostnames or that some required glue exists, that is when the nameserver is in a child zone\&.
 .sp
 Mode
 \fB"full\-sibling"\fR
@@ -130,26 +145,26 @@
 \fB"full"\fR
 and
 \fB"local"\fR
-respectively.
+respectively\&.
 .sp
 Mode
 \fB"none"\fR
-disables the checks.
+disables the checks\&.
 .RE
 .PP
 \-f \fIformat\fR
 .RS 4
-Specify the format of the zone file. Possible formats are
+Specify the format of the zone file\&. Possible formats are
 \fB"text"\fR
 (default),
 \fB"raw"\fR, and
-\fB"map"\fR.
+\fB"map"\fR\&.
 .RE
 .PP
 \-F \fIformat\fR
 .RS 4
-Specify the format of the output file specified. For
-\fBnamed\-checkzone\fR, this does not cause any effects unless it dumps the zone contents.
+Specify the format of the output file specified\&. For
+\fBnamed\-checkzone\fR, this does not cause any effects unless it dumps the zone contents\&.
 .sp
 Possible formats are
 \fB"text"\fR
@@ -157,169 +172,170 @@
 \fB"map"\fR,
 \fB"raw"\fR, and
 \fB"raw=N"\fR, which store the zone in a binary format for rapid loading by
-\fBnamed\fR.
+\fBnamed\fR\&.
 \fB"raw=N"\fR
 specifies the format version of the raw zone file: if N is 0, the raw file can be read by any version of
-\fBnamed\fR; if N is 1, the file can be read by release 9.9.0 or higher; the default is 1.
+\fBnamed\fR; if N is 1, the file can be read by release 9\&.9\&.0 or higher; the default is 1\&.
 .RE
 .PP
 \-k \fImode\fR
 .RS 4
 Perform
 \fB"check\-names"\fR
-checks with the specified failure mode. Possible modes are
+checks with the specified failure mode\&. Possible modes are
 \fB"fail"\fR
 (default for
 \fBnamed\-compilezone\fR),
 \fB"warn"\fR
 (default for
 \fBnamed\-checkzone\fR) and
-\fB"ignore"\fR.
+\fB"ignore"\fR\&.
 .RE
 .PP
 \-l \fIttl\fR
 .RS 4
-Sets a maximum permissible TTL for the input file. Any record with a TTL higher than this value will cause the zone to be rejected. This is similar to using the
+Sets a maximum permissible TTL for the input file\&. Any record with a TTL higher than this value will cause the zone to be rejected\&. This is similar to using the
 \fBmax\-zone\-ttl\fR
 option in
-\fInamed.conf\fR.
+named\&.conf\&.
 .RE
 .PP
 \-L \fIserial\fR
 .RS 4
-When compiling a zone to "raw" or "map" format, set the "source serial" value in the header to the specified serial number. (This is expected to be used primarily for testing purposes.)
+When compiling a zone to "raw" or "map" format, set the "source serial" value in the header to the specified serial number\&. (This is expected to be used primarily for testing purposes\&.)
 .RE
 .PP
 \-m \fImode\fR
 .RS 4
-Specify whether MX records should be checked to see if they are addresses. Possible modes are
+Specify whether MX records should be checked to see if they are addresses\&. Possible modes are
 \fB"fail"\fR,
 \fB"warn"\fR
 (default) and
-\fB"ignore"\fR.
+\fB"ignore"\fR\&.
 .RE
 .PP
 \-M \fImode\fR
 .RS 4
-Check if a MX record refers to a CNAME. Possible modes are
+Check if a MX record refers to a CNAME\&. Possible modes are
 \fB"fail"\fR,
 \fB"warn"\fR
 (default) and
-\fB"ignore"\fR.
+\fB"ignore"\fR\&.
 .RE
 .PP
 \-n \fImode\fR
 .RS 4
-Specify whether NS records should be checked to see if they are addresses. Possible modes are
+Specify whether NS records should be checked to see if they are addresses\&. Possible modes are
 \fB"fail"\fR
 (default for
 \fBnamed\-compilezone\fR),
 \fB"warn"\fR
 (default for
 \fBnamed\-checkzone\fR) and
-\fB"ignore"\fR.
+\fB"ignore"\fR\&.
 .RE
 .PP
 \-o \fIfilename\fR
 .RS 4
 Write zone output to
-\fIfilename\fR. If
-\fIfilename\fR
+filename\&. If
+filename
 is
-\fI\-\fR
-then write to standard out. This is mandatory for
-\fBnamed\-compilezone\fR.
+\-
+then write to standard out\&. This is mandatory for
+\fBnamed\-compilezone\fR\&.
 .RE
 .PP
 \-r \fImode\fR
 .RS 4
-Check for records that are treated as different by DNSSEC but are semantically equal in plain DNS. Possible modes are
+Check for records that are treated as different by DNSSEC but are semantically equal in plain DNS\&. Possible modes are
 \fB"fail"\fR,
 \fB"warn"\fR
 (default) and
-\fB"ignore"\fR.
+\fB"ignore"\fR\&.
 .RE
 .PP
 \-s \fIstyle\fR
 .RS 4
-Specify the style of the dumped zone file. Possible styles are
+Specify the style of the dumped zone file\&. Possible styles are
 \fB"full"\fR
 (default) and
-\fB"relative"\fR. The full format is most suitable for processing automatically by a separate script. On the other hand, the relative format is more human\-readable and is thus suitable for editing by hand. For
+\fB"relative"\fR\&. The full format is most suitable for processing automatically by a separate script\&. On the other hand, the relative format is more human\-readable and is thus suitable for editing by hand\&. For
 \fBnamed\-checkzone\fR
-this does not cause any effects unless it dumps the zone contents. It also does not have any meaning if the output format is not text.
+this does not cause any effects unless it dumps the zone contents\&. It also does not have any meaning if the output format is not text\&.
 .RE
 .PP
 \-S \fImode\fR
 .RS 4
-Check if a SRV record refers to a CNAME. Possible modes are
+Check if a SRV record refers to a CNAME\&. Possible modes are
 \fB"fail"\fR,
 \fB"warn"\fR
 (default) and
-\fB"ignore"\fR.
+\fB"ignore"\fR\&.
 .RE
 .PP
 \-t \fIdirectory\fR
 .RS 4
 Chroot to
-\fIdirectory\fR
-so that include directives in the configuration file are processed as if run by a similarly chrooted named.
+directory
+so that include directives in the configuration file are processed as if run by a similarly chrooted named\&.
 .RE
 .PP
 \-T \fImode\fR
 .RS 4
-Check if Sender Policy Framework (SPF) records exist and issues a warning if an SPF\-formatted TXT record is not also present. Possible modes are
+Check if Sender Policy Framework (SPF) records exist and issues a warning if an SPF\-formatted TXT record is not also present\&. Possible modes are
 \fB"warn"\fR
 (default),
-\fB"ignore"\fR.
+\fB"ignore"\fR\&.
 .RE
 .PP
 \-w \fIdirectory\fR
 .RS 4
 chdir to
-\fIdirectory\fR
-so that relative filenames in master file $INCLUDE directives work. This is similar to the directory clause in
-\fInamed.conf\fR.
+directory
+so that relative filenames in master file $INCLUDE directives work\&. This is similar to the directory clause in
+named\&.conf\&.
 .RE
 .PP
 \-D
 .RS 4
-Dump zone file in canonical format. This is always enabled for
-\fBnamed\-compilezone\fR.
+Dump zone file in canonical format\&. This is always enabled for
+\fBnamed\-compilezone\fR\&.
 .RE
 .PP
 \-W \fImode\fR
 .RS 4
-Specify whether to check for non\-terminal wildcards. Non\-terminal wildcards are almost always the result of a failure to understand the wildcard matching algorithm (RFC 1034). Possible modes are
+Specify whether to check for non\-terminal wildcards\&. Non\-terminal wildcards are almost always the result of a failure to understand the wildcard matching algorithm (RFC 1034)\&. Possible modes are
 \fB"warn"\fR
 (default) and
-\fB"ignore"\fR.
+\fB"ignore"\fR\&.
 .RE
 .PP
 zonename
 .RS 4
-The domain name of the zone being checked.
+The domain name of the zone being checked\&.
 .RE
 .PP
 filename
 .RS 4
-The name of the zone file.
+The name of the zone file\&.
 .RE
 .SH "RETURN VALUES"
 .PP
 \fBnamed\-checkzone\fR
-returns an exit status of 1 if errors were detected and 0 otherwise.
+returns an exit status of 1 if errors were detected and 0 otherwise\&.
 .SH "SEE ALSO"
 .PP
 \fBnamed\fR(8),
-\fBnamed\-checkconf\fR(8),
+\fBnamed-checkconf\fR(8),
 RFC 1035,
-BIND 9 Administrator Reference Manual.
+BIND 9 Administrator Reference Manual\&.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
+\fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2007, 2009\-2014 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2004-2007, 2009-2015 Internet Systems Consortium, Inc. ("ISC")
 .br
-Copyright \(co 2000\-2002 Internet Software Consortium.
+Copyright \(co 2000-2002 Internet Software Consortium.
 .br
--- a/external/bsd/bind/dist/bin/check/named-checkzone.c	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/check/named-checkzone.c	Thu May 26 16:49:55 2016 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: named-checkzone.c,v 1.8 2015/12/17 04:00:40 christos Exp $	*/
+/*	$NetBSD: named-checkzone.c,v 1.9 2016/05/26 16:49:55 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
@@ -60,7 +60,7 @@
 dns_zonetype_t zonetype = dns_zone_master;
 static int dumpzone = 0;
 static const char *output_filename;
-static char *prog_name = NULL;
+static const char *prog_name = NULL;
 static const dns_master_style_t *outputstyle = NULL;
 static enum { progmode_check, progmode_compile } progmode;
 
--- a/external/bsd/bind/dist/bin/confgen/ddns-confgen.8	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/confgen/ddns-confgen.8	Thu May 26 16:49:55 2016 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: ddns-confgen.8,v 1.5 2014/12/10 04:37:51 christos Exp $
+.\"	$NetBSD: ddns-confgen.8,v 1.6 2016/05/26 16:49:55 christos Exp $
 .\"
-.\" Copyright (C) 2009, 2014 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,41 +14,56 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" Id
-.\"
 .hy 0
 .ad l
-.\"     Title: ddns\-confgen
+'\" t
+.\"     Title: ddns-confgen
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: March 6, 2014
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2014-03-06
 .\"    Manual: BIND9
-.\"    Source: BIND9
+.\"    Source: ISC
+.\"  Language: English
 .\"
-.TH "DDNS\-CONFGEN" "8" "March 6, 2014" "BIND9" "BIND9"
+.TH "DDNS\-CONFGEN" "8" "2014\-03\-06" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
 .SH "NAME"
-ddns\-confgen \- ddns key generation tool
+ddns-confgen \- ddns key generation tool
 .SH "SYNOPSIS"
-.HP 12
+.HP \w'\fBtsig\-keygen\fR\ 'u
 \fBtsig\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [name]
-.HP 13
+.HP \w'\fBddns\-confgen\fR\ 'u
 \fBddns\-confgen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-q\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\-s\ \fIname\fR | \-z\ \fIzone\fR]
 .SH "DESCRIPTION"
 .PP
 \fBtsig\-keygen\fR
 and
 \fBddns\-confgen\fR
-are invocation methods for a utility that generates keys for use in TSIG signing. The resulting keys can be used, for example, to secure dynamic DNS updates to a zone or for the
+are invocation methods for a utility that generates keys for use in TSIG signing\&. The resulting keys can be used, for example, to secure dynamic DNS updates to a zone or for the
 \fBrndc\fR
-command channel.
+command channel\&.
 .PP
 When run as
-\fBtsig\-keygen\fR, a domain name can be specified on the command line which will be used as the name of the generated key. If no name is specified, the default is
-\fBtsig\-key\fR.
+\fBtsig\-keygen\fR, a domain name can be specified on the command line which will be used as the name of the generated key\&. If no name is specified, the default is
+\fBtsig\-key\fR\&.
 .PP
 When run as
 \fBddns\-confgen\fR, the generated key is accompanied by configuration text and instructions that can be used with
@@ -57,34 +72,34 @@
 \fBnamed\fR
 when setting up dynamic DNS, including an example
 \fBupdate\-policy\fR
-statement. (This usage similar to the
+statement\&. (This usage similar to the
 \fBrndc\-confgen\fR
-command for setting up command channel security.)
+command for setting up command channel security\&.)
 .PP
 Note that
 \fBnamed\fR
 itself can configure a local DDNS key for use with
 \fBnsupdate \-l\fR: it does this when a zone is configured with
-\fBupdate\-policy local;\fR.
+\fBupdate\-policy local;\fR\&.
 \fBddns\-confgen\fR
 is only needed when a more elaborate configuration is required: for instance, if
 \fBnsupdate\fR
-is to be used from a remote system.
+is to be used from a remote system\&.
 .SH "OPTIONS"
 .PP
 \-a \fIalgorithm\fR
 .RS 4
-Specifies the algorithm to use for the TSIG key. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512. The default is hmac\-sha256. Options are case\-insensitive, and the "hmac\-" prefix may be omitted.
+Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-sha256\&. Options are case\-insensitive, and the "hmac\-" prefix may be omitted\&.
 .RE
 .PP
 \-h
 .RS 4
-Prints a short summary of options and arguments.
+Prints a short summary of options and arguments\&.
 .RE
 .PP
 \-k \fIkeyname\fR
 .RS 4
-Specifies the key name of the DDNS authentication key. The default is
+Specifies the key name of the DDNS authentication key\&. The default is
 \fBddns\-key\fR
 when neither the
 \fB\-s\fR
@@ -92,62 +107,63 @@
 \fB\-z\fR
 option is specified; otherwise, the default is
 \fBddns\-key\fR
-as a separate label followed by the argument of the option, e.g.,
-\fBddns\-key.example.com.\fR
-The key name must have the format of a valid domain name, consisting of letters, digits, hyphens and periods.
+as a separate label followed by the argument of the option, e\&.g\&.,
+\fBddns\-key\&.example\&.com\&.\fR
+The key name must have the format of a valid domain name, consisting of letters, digits, hyphens and periods\&.
 .RE
 .PP
 \-q
 .RS 4
 (\fBddns\-confgen\fR
-only.) Quiet mode: Print only the key, with no explanatory text or usage examples; This is essentially identical to
-\fBtsig\-keygen\fR.
+only\&.) Quiet mode: Print only the key, with no explanatory text or usage examples; This is essentially identical to
+\fBtsig\-keygen\fR\&.
 .RE
 .PP
 \-r \fIrandomfile\fR
 .RS 4
-Specifies a source of random data for generating the authorization. If the operating system does not provide a
-\fI/dev/random\fR
-or equivalent device, the default source of randomness is keyboard input.
-\fIrandomdev\fR
-specifies the name of a character device or file containing random data to be used instead of the default. The special value
-\fIkeyboard\fR
-indicates that keyboard input should be used.
+Specifies a source of random data for generating the authorization\&. If the operating system does not provide a
+/dev/random
+or equivalent device, the default source of randomness is keyboard input\&.
+randomdev
+specifies the name of a character device or file containing random data to be used instead of the default\&. The special value
+keyboard
+indicates that keyboard input should be used\&.
 .RE
 .PP
 \-s \fIname\fR
 .RS 4
 (\fBddns\-confgen\fR
-only.) Generate configuration example to allow dynamic updates of a single hostname. The example
-\fBnamed.conf\fR
+only\&.) Generate configuration example to allow dynamic updates of a single hostname\&. The example
+\fBnamed\&.conf\fR
 text shows how to set an update policy for the specified
 \fIname\fR
-using the "name" nametype. The default key name is ddns\-key.\fIname\fR. Note that the "self" nametype cannot be used, since the name to be updated may differ from the key name. This option cannot be used with the
+using the "name" nametype\&. The default key name is ddns\-key\&.\fIname\fR\&. Note that the "self" nametype cannot be used, since the name to be updated may differ from the key name\&. This option cannot be used with the
 \fB\-z\fR
-option.
+option\&.
 .RE
 .PP
 \-z \fIzone\fR
 .RS 4
 (\fBddns\-confgen\fR
-only.) Generate configuration example to allow dynamic updates of a zone: The example
-\fBnamed.conf\fR
+only\&.) Generate configuration example to allow dynamic updates of a zone: The example
+\fBnamed\&.conf\fR
 text shows how to set an update policy for the specified
 \fIzone\fR
 using the "zonesub" nametype, allowing updates to all subdomain names within that
-\fIzone\fR. This option cannot be used with the
+\fIzone\fR\&. This option cannot be used with the
 \fB\-s\fR
-option.
+option\&.
 .RE
 .SH "SEE ALSO"
 .PP
 \fBnsupdate\fR(1),
 \fBnamed.conf\fR(5),
 \fBnamed\fR(8),
-BIND 9 Administrator Reference Manual.
+BIND 9 Administrator Reference Manual\&.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
+\fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
-Copyright \(co 2009, 2014 Internet Systems Consortium, Inc. ("ISC")
 .br
+Copyright \(co 2009, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+.br
--- a/external/bsd/bind/dist/bin/confgen/rndc-confgen.8	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/confgen/rndc-confgen.8	Thu May 26 16:49:55 2016 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: rndc-confgen.8,v 1.6 2014/12/10 04:37:51 christos Exp $
+.\"	$NetBSD: rndc-confgen.8,v 1.7 2016/05/26 16:49:55 christos Exp $
 .\"
-.\" Copyright (C) 2004, 2005, 2007, 2009, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007, 2009, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2001, 2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -15,58 +15,73 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" Id
-.\"
 .hy 0
 .ad l
-.\"     Title: rndc\-confgen
+'\" t
+.\"     Title: rndc-confgen
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: March 14, 2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2013-03-14
 .\"    Manual: BIND9
-.\"    Source: BIND9
+.\"    Source: ISC
+.\"  Language: English
 .\"
-.TH "RNDC\-CONFGEN" "8" "March 14, 2013" "BIND9" "BIND9"
+.TH "RNDC\-CONFGEN" "8" "2013\-03\-14" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
 .SH "NAME"
-rndc\-confgen \- rndc key generation tool
+rndc-confgen \- rndc key generation tool
 .SH "SYNOPSIS"
-.HP 13
+.HP \w'\fBrndc\-confgen\fR\ 'u
 \fBrndc\-confgen\fR [\fB\-a\fR] [\fB\-A\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-c\ \fR\fB\fIkeyfile\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\fB\-s\ \fR\fB\fIaddress\fR\fR] [\fB\-t\ \fR\fB\fIchrootdir\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR]
 .SH "DESCRIPTION"
 .PP
 \fBrndc\-confgen\fR
 generates configuration files for
-\fBrndc\fR. It can be used as a convenient alternative to writing the
-\fIrndc.conf\fR
+\fBrndc\fR\&. It can be used as a convenient alternative to writing the
+rndc\&.conf
 file and the corresponding
 \fBcontrols\fR
 and
 \fBkey\fR
 statements in
-\fInamed.conf\fR
-by hand. Alternatively, it can be run with the
+named\&.conf
+by hand\&. Alternatively, it can be run with the
 \fB\-a\fR
 option to set up a
-\fIrndc.key\fR
+rndc\&.key
 file and avoid the need for a
-\fIrndc.conf\fR
+rndc\&.conf
 file and a
 \fBcontrols\fR
-statement altogether.
+statement altogether\&.
 .SH "OPTIONS"
 .PP
 \-a
 .RS 4
 Do automatic
 \fBrndc\fR
-configuration. This creates a file
-\fIrndc.key\fR
+configuration\&. This creates a file
+rndc\&.key
 in
-\fI/etc\fR
+/etc
 (or whatever
 \fIsysconfdir\fR
 was specified as when
@@ -75,13 +90,13 @@
 \fBrndc\fR
 and
 \fBnamed\fR
-on startup. The
-\fIrndc.key\fR
+on startup\&. The
+rndc\&.key
 file defines a default command channel and authentication key allowing
 \fBrndc\fR
 to communicate with
 \fBnamed\fR
-on the local host with no further configuration.
+on the local host with no further configuration\&.
 .sp
 Running
 \fBrndc\-confgen \-a\fR
@@ -89,8 +104,8 @@
 \fBrndc\fR
 to be used as drop\-in replacements for BIND 8 and
 \fBndc\fR, with no changes to the existing BIND 8
-\fInamed.conf\fR
-file.
+named\&.conf
+file\&.
 .sp
 If a more elaborate configuration than that generated by
 \fBrndc\-confgen \-a\fR
@@ -99,20 +114,20 @@
 without the
 \fB\-a\fR
 option and set up a
-\fIrndc.conf\fR
+rndc\&.conf
 and
-\fInamed.conf\fR
-as directed.
+named\&.conf
+as directed\&.
 .RE
 .PP
 \-A \fIalgorithm\fR
 .RS 4
-Specifies the algorithm to use for the TSIG key. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512. The default is hmac\-md5.
+Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-md5\&.
 .RE
 .PP
 \-b \fIkeysize\fR
 .RS 4
-Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is the hash size.
+Specifies the size of the authentication key in bits\&. Must be between 1 and 512 bits; the default is the hash size\&.
 .RE
 .PP
 \-c \fIkeyfile\fR
@@ -120,19 +135,19 @@
 Used with the
 \fB\-a\fR
 option to specify an alternate location for
-\fIrndc.key\fR.
+rndc\&.key\&.
 .RE
 .PP
 \-h
 .RS 4
 Prints a short summary of the options and arguments to
-\fBrndc\-confgen\fR.
+\fBrndc\-confgen\fR\&.
 .RE
 .PP
 \-k \fIkeyname\fR
 .RS 4
-Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is
-\fBrndc\-key\fR.
+Specifies the key name of the rndc authentication key\&. This must be a valid domain name\&. The default is
+\fBrndc\-key\fR\&.
 .RE
 .PP
 \-p \fIport\fR
@@ -140,18 +155,18 @@
 Specifies the command channel port where
 \fBnamed\fR
 listens for connections from
-\fBrndc\fR. The default is 953.
+\fBrndc\fR\&. The default is 953\&.
 .RE
 .PP
 \-r \fIrandomfile\fR
 .RS 4
-Specifies a source of random data for generating the authorization. If the operating system does not provide a
-\fI/dev/random\fR
-or equivalent device, the default source of randomness is keyboard input.
-\fIrandomdev\fR
-specifies the name of a character device or file containing random data to be used instead of the default. The special value
-\fIkeyboard\fR
-indicates that keyboard input should be used.
+Specifies a source of random data for generating the authorization\&. If the operating system does not provide a
+/dev/random
+or equivalent device, the default source of randomness is keyboard input\&.
+randomdev
+specifies the name of a character device or file containing random data to be used instead of the default\&. The special value
+keyboard
+indicates that keyboard input should be used\&.
 .RE
 .PP
 \-s \fIaddress\fR
@@ -159,7 +174,7 @@
 Specifies the IP address where
 \fBnamed\fR
 listens for command channel connections from
-\fBrndc\fR. The default is the loopback address 127.0.0.1.
+\fBrndc\fR\&. The default is the loopback address 127\&.0\&.0\&.1\&.
 .RE
 .PP
 \-t \fIchrootdir\fR
@@ -168,10 +183,10 @@
 \fB\-a\fR
 option to specify a directory where
 \fBnamed\fR
-will run chrooted. An additional copy of the
-\fIrndc.key\fR
+will run chrooted\&. An additional copy of the
+rndc\&.key
 will be written relative to this directory so that it will be found by the chrooted
-\fBnamed\fR.
+\fBnamed\fR\&.
 .RE
 .PP
 \-u \fIuser\fR
@@ -179,10 +194,10 @@
 Used with the
 \fB\-a\fR
 option to set the owner of the
-\fIrndc.key\fR
-file generated. If
+rndc\&.key
+file generated\&. If
 \fB\-t\fR
-is also specified only the file in the chroot area has its owner changed.
+is also specified only the file in the chroot area has its owner changed\&.
 .RE
 .SH "EXAMPLES"
 .PP
@@ -193,13 +208,13 @@
 \fBrndc\-confgen \-a\fR
 .PP
 To print a sample
-\fIrndc.conf\fR
+rndc\&.conf
 file and corresponding
 \fBcontrols\fR
 and
 \fBkey\fR
 statements to be manually inserted into
-\fInamed.conf\fR, run
+named\&.conf, run
 .PP
 \fBrndc\-confgen\fR
 .SH "SEE ALSO"
@@ -207,12 +222,13 @@
 \fBrndc\fR(8),
 \fBrndc.conf\fR(5),
 \fBnamed\fR(8),
-BIND 9 Administrator Reference Manual.
+BIND 9 Administrator Reference Manual\&.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
+\fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007, 2009, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2004, 2005, 2007, 2009, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2001, 2003 Internet Software Consortium.
 .br
--- a/external/bsd/bind/dist/bin/delv/delv.c	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/delv/delv.c	Thu May 26 16:49:55 2016 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: delv.c,v 1.4 2015/07/08 17:28:54 christos Exp $	*/
+/*	$NetBSD: delv.c,v 1.5 2016/05/26 16:49:55 christos Exp $	*/
 
 /*
  * Copyright (C) 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
@@ -169,7 +169,8 @@
 "                 -p port             (specify port number)\n"
 "                 -q name             (specify query name)\n"
 "                 -t type             (specify query type)\n"
-"                 -c class            (specify query class)\n"
+"                 -c class            (option included for compatibility;\n"
+"                                      only IN is supported)\n"
 "                 -4                  (use IPv4 query transport only)\n"
 "                 -6                  (use IPv6 query transport only)\n"
 "                 -i                  (disable DNSSEC validation)\n"
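Review bot: The new `-c class` help text says only IN is supported, but it does not say what delv does when another class is given, and the option parsing is outside this hunk. If a non-IN value is ignored rather than rejected, the text could say so, for example `(accepted for compatibility; non-IN classes are ignored)`. Otherwise a user who asks for CH or HS could read a validated IN answer as the answer to the query they typed. It is worth confirming that the parser at least warns in that case.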
@@ -453,8 +454,8 @@
 				dns_rdataset_current(rdataset, &rdata);
 				result = dns_rdata_tofmttext(&rdata,
 							     dns_rootname,
-							     styleflags,
-							     0, 60, " ",
+							     styleflags, 0,
+							     splitwidth, " ",
 							     &target);
 				if (result != ISC_R_SUCCESS)
 					break;
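Review bot: The `0` after `styleflags` in the `dns_rdata_tofmttext()` call is still an unexplained literal, while the `60` beside it became the named `splitwidth`. `splitwidth` is declared outside this hunk, so its default and any bounds on it cannot be checked from here; if it is set from a command-line option, the parser should reject or clamp values the formatter cannot handle. Assuming the fourth and fifth arguments are the line width and the split width, a comment above the call such as `/* width 0; long base64/hex fields are split every splitwidth characters */` would document both. The enclosing function starts and ends outside the hunk.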
--- a/external/bsd/bind/dist/bin/dig/dig.1	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/dig/dig.1	Thu May 26 16:49:55 2016 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: dig.1,v 1.11 2015/12/17 04:00:40 christos Exp $
+.\"	$NetBSD: dig.1,v 1.12 2016/05/26 16:49:55 christos Exp $
 .\"
-.\" Copyright (C) 2004-2011, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2011, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -15,145 +15,164 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" Id
-.\"
 .hy 0
 .ad l
+'\" t
 .\"     Title: dig
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: February 19, 2014
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2014-02-19
 .\"    Manual: BIND9
-.\"    Source: BIND9
+.\"    Source: ISC
+.\"  Language: English
 .\"
-.TH "DIG" "1" "February 19, 2014" "BIND9" "BIND9"
+.TH "DIG" "1" "2014\-02\-19" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
 .SH "NAME"
 dig \- DNS lookup utility
 .SH "SYNOPSIS"
-.HP 4
+.HP \w'\fBdig\fR\ 'u
 \fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIname:key\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [name] [type] [class] [queryopt...]
-.HP 4
+.HP \w'\fBdig\fR\ 'u
 \fBdig\fR [\fB\-h\fR]
-.HP 4
+.HP \w'\fBdig\fR\ 'u
 \fBdig\fR [global\-queryopt...] [query...]
 .SH "DESCRIPTION"
 .PP
 \fBdig\fR
-(domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use
+(domain information groper) is a flexible tool for interrogating DNS name servers\&. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried\&. Most DNS administrators use
 \fBdig\fR
-to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than
-\fBdig\fR.
+to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output\&. Other lookup tools tend to have less functionality than
+\fBdig\fR\&.
 .PP
 Although
 \fBdig\fR
-is normally used with command\-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command\-line arguments and options is printed when the
+is normally used with command\-line arguments, it also has a batch mode of operation for reading lookup requests from a file\&. A brief summary of its command\-line arguments and options is printed when the
 \fB\-h\fR
-option is given. Unlike earlier versions, the BIND 9 implementation of
+option is given\&. Unlike earlier versions, the BIND 9 implementation of
 \fBdig\fR
-allows multiple lookups to be issued from the command line.
+allows multiple lookups to be issued from the command line\&.
 .PP
 Unless it is told to query a specific name server,
 \fBdig\fR
 will try each of the servers listed in
-\fI/etc/resolv.conf\fR. If no usable server addresses are found,
+/etc/resolv\&.conf\&. If no usable server addresses are found,
 \fBdig\fR
-will send the query to the local host.
+will send the query to the local host\&.
 .PP
 When no command line arguments or options are given,
 \fBdig\fR
-will perform an NS query for "." (the root).
+will perform an NS query for "\&." (the root)\&.
 .PP
 It is possible to set per\-user defaults for
 \fBdig\fR
 via
-\fI${HOME}/.digrc\fR. This file is read and any options in it are applied before the command line arguments.
+${HOME}/\&.digrc\&. This file is read and any options in it are applied before the command line arguments\&.
 .PP
-The IN and CH class names overlap with the IN and CH top level domain names. Either use the
+The IN and CH class names overlap with the IN and CH top level domain names\&. Either use the
 \fB\-t\fR
 and
 \fB\-c\fR
 options to specify the type and class, use the
 \fB\-q\fR
-the specify the domain name, or use "IN." and "CH." when looking up these top level domains.
+the specify the domain name, or use "IN\&." and "CH\&." when looking up these top level domains\&.
 .SH "SIMPLE USAGE"
 .PP
 A typical invocation of
 \fBdig\fR
 looks like:
 .sp
+.if n \{\
 .RS 4
+.\}
 .nf
  dig @server name type 
 .fi
+.if n \{\
 .RE
+.\}
 .sp
 where:
 .PP
 \fBserver\fR
 .RS 4
-is the name or IP address of the name server to query. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation. When the supplied
+is the name or IP address of the name server to query\&. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation\&. When the supplied
 \fIserver\fR
 argument is a hostname,
 \fBdig\fR
-resolves that name before querying that name server.
+resolves that name before querying that name server\&.
 .sp
 If no
 \fIserver\fR
 argument is provided,
 \fBdig\fR
 consults
-\fI/etc/resolv.conf\fR; if an address is found there, it queries the name server at that address. If either of the
+/etc/resolv\&.conf; if an address is found there, it queries the name server at that address\&. If either of the
 \fB\-4\fR
 or
 \fB\-6\fR
-options are in use, then only addresses for the corresponding transport will be tried. If no usable addresses are found,
+options are in use, then only addresses for the corresponding transport will be tried\&. If no usable addresses are found,
 \fBdig\fR
-will send the query to the local host. The reply from the name server that responds is displayed.
+will send the query to the local host\&. The reply from the name server that responds is displayed\&.
 .RE
 .PP
 \fBname\fR
 .RS 4
-is the name of the resource record that is to be looked up.
+is the name of the resource record that is to be looked up\&.
 .RE
 .PP
 \fBtype\fR
 .RS 4
-indicates what type of query is required \(em ANY, A, MX, SIG, etc.
+indicates what type of query is required \(em ANY, A, MX, SIG, etc\&.
 \fItype\fR
-can be any valid query type. If no
+can be any valid query type\&. If no
 \fItype\fR
 argument is supplied,
 \fBdig\fR
-will perform a lookup for an A record.
+will perform a lookup for an A record\&.
 .RE
 .SH "OPTIONS"
 .PP
 \-4
 .RS 4
-Use IPv4 only.
+Use IPv4 only\&.
 .RE
 .PP
 \-6
 .RS 4
-Use IPv6 only.
+Use IPv6 only\&.
 .RE
 .PP
 \-b \fIaddress\fR\fI[#port]\fR
 .RS 4
-Set the source IP address of the query. The
+Set the source IP address of the query\&. The
 \fIaddress\fR
-must be a valid address on one of the host's network interfaces, or "0.0.0.0" or "::". An optional port may be specified by appending "#<port>"
+must be a valid address on one of the host\*(Aqs network interfaces, or "0\&.0\&.0\&.0" or "::"\&. An optional port may be specified by appending "#<port>"
 .RE
 .PP
 \-c \fIclass\fR
 .RS 4
-Set the query class. The default
+Set the query class\&. The default
 \fIclass\fR
-is IN; other classes are HS for Hesiod records or CH for Chaosnet records.
+is IN; other classes are HS for Hesiod records or CH for Chaosnet records\&.
 .RE
 .PP
 \-f \fIfile\fR
@@ -161,88 +180,88 @@
 Batch mode:
 \fBdig\fR
 reads a list of lookup requests to process from the given
-\fIfile\fR. Each line in the file should be organized in the same way they would be presented as queries to
+\fIfile\fR\&. Each line in the file should be organized in the same way they would be presented as queries to
 \fBdig\fR
-using the command\-line interface.
+using the command\-line interface\&.
 .RE
 .PP
 \-i
 .RS 4
-Do reverse IPv6 lookups using the obsolete RFC1886 IP6.INT domain, which is no longer in use. Obsolete bit string label queries (RFC2874) are not attempted.
+Do reverse IPv6 lookups using the obsolete RFC1886 IP6\&.INT domain, which is no longer in use\&. Obsolete bit string label queries (RFC2874) are not attempted\&.
 .RE
 .PP
 \-k \fIkeyfile\fR
 .RS 4
-Sign queries using TSIG using a key read from the given file. Key files can be generated using
-\fBtsig\-keygen\fR(8). When using TSIG authentication with
-\fBdig\fR, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate
+Sign queries using TSIG using a key read from the given file\&. Key files can be generated using
+\fBtsig-keygen\fR(8)\&. When using TSIG authentication with
+\fBdig\fR, the name server that is queried needs to know the key and algorithm that is being used\&. In BIND, this is done by providing appropriate
 \fBkey\fR
 and
 \fBserver\fR
 statements in
-\fInamed.conf\fR.
+named\&.conf\&.
 .RE
 .PP
 \-m
 .RS 4
-Enable memory usage debugging.
+Enable memory usage debugging\&.
 .RE
 .PP
 \-p \fIport\fR
 .RS 4
-Send the query to a non\-standard port on the server, instead of the defaut port 53. This option would be used to test a name server that has been configured to listen for queries on a non\-standard port number.
+Send the query to a non\-standard port on the server, instead of the defaut port 53\&. This option would be used to test a name server that has been configured to listen for queries on a non\-standard port number\&.
 .RE
 .PP
 \-q \fIname\fR
 .RS 4
-The domain name to query. This is useful to distinguish the
+The domain name to query\&. This is useful to distinguish the
 \fIname\fR
-from other arguments.
+from other arguments\&.
 .RE
 .PP
 \-t \fItype\fR
 .RS 4
-The resource record type to query. It can be any valid query type which is supported in BIND 9. The default query type is "A", unless the
+The resource record type to query\&. It can be any valid query type which is supported in BIND 9\&. The default query type is "A", unless the
 \fB\-x\fR
-option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required, set the
+option is supplied to indicate a reverse lookup\&. A zone transfer can be requested by specifying a type of AXFR\&. When an incremental zone transfer (IXFR) is required, set the
 \fItype\fR
 to
-ixfr=N. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was
-\fIN\fR.
+ixfr=N\&. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone\*(Aqs SOA record was
+\fIN\fR\&.
 .RE
 .PP
 \-v
 .RS 4
-Print the version number and exit.
+Print the version number and exit\&.
 .RE
 .PP
 \-x \fIaddr\fR
 .RS 4
-Simplified reverse lookups, for mapping addresses to names. The
+Simplified reverse lookups, for mapping addresses to names\&. The
 \fIaddr\fR
-is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address. When the
+is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address\&. When the
 \fB\-x\fR
 is used, there is no need to provide the
 \fIname\fR,
 \fIclass\fR
 and
 \fItype\fR
-arguments.
+arguments\&.
 \fBdig\fR
 automatically performs a lookup for a name like
-94.2.0.192.in\-addr.arpa
-and sets the query type and class to PTR and IN respectively. IPv6 addresses are looked up using nibble format under the IP6.ARPA domain (but see also the
+94\&.2\&.0\&.192\&.in\-addr\&.arpa
+and sets the query type and class to PTR and IN respectively\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain (but see also the
 \fB\-i\fR
-option).
+option)\&.
 .RE
 .PP
 \-y \fI[hmac:]\fR\fIkeyname:secret\fR
 .RS 4
-Sign queries using TSIG with the given authentication key.
+Sign queries using TSIG with the given authentication key\&.
 \fIkeyname\fR
 is the name of the key, and
 \fIsecret\fR
-is the base64 encoded shared secret.
+is the base64 encoded shared secret\&.
 \fIhmac\fR
 is the name of the key algorithm; valid choices are
 hmac\-md5,
@@ -250,10 +269,10 @@
 hmac\-sha224,
 hmac\-sha256,
 hmac\-sha384, or
-hmac\-sha512. If
+hmac\-sha512\&. If
 \fIhmac\fR
 is not specified, the default is
-hmac\-md5.
+hmac\-md5\&.
 .sp
 NOTE: You should use the
 \fB\-k\fR
@@ -261,96 +280,96 @@
 \fB\-y\fR
 option, because with
 \fB\-y\fR
-the shared secret is supplied as a command line argument in clear text. This may be visible in the output from
+the shared secret is supplied as a command line argument in clear text\&. This may be visible in the output from
 \fBps\fR(1)
-or in a history file maintained by the user's shell.
+or in a history file maintained by the user\*(Aqs shell\&.
 .RE
 .SH "QUERY OPTIONS"
 .PP
 \fBdig\fR
-provides a number of query options which affect the way in which lookups are made and the results displayed. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout and retry strategies.
+provides a number of query options which affect the way in which lookups are made and the results displayed\&. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout and retry strategies\&.
 .PP
-Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These may be preceded by the string
+Each query option is identified by a keyword preceded by a plus sign (+)\&. Some keywords set or reset an option\&. These may be preceded by the string
 no
-to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form
-\fB+keyword=value\fR. Keywords may be abbreviated, provided the abbreviation is unambiguous; for example,
+to negate the meaning of that keyword\&. Other keywords assign values to options like the timeout interval\&. They have the form
+\fB+keyword=value\fR\&. Keywords may be abbreviated, provided the abbreviation is unambiguous; for example,
 +cd
 is equivalent to
-+cdflag. The query options are:
++cdflag\&. The query options are:
 .PP
 \fB+[no]aaflag\fR
 .RS 4
 A synonym for
-\fI+[no]aaonly\fR.
+\fI+[no]aaonly\fR\&.
 .RE
 .PP
 \fB+[no]aaonly\fR
 .RS 4
-Sets the "aa" flag in the query.
+Sets the "aa" flag in the query\&.
 .RE
 .PP
 \fB+[no]additional\fR
 .RS 4
-Display [do not display] the additional section of a reply. The default is to display it.
+Display [do not display] the additional section of a reply\&. The default is to display it\&.
 .RE
 .PP
 \fB+[no]adflag\fR
 .RS 4
-Set [do not set] the AD (authentic data) bit in the query. This requests the server to return whether all of the answer and authority sections have all been validated as secure according to the security policy of the server. AD=1 indicates that all records have been validated as secure and the answer is not from a OPT\-OUT range. AD=0 indicate that some part of the answer was insecure or not validated. This bit is set by default.
+Set [do not set] the AD (authentic data) bit in the query\&. This requests the server to return whether all of the answer and authority sections have all been validated as secure according to the security policy of the server\&. AD=1 indicates that all records have been validated as secure and the answer is not from a OPT\-OUT range\&. AD=0 indicate that some part of the answer was insecure or not validated\&. This bit is set by default\&.
 .RE
 .PP
 \fB+[no]all\fR
 .RS 4
-Set or clear all display flags.
+Set or clear all display flags\&.
 .RE
 .PP
 \fB+[no]answer\fR
 .RS 4
-Display [do not display] the answer section of a reply. The default is to display it.
+Display [do not display] the answer section of a reply\&. The default is to display it\&.
 .RE
 .PP
 \fB+[no]authority\fR
 .RS 4
-Display [do not display] the authority section of a reply. The default is to display it.
+Display [do not display] the authority section of a reply\&. The default is to display it\&.
 .RE
 .PP
 \fB+[no]besteffort\fR
 .RS 4
-Attempt to display the contents of messages which are malformed. The default is to not display malformed answers.
+Attempt to display the contents of messages which are malformed\&. The default is to not display malformed answers\&.
 .RE
 .PP
 \fB+bufsize=B\fR
 .RS 4
 Set the UDP message buffer size advertised using EDNS0 to
 \fIB\fR
-bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately. Values other than zero will cause a EDNS query to be sent.
+bytes\&. The maximum and minimum sizes of this buffer are 65535 and 0 respectively\&. Values outside this range are rounded up or down appropriately\&. Values other than zero will cause a EDNS query to be sent\&.
 .RE
 .PP
 \fB+[no]cdflag\fR
 .RS 4
-Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses.
+Set [do not set] the CD (checking disabled) bit in the query\&. This requests the server to not perform DNSSEC validation of responses\&.
 .RE
 .PP
 \fB+[no]class\fR
 .RS 4
-Display [do not display] the CLASS when printing the record.
+Display [do not display] the CLASS when printing the record\&.
 .RE
 .PP
 \fB+[no]cmd\fR
 .RS 4
 Toggles the printing of the initial comment in the output identifying the version of
 \fBdig\fR
-and the query options that have been applied. This comment is printed by default.
+and the query options that have been applied\&. This comment is printed by default\&.
 .RE
 .PP
 \fB+[no]comments\fR
 .RS 4
-Toggle the display of comment lines in the output. The default is to print comments.
+Toggle the display of comment lines in the output\&. The default is to print comments\&.
 .RE
 .PP
 \fB+[no]crypto\fR
 .RS 4
-Toggle the display of cryptographic fields in DNSSEC records. The contents of these field are unnecessary to debug most DNSSEC validation failures and removing them makes it easier to see the common failures. The default is to display the fields. When omitted they are replaced by the string "[omitted]" or in the DNSKEY case the key id is displayed as the replacement, e.g. "[ key id = value ]".
+Toggle the display of cryptographic fields in DNSSEC records\&. The contents of these field are unnecessary to debug most DNSSEC validation failures and removing them makes it easier to see the common failures\&. The default is to display the fields\&. When omitted they are replaced by the string "[omitted]" or in the DNSKEY case the key id is displayed as the replacement, e\&.g\&. "[ key id = value ]"\&.
 .RE
 .PP
 \fB+[no]defname\fR
@@ -361,7 +380,7 @@
 .PP
 \fB+[no]dnssec\fR
 .RS 4
-Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query.
+Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query\&.
 .RE
 .PP
 \fB+domain=somename\fR
@@ -370,26 +389,26 @@
 \fIsomename\fR, as if specified in a
 \fBdomain\fR
 directive in
-\fI/etc/resolv.conf\fR, and enable search list processing as if the
+/etc/resolv\&.conf, and enable search list processing as if the
 \fI+search\fR
-option were given.
+option were given\&.
 .RE
 .PP
 \fB+[no]edns[=#]\fR
 .RS 4
-Specify the EDNS version to query with. Valid values are 0 to 255. Setting the EDNS version will cause a EDNS query to be sent.
+Specify the EDNS version to query with\&. Valid values are 0 to 255\&. Setting the EDNS version will cause a EDNS query to be sent\&.
 \fB+noedns\fR
-clears the remembered EDNS version. EDNS is set to 0 by default.
+clears the remembered EDNS version\&. EDNS is set to 0 by default\&.
 .RE
 .PP
 \fB+[no]ednsflags[=#]\fR
 .RS 4
-Set the must\-be\-zero EDNS flags bits (Z bits) to the specified value. Decimal, hex and octal encodings are accepted. Setting a named flag (e.g. DO) will silently be ignored. By default, no Z bits are set.
+Set the must\-be\-zero EDNS flags bits (Z bits) to the specified value\&. Decimal, hex and octal encodings are accepted\&. Setting a named flag (e\&.g\&. DO) will silently be ignored\&. By default, no Z bits are set\&.
 .RE
 .PP
 \fB+[no]ednsnegotiation\fR
 .RS 4
-Enable / disable EDNS version negotiation. By default EDNS version negotiation is enabled.
+Enable / disable EDNS version negotiation\&. By default EDNS version negotiation is enabled\&.
 .RE
 .PP
 \fB+[no]ednsopt[=code[:value]]\fR
@@ -398,44 +417,44 @@
 \fBcode\fR
 and optionally payload of
 \fBvalue\fR
-as a hexadecimal string.
+as a hexadecimal string\&.
 \fB+noednsopt\fR
-clears the EDNS options to to be sent.
+clears the EDNS options to to be sent\&.
 .RE
 .PP
 \fB+[no]expire\fR
 .RS 4
-Send an EDNS Expire option.
+Send an EDNS Expire option\&.
 .RE
 .PP
 \fB+[no]fail\fR
 .RS 4
-Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behavior.
+Do not try the next server if you receive a SERVFAIL\&. The default is to not try the next server which is the reverse of normal stub resolver behavior\&.
 .RE
 .PP
 \fB+[no]identify\fR
 .RS 4
 Show [or do not show] the IP address and port number that supplied the answer when the
 \fI+short\fR
-option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer.
+option is enabled\&. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer\&.
 .RE
 .PP
 \fB+[no]ignore\fR
 .RS 4
-Ignore truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed.
+Ignore truncation in UDP responses instead of retrying with TCP\&. By default, TCP retries are performed\&.
 .RE
 .PP
 \fB+[no]keepopen\fR
 .RS 4
-Keep the TCP socket open between queries and reuse it rather than creating a new TCP socket for each lookup. The default is
-\fB+nokeepopen\fR.
+Keep the TCP socket open between queries and reuse it rather than creating a new TCP socket for each lookup\&. The default is
+\fB+nokeepopen\fR\&.
 .RE
 .PP
 \fB+[no]multiline\fR
 .RS 4
-Print records like the SOA records in a verbose multi\-line format with human\-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the
+Print records like the SOA records in a verbose multi\-line format with human\-readable comments\&. The default is to print each record on a single line, to facilitate machine parsing of the
 \fBdig\fR
-output.
+output\&.
 .RE
 .PP
 \fB+ndots=D\fR
@@ -444,112 +463,112 @@
 \fIname\fR
 to
 \fID\fR
-for it to be considered absolute. The default value is that defined using the ndots statement in
-\fI/etc/resolv.conf\fR, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the
+for it to be considered absolute\&. The default value is that defined using the ndots statement in
+/etc/resolv\&.conf, or 1 if no ndots statement is present\&. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the
 \fBsearch\fR
 or
 \fBdomain\fR
 directive in
-\fI/etc/resolv.conf\fR
+/etc/resolv\&.conf
 if
 \fB+search\fR
-is set.
+is set\&.
 .RE
 .PP
 \fB+[no]nsid\fR
 .RS 4
-Include an EDNS name server ID request when sending a query.
+Include an EDNS name server ID request when sending a query\&.
 .RE
 .PP
 \fB+[no]nssearch\fR
 .RS 4
 When this option is set,
 \fBdig\fR
-attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone.
+attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone\&.
 .RE
 .PP
 \fB+[no]onesoa\fR
 .RS 4
-Print only one (starting) SOA record when performing an AXFR. The default is to print both the starting and ending SOA records.
+Print only one (starting) SOA record when performing an AXFR\&. The default is to print both the starting and ending SOA records\&.
 .RE
 .PP
 \fB+[no]opcode=value\fR
 .RS 4
-Set [restore] the DNS message opcode to the specified value. The default value is QUERY (0).
+Set [restore] the DNS message opcode to the specified value\&. The default value is QUERY (0)\&.
 .RE
 .PP
 \fB+[no]qr\fR
 .RS 4
-Print [do not print] the query as it is sent. By default, the query is not printed.
+Print [do not print] the query as it is sent\&. By default, the query is not printed\&.
 .RE
 .PP
 \fB+[no]question\fR
 .RS 4
-Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment.
+Print [do not print] the question section of a query when an answer is returned\&. The default is to print the question section as a comment\&.
 .RE
 .PP
 \fB+[no]rdflag\fR
 .RS 4
 A synonym for
-\fI+[no]recurse\fR.
+\fI+[no]recurse\fR\&.
 .RE
 .PP
 \fB+[no]recurse\fR
 .RS 4
-Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means
+Toggle the setting of the RD (recursion desired) bit in the query\&. This bit is set by default, which means
 \fBdig\fR
-normally sends recursive queries. Recursion is automatically disabled when the
+normally sends recursive queries\&. Recursion is automatically disabled when the
 \fI+nssearch\fR
 or
 \fI+trace\fR
-query options are used.
+query options are used\&.
 .RE
 .PP
 \fB+retry=T\fR
 .RS 4
 Sets the number of times to retry UDP queries to server to
 \fIT\fR
-instead of the default, 2. Unlike
-\fI+tries\fR, this does not include the initial query.
+instead of the default, 2\&. Unlike
+\fI+tries\fR, this does not include the initial query\&.
 .RE
 .PP
 \fB+[no]rrcomments\fR
 .RS 4
-Toggle the display of per\-record comments in the output (for example, human\-readable key information about DNSKEY records). The default is not to print record comments unless multiline mode is active.
+Toggle the display of per\-record comments in the output (for example, human\-readable key information about DNSKEY records)\&. The default is not to print record comments unless multiline mode is active\&.
 .RE
 .PP
 \fB+[no]search\fR
 .RS 4
 Use [do not use] the search list defined by the searchlist or domain directive in
-\fIresolv.conf\fR
-(if any). The search list is not used by default.
+resolv\&.conf
+(if any)\&. The search list is not used by default\&.
 .sp
-\'ndots' from
-\fIresolv.conf\fR
+\*(Aqndots\*(Aq from
+resolv\&.conf
 (default 1) which may be overridden by
 \fI+ndots\fR
-determines if the name will be treated as relative or not and hence whether a search is eventually performed or not.
+determines if the name will be treated as relative or not and hence whether a search is eventually performed or not\&.
 .RE
 .PP
 \fB+[no]short\fR
 .RS 4
-Provide a terse answer. The default is to print the answer in a verbose form.
+Provide a terse answer\&. The default is to print the answer in a verbose form\&.
 .RE
 .PP
 \fB+[no]showsearch\fR
 .RS 4
-Perform [do not perform] a search showing intermediate results.
+Perform [do not perform] a search showing intermediate results\&.
 .RE
 .PP
 \fB+[no]sigchase\fR
 .RS 4
-Chase DNSSEC signature chains. Requires dig be compiled with \-DDIG_SIGCHASE.
+Chase DNSSEC signature chains\&. Requires dig be compiled with \-DDIG_SIGCHASE\&.
 .RE
 .PP
 \fB+[no]sit\fR\fB[=####]\fR
 .RS 4
-Send a Source Identity Token EDNS option, with optional value. Replaying a SIT from a previous response will allow the server to identify a previous client. The default is
-\fB+nosit\fR. Currently using experimental value 65001 for the option code.
+Send a Source Identity Token EDNS option, with optional value\&. Replaying a SIT from a previous response will allow the server to identify a previous client\&. The default is
+\fB+nosit\fR\&. Currently using experimental value 65001 for the option code\&.
 .RE
 .PP
 \fB+split=W\fR
@@ -558,91 +577,97 @@
 \fIW\fR
 characters (where
 \fIW\fR
-is rounded up to the nearest multiple of 4).
+is rounded up to the nearest multiple of 4)\&.
 \fI+nosplit\fR
 or
 \fI+split=0\fR
-causes fields not to be split at all. The default is 56 characters, or 44 characters when multiline mode is active.
+causes fields not to be split at all\&. The default is 56 characters, or 44 characters when multiline mode is active\&.
 .RE
 .PP
 \fB+[no]stats\fR
 .RS 4
-This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behavior is to print the query statistics.
+This query option toggles the printing of statistics: when the query was made, the size of the reply and so on\&. The default behavior is to print the query statistics\&.
 .RE
 .PP
-\fB+[no]subnet=addr/prefix\fR
+\fB+[no]subnet=addr[/prefix\-length]\fR
 .RS 4
-Send an EDNS Client Subnet option with the specified IP address or network prefix.
+Send (don\*(Aqt send) an EDNS Client Subnet option with the specified IP address or network prefix\&.
+.sp
+\fBdig +subnet=0\&.0\&.0\&.0/0\fR, or simply
+\fBdig +subnet=0\fR
+for short, sends an EDNS client\-subnet option with an empty address and a source prefix\-length of zero, which signals a resolver that the client\*(Aqs address information must
+\fInot\fR
+be used when resolving this query\&.
 .RE
 .PP
 \fB+[no]tcp\fR
 .RS 4
-Use [do not use] TCP when querying name servers. The default behavior is to use UDP unless an
+Use [do not use] TCP when querying name servers\&. The default behavior is to use UDP unless an
 ixfr=N
-query is requested, in which case the default is TCP. AXFR queries always use TCP.
+query is requested, in which case the default is TCP\&. AXFR queries always use TCP\&.
 .RE
 .PP
 \fB+time=T\fR
 .RS 4
 Sets the timeout for a query to
 \fIT\fR
-seconds. The default timeout is 5 seconds. An attempt to set
+seconds\&. The default timeout is 5 seconds\&. An attempt to set
 \fIT\fR
-to less than 1 will result in a query timeout of 1 second being applied.
+to less than 1 will result in a query timeout of 1 second being applied\&.
 .RE
 .PP
 \fB+[no]topdown\fR
 .RS 4
-When chasing DNSSEC signature chains perform a top\-down validation. Requires dig be compiled with \-DDIG_SIGCHASE.
+When chasing DNSSEC signature chains perform a top\-down validation\&. Requires dig be compiled with \-DDIG_SIGCHASE\&.
 .RE
 .PP
 \fB+[no]trace\fR
 .RS 4
-Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled,
+Toggle tracing of the delegation path from the root name servers for the name being looked up\&. Tracing is disabled by default\&. When tracing is enabled,
 \fBdig\fR
-makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup.
+makes iterative queries to resolve the name being looked up\&. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup\&.
 .sp
-If @server is also specified, it affects only the initial query for the root zone name servers.
+If @server is also specified, it affects only the initial query for the root zone name servers\&.
 .sp
 \fB+dnssec\fR
-is also set when +trace is set to better emulate the default queries from a nameserver.
+is also set when +trace is set to better emulate the default queries from a nameserver\&.
 .RE
 .PP
 \fB+tries=T\fR
 .RS 4
 Sets the number of times to try UDP queries to server to
 \fIT\fR
-instead of the default, 3. If
+instead of the default, 3\&. If
 \fIT\fR
-is less than or equal to zero, the number of tries is silently rounded up to 1.
+is less than or equal to zero, the number of tries is silently rounded up to 1\&.
 .RE
 .PP
 \fB+trusted\-key=####\fR
 .RS 4
 Specifies a file containing trusted keys to be used with
-\fB+sigchase\fR. Each DNSKEY record must be on its own line.
+\fB+sigchase\fR\&. Each DNSKEY record must be on its own line\&.
 .sp
 If not specified,
 \fBdig\fR
 will look for
-\fI/etc/trusted\-key.key\fR
+/etc/trusted\-key\&.key
 then
-\fItrusted\-key.key\fR
-in the current directory.
+trusted\-key\&.key
+in the current directory\&.
 .sp
-Requires dig be compiled with \-DDIG_SIGCHASE.
+Requires dig be compiled with \-DDIG_SIGCHASE\&.
 .RE
 .PP
 \fB+[no]ttlid\fR
 .RS 4
-Display [do not display] the TTL when printing the record.
+Display [do not display] the TTL when printing the record\&.
 .RE
 .PP
 \fB+[no]vc\fR
 .RS 4
-Use [do not use] TCP when querying name servers. This alternate syntax to
+Use [do not use] TCP when querying name servers\&. This alternate syntax to
 \fI+[no]tcp\fR
-is provided for backwards compatibility. The "vc" stands for "virtual circuit".
+is provided for backwards compatibility\&. The "vc" stands for "virtual circuit"\&.
 .RE
 .SH "MULTIPLE QUERIES"
 .PP
@@ -650,63 +675,71 @@
 \fBdig \fR
 supports specifying multiple queries on the command line (in addition to supporting the
 \fB\-f\fR
-batch file option). Each of those queries can be supplied with its own set of flags, options and query options.
+batch file option)\&. Each of those queries can be supplied with its own set of flags, options and query options\&.
 .PP
 In this case, each
 \fIquery\fR
-argument represent an individual query in the command\-line syntax described above. Each consists of any of the standard options and flags, the name to be looked up, an optional query type and class and any query options that should be applied to that query.
+argument represent an individual query in the command\-line syntax described above\&. Each consists of any of the standard options and flags, the name to be looked up, an optional query type and class and any query options that should be applied to that query\&.
 .PP
-A global set of query options, which should be applied to all queries, can also be supplied. These global query options must precede the first tuple of name, class, type, options, flags, and query options supplied on the command line. Any global query options (except the
+A global set of query options, which should be applied to all queries, can also be supplied\&. These global query options must precede the first tuple of name, class, type, options, flags, and query options supplied on the command line\&. Any global query options (except the
 \fB+[no]cmd\fR
-option) can be overridden by a query\-specific set of query options. For example:
+option) can be overridden by a query\-specific set of query options\&. For example:
 .sp
+.if n \{\
 .RS 4
+.\}
 .nf
-dig +qr www.isc.org any \-x 127.0.0.1 isc.org ns +noqr
+dig +qr www\&.isc\&.org any \-x 127\&.0\&.0\&.1 isc\&.org ns +noqr
 .fi
+.if n \{\
 .RE
+.\}
 .sp
 shows how
 \fBdig\fR
 could be used from the command line to make three lookups: an ANY query for
-www.isc.org, a reverse lookup of 127.0.0.1 and a query for the NS records of
-isc.org. A global query option of
+www\&.isc\&.org, a reverse lookup of 127\&.0\&.0\&.1 and a query for the NS records of
+isc\&.org\&. A global query option of
 \fI+qr\fR
 is applied, so that
 \fBdig\fR
-shows the initial query it made for each lookup. The final query has a local query option of
+shows the initial query it made for each lookup\&. The final query has a local query option of
 \fI+noqr\fR
 which means that
 \fBdig\fR
 will not print the initial query when it looks up the NS records for
-isc.org.
+isc\&.org\&.
 .SH "IDN SUPPORT"
 .PP
 If
 \fBdig\fR
-has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names.
+has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
 \fBdig\fR
-appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the
+appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, defines the
 \fBIDN_DISABLE\fR
-environment variable. The IDN support is disabled if the variable is set when
+environment variable\&. The IDN support is disabled if the variable is set when
 \fBdig\fR
-runs.
+runs\&.
 .SH "FILES"
 .PP
-\fI/etc/resolv.conf\fR
+/etc/resolv\&.conf
 .PP
-\fI${HOME}/.digrc\fR
+${HOME}/\&.digrc
 .SH "SEE ALSO"
 .PP
 \fBhost\fR(1),
 \fBnamed\fR(8),
-\fBdnssec\-keygen\fR(8),
-RFC1035.
+\fBdnssec-keygen\fR(8),
+RFC1035\&.
 .SH "BUGS"
 .PP
-There are probably too many query options.
+There are probably too many query options\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2011, 2013\-2015 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2004-2011, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
 .br
-Copyright \(co 2000\-2003 Internet Software Consortium.
+Copyright \(co 2000-2003 Internet Software Consortium.
 .br
--- a/external/bsd/bind/dist/bin/dig/dig.c	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/dig/dig.c	Thu May 26 16:49:55 2016 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dig.c,v 1.11 2015/12/17 04:00:40 christos Exp $	*/
+/*	$NetBSD: dig.c,v 1.12 2016/05/26 16:49:55 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -72,10 +72,12 @@
 static isc_boolean_t short_form = ISC_FALSE, printcmd = ISC_TRUE,
 	ip6_int = ISC_FALSE, plusquest = ISC_FALSE, pluscomm = ISC_FALSE,
 	multiline = ISC_FALSE, nottl = ISC_FALSE, noclass = ISC_FALSE,
-	onesoa = ISC_FALSE, rrcomments = ISC_FALSE, use_usec = ISC_FALSE,
-	nocrypto = ISC_FALSE;
+	onesoa = ISC_FALSE, use_usec = ISC_FALSE, nocrypto = ISC_FALSE;
 static isc_uint32_t splitwidth = 0xffffffff;
 
+/*% rrcomments are neither explicitly enabled nor disabled by default */
+static int rrcomments = 0;
+
 /*% opcode text */
 static const char * const opcodetext[] = {
 	"QUERY",
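Review bot: The new comment on `rrcomments` describes only the 0 state, while the rest of this commit relies on three values: `-1` is assigned for an explicit `+norrcomments`, `1` for `+rrcomments`, and the printing code tests `> 0` and `>= 0`. I would spell that out at the declaration, e.g. `/*% rrcomments: -1 = explicitly disabled, 0 = not set (on only in multiline mode), 1 = explicitly enabled */`, or use a small enum so the comparisons read by name.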
@@ -216,7 +218,7 @@
 "                 +[no]nsid           (Request Name Server ID)\n"
 "                 +[no]nssearch       (Search all authoritative nameservers)\n"
 "                 +[no]onesoa         (AXFR prints only one soa record)\n"
-"                 +[no]opcode=[###]   (Set the opcode of the request)\n"
+"                 +[no]opcode=###     (Set the opcode of the request)\n"
 "                 +[no]qr             (Print question before sending)\n"
 "                 +[no]question       (Control display of question section)\n"
 "                 +[no]recurse        (Recursive mode)\n"
@@ -346,7 +348,8 @@
 		ADD_STRING(buf, " ");
 	}
 
-	if (rrcomments)
+	/* Turn on rrcomments if explicitly enabled */
+	if (rrcomments > 0)
 		styleflags |= DNS_STYLEFLAG_RRCOMMENT;
 	if (nocrypto)
 		styleflags |= DNS_STYLEFLAG_NOCRYPTO;
@@ -436,10 +439,11 @@
 		styleflags |= DNS_STYLEFLAG_NO_TTL;
 	if (noclass)
 		styleflags |= DNS_STYLEFLAG_NO_CLASS;
-	if (rrcomments)
-		styleflags |= DNS_STYLEFLAG_RRCOMMENT;
 	if (nocrypto)
 		styleflags |= DNS_STYLEFLAG_NOCRYPTO;
+	/* Turn on rrcomments if explicitly enabled */
+	if (rrcomments > 0)
+		styleflags |= DNS_STYLEFLAG_RRCOMMENT;
 	if (multiline) {
 		styleflags |= DNS_STYLEFLAG_OMIT_OWNER;
 		styleflags |= DNS_STYLEFLAG_OMIT_CLASS;
@@ -448,7 +452,9 @@
 		styleflags |= DNS_STYLEFLAG_TTL;
 		styleflags |= DNS_STYLEFLAG_MULTILINE;
 		styleflags |= DNS_STYLEFLAG_COMMENT;
-		styleflags |= DNS_STYLEFLAG_RRCOMMENT;
+		/* Turn on rrcomments if not explicitly disabled */
+		if (rrcomments >= 0)
+			styleflags |= DNS_STYLEFLAG_RRCOMMENT;
 	}
 
 	if (multiline || (nottl && noclass))
@@ -489,7 +495,8 @@
 	styleflags |= DNS_STYLEFLAG_REL_OWNER;
 	if (query->lookup->comments)
 		styleflags |= DNS_STYLEFLAG_COMMENT;
-	if (rrcomments)
+	/* Turn on rrcomments if explicitly enabled */
+	if (rrcomments > 0)
 		styleflags |= DNS_STYLEFLAG_RRCOMMENT;
 	if (nottl)
 		styleflags |= DNS_STYLEFLAG_NO_TTL;
@@ -504,7 +511,9 @@
 		styleflags |= DNS_STYLEFLAG_OMIT_TTL;
 		styleflags |= DNS_STYLEFLAG_TTL;
 		styleflags |= DNS_STYLEFLAG_MULTILINE;
-		styleflags |= DNS_STYLEFLAG_RRCOMMENT;
+		/* Turn on rrcomments unless explicitly disabled */
+		if (rrcomments >= 0)
+			styleflags |= DNS_STYLEFLAG_RRCOMMENT;
 	}
 	if (multiline || (nottl && noclass))
 		result = dns_master_stylecreate2(&style, styleflags,
@@ -756,7 +765,7 @@
  */
 
 static void
-plus_option(char *option, isc_boolean_t is_batchfile,
+plus_option(const char *option, isc_boolean_t is_batchfile,
 	    dig_lookup_t *lookup)
 {
 	isc_result_t result;
@@ -771,7 +780,7 @@
 	strncpy(option_store, option, sizeof(option_store));
 	option_store[sizeof(option_store)-1]=0;
 	ptr = option_store;
-	cmd = next_token(&ptr,"=");
+	cmd = next_token(&ptr, "=");
 	if (cmd == NULL) {
 		printf(";; Invalid option %s\n", option_store);
 		return;
@@ -825,7 +834,6 @@
 			lookup->section_answer = state;
 			lookup->section_additional = state;
 			lookup->comments = state;
-			rrcomments = state;
 			lookup->stats = state;
 			printcmd = state;
 			break;
@@ -1063,13 +1071,13 @@
 					lookup->identify = ISC_TRUE;
 					lookup->stats = ISC_FALSE;
 					lookup->comments = ISC_FALSE;
-					rrcomments = ISC_FALSE;
 					lookup->section_additional = ISC_FALSE;
 					lookup->section_authority = ISC_FALSE;
 					lookup->section_question = ISC_FALSE;
 					lookup->rdtype = dns_rdatatype_ns;
 					lookup->rdtypeset = ISC_TRUE;
 					short_form = ISC_TRUE;
+					rrcomments = 0;
 				}
 				break;
 			default:
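Review bot: `rrcomments = 0;` in this branch resets the flag to "not set", so an explicit `+norrcomments` given earlier on the command line is forgotten and a later `+multiline` turns record comments back on, because the multiline paths test `rrcomments >= 0`. The `@@ -1327` hunk makes the same assignment, whereas the `@@ -1187` hunk assigns `-1`. If the intent is only to drop an explicit enable, `if (rrcomments > 0) rrcomments = 0;` would keep the user's explicit disable; if the full reset is intended, a comment saying so would help. The enclosing switch in plus_option starts and ends outside this hunk.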
@@ -1159,7 +1167,7 @@
 			break;
 		case 'r': /* rrcomments */
 			FULLCHECK("rrcomments");
-			rrcomments = state;
+			rrcomments = state ? 1 : -1;
 			break;
 		default:
 			goto invalid_option;
@@ -1187,8 +1195,8 @@
 					lookup->section_authority = ISC_FALSE;
 					lookup->section_question = ISC_FALSE;
 					lookup->comments = ISC_FALSE;
-					rrcomments = ISC_FALSE;
 					lookup->stats = ISC_FALSE;
+					rrcomments = -1;
 				}
 				break;
 			case 'w': /* showsearch */
@@ -1281,6 +1289,7 @@
 			}
 			if (lookup->edns == -1)
 				lookup->edns = 0;
+
 			result = parse_netprefix(&lookup->ecs_addr, value);
 			if (result != ISC_R_SUCCESS)
 				fatal("Couldn't parse client");
@@ -1327,7 +1336,7 @@
 					lookup->recurse = ISC_FALSE;
 					lookup->identify = ISC_TRUE;
 					lookup->comments = ISC_FALSE;
-					rrcomments = ISC_FALSE;
+					rrcomments = 0;
 					lookup->stats = ISC_FALSE;
 					lookup->section_additional = ISC_FALSE;
 					lookup->section_authority = ISC_TRUE;
@@ -1385,7 +1394,7 @@
 	invalid_option:
 	need_value:
 		fprintf(stderr, "Invalid option: +%s\n",
-			 option);
+			option);
 		usage();
 	}
 	return;
@@ -1615,14 +1624,14 @@
 				 value);
 		return (value_from_next);
 	case 'y':
-		ptr = next_token(&value,":");	/* hmac type or name */
+		ptr = next_token(&value, ":");	/* hmac type or name */
 		if (ptr == NULL) {
 			usage();
 		}
 		ptr2 = next_token(&value, ":");	/* name or secret */
 		if (ptr2 == NULL)
 			usage();
-		ptr3 = next_token(&value,":"); /* secret or NULL */
+		ptr3 = next_token(&value, ":"); /* secret or NULL */
 		if (ptr3 != NULL) {
 			parse_hmac(ptr);
 			ptr = ptr2;
--- a/external/bsd/bind/dist/bin/dig/dighost.c	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/dig/dighost.c	Thu May 26 16:49:55 2016 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dighost.c,v 1.17 2016/03/10 04:01:33 christos Exp $	*/
+/*	$NetBSD: dighost.c,v 1.18 2016/05/26 16:49:55 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
@@ -468,7 +468,7 @@
 
 static isc_result_t
 reverse_octets(const char *in, char **p, char *end) {
-	char *dot = strchr(in, '.');
+	const char *dot = strchr(in, '.');
 	int len;
 	if (dot != NULL) {
 		isc_result_t result;
@@ -1067,39 +1067,46 @@
 	isc_sockaddr_t *sa = NULL;
 	struct in_addr in4;
 	struct in6_addr in6;
-	isc_uint32_t netmask = 0;
+	isc_uint32_t prefix_length = 0xffffffff;
 	char *slash = NULL;
 	isc_boolean_t parsed = ISC_FALSE;
-
-	if ((slash = strchr(value, '/'))) {
+	char buf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:XXX.XXX.XXX.XXX/128")];
+
+	if (strlcpy(buf, value, sizeof(buf)) >= sizeof(buf))
+		fatal("invalid prefix '%s'\n", value);
+
+	slash = strchr(buf, '/');
+	if (slash != NULL) {
 		*slash = '\0';
-		result = isc_parse_uint32(&netmask, slash + 1, 10);
+		result = isc_parse_uint32(&prefix_length, slash + 1, 10);
 		if (result != ISC_R_SUCCESS) {
-			*slash = '/';
-			fatal("invalid prefix length '%s': %s\n",
+			fatal("invalid prefix length in '%s': %s\n",
 			      value, isc_result_totext(result));
 		}
 	}
 
+	if (strcmp(buf, "0") == 0) {
+		parsed = ISC_TRUE;
+		prefix_length = 0;
+	}
+
 	sa = isc_mem_allocate(mctx, sizeof(*sa));
 	if (sa == NULL)
 		fatal("out of memory");
-	if (inet_pton(AF_INET6, value, &in6) == 1) {
-		isc_sockaddr_fromin6(sa, &in6, 0);
+	if (inet_pton(AF_INET6, buf, &in6) == 1) {
 		parsed = ISC_TRUE;
-		if (netmask == 0 || netmask > 128)
-			netmask = 128;
-	} else if (inet_pton(AF_INET, value, &in4) == 1) {
+		isc_sockaddr_fromin6(sa, &in6, 0);
+		if (prefix_length > 128)
+			prefix_length = 128;
+	} else if (inet_pton(AF_INET, buf, &in4) == 1) {
 		parsed = ISC_TRUE;
 		isc_sockaddr_fromin(sa, &in4, 0);
-		if (netmask == 0 || netmask > 32)
-			netmask = 32;
-	} else if (netmask != 0) {
-		char buf[64];
+		if (prefix_length > 32)
+			prefix_length = 32;
+	} else if (prefix_length != 0xffffffff && prefix_length != 0) {
 		int i;
 
-		strlcpy(buf, value, sizeof(buf));
-		for (i = 0; i < 3; i++) {
+		for (i = 0; i < 3 && strlen(buf) < sizeof(buf) - 2; i++) {
 			strlcat(buf, ".0", sizeof(buf));
 			if (inet_pton(AF_INET, buf, &in4) == 1) {
 				parsed = ISC_TRUE;
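Review bot: On the `strcmp(buf, "0") == 0` shortcut `parsed` is set, but unless one of the `inet_pton()` calls also accepts the string, neither `isc_sockaddr_fromin()` nor `isc_sockaddr_fromin6()` runs. The freshly allocated `sa` is then returned with only `length` and `sa_family` assigned (in the next hunk) and every other field left as the allocator returned it. Nothing visible here reads those fields when the prefix length is zero, but I would still clear the structure right after the NULL check, `memset(sa, 0, sizeof(*sa));`, so later copies or comparisons of the sockaddr do not depend on heap contents. The function starts before this hunk and continues in the following one.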
@@ -1108,21 +1115,22 @@
 			}
 		}
 
-	}
-
-	if (slash != NULL)
-		*slash = '/';
+		if (prefix_length > 32)
+			prefix_length = 32;
+	}
 
 	if (!parsed)
 		fatal("invalid address '%s'", value);
 
-	sa->length = netmask;
+	sa->length = prefix_length;
+	if (prefix_length == 0)
+		sa->type.sa.sa_family = AF_UNSPEC;
+
 	*sap = sa;
 
 	return (ISC_R_SUCCESS);
 }
 
-
 /*
  * Parse HMAC algorithm specification
  */
@@ -2467,63 +2475,64 @@
 		}
 
 		if (lookup->ecs_addr != NULL) {
-			isc_uint32_t prefixlen;
+			isc_uint8_t addr[16], family, proto;
+			isc_uint32_t plen;
 			struct sockaddr *sa;
 			struct sockaddr_in *sin;
 			struct sockaddr_in6 *sin6;
-			const isc_uint8_t *addr;
 			size_t addrl;
-			isc_uint8_t mask;
 
 			sa = &lookup->ecs_addr->type.sa;
-			prefixlen = lookup->ecs_addr->length;
+			plen = lookup->ecs_addr->length;
 
 			/* Round up prefix len to a multiple of 8 */
-			addrl = (prefixlen + 7) / 8;
-			if (prefixlen % 8 == 0)
-				mask = 0xff;
-			else
-				mask = 0xffU << (8 - (prefixlen % 8));
+			addrl = (plen + 7) / 8;
 
 			INSIST(i < DNS_EDNSOPTIONS);
 			opts[i].code = DNS_OPT_CLIENT_SUBNET;
 			opts[i].length = (isc_uint16_t) addrl + 4;
 			check_result(result, "isc_buffer_allocate");
 			isc_buffer_init(&b, ecsbuf, sizeof(ecsbuf));
-			if (sa->sa_family == AF_INET) {
+
+			/* If prefix length is zero, don't set family */
+			proto = sa->sa_family;
+			if (plen == 0)
+				proto = AF_UNSPEC;
+
+			switch (proto) {
+			case AF_UNSPEC:
+				INSIST(plen == 0);
+				family = 0;
+				break;
+			case AF_INET:
+				family = 1;
 				sin = (struct sockaddr_in *) sa;
-				addr = (isc_uint8_t *) &sin->sin_addr;
-				/* family */
-				isc_buffer_putuint16(&b, 1);
-				/* source prefix-length */
-				isc_buffer_putuint8(&b, prefixlen);
-				/* scope prefix-length */
-				isc_buffer_putuint8(&b, 0);
-				/* address */
-				if (addrl > 0) {
-					isc_buffer_putmem(&b, addr, addrl - 1);
-					isc_buffer_putuint8(&b,
-							    (addr[addrl - 1] &
-							     mask));
-				}
-			} else {
+				memmove(addr, &sin->sin_addr, 4);
+				break;
+			case AF_INET6:
+				family = 2;
 				sin6 = (struct sockaddr_in6 *) sa;
-				addr = (isc_uint8_t *) &sin6->sin6_addr;
-				/* family */
-				isc_buffer_putuint16(&b, 2);
-				/* source prefix-length */
-				isc_buffer_putuint8(&b, prefixlen);
-				/* scope prefix-length */
-				isc_buffer_putuint8(&b, 0);
-				/* address */
-				if (addrl > 0) {
-					isc_buffer_putmem(&b, addr, addrl - 1);
-					isc_buffer_putuint8(&b,
-							    (addr[addrl - 1] &
-							     mask));
-				}
+				memmove(addr, &sin6->sin6_addr, 16);
+				break;
+			default:
+				INSIST(0);
 			}
 
+			/* Mask off last address byte */
+			if (addrl > 0 && (plen % 8) != 0)
+				addr[addrl - 1] &= ~0 << (8 - (plen % 8));
+
+			/* family */
+			isc_buffer_putuint16(&b, family);
+			/* source prefix-length */
+			isc_buffer_putuint8(&b, plen);
+			/* scope prefix-length */
+			isc_buffer_putuint8(&b, 0);
+			/* address */
+			if (addrl > 0)
+				isc_buffer_putmem(&b, addr,
+						  (unsigned)addrl);
+
 			opts[i].value = (isc_uint8_t *) ecsbuf;
 			i++;
 		}
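Review bot: The mask in `addr[addrl - 1] &= ~0 << (8 - (plen % 8));` left-shifts the signed int `~0` (that is, -1), which is undefined behaviour in C; the removed code shifted the unsigned `0xffU`. Writing `addr[addrl - 1] &= ~0U << (8 - (plen % 8));` keeps the result well defined. Separately, `addr[16]` is filled with only 4 bytes for AF_INET while `addrl` is derived from `plen`, so this block relies on the length having been clamped to 32 elsewhere; a `memset(addr, 0, sizeof(addr));` before the switch would guarantee that no uninitialised stack bytes can reach `isc_buffer_putmem()` if that invariant ever stops holding. The enclosing function lies outside the hunk.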
@@ -3768,6 +3777,8 @@
 		l->edns = newedns;
 		n = requeue_lookup(l, ISC_TRUE);
 		n->origin = query->lookup->origin;
+		if (l->trace && l->trace_root)
+			n->rdtype = l->qrdtype;
 		dns_message_destroy(&msg);
 		isc_event_free(&event);
 		clear_query(query);
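Review bot: The added `if (l->trace && l->trace_root) n->rdtype = l->qrdtype;` has no comment explaining why the requeued lookup needs its type reset only in this state, and the identical pair is repeated in the `@@ -3787` hunk. A short comment at both sites would help, presumably along the lines of `/* a retried +trace root query must ask for the originally requested type */`, to be confirmed against how `qrdtype` is set, which is not visible here. The surrounding function starts and ends outside the hunk.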
@@ -3787,6 +3798,8 @@
 		n = requeue_lookup(l, ISC_TRUE);
 		n->tcp_mode = ISC_TRUE;
 		n->origin = query->lookup->origin;
+		if (l->trace && l->trace_root)
+			n->rdtype = l->qrdtype;
 		dns_message_destroy(&msg);
 		isc_event_free(&event);
 		clear_query(query);
--- a/external/bsd/bind/dist/bin/dig/host.1	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/dig/host.1	Thu May 26 16:49:55 2016 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: host.1,v 1.5 2014/12/10 04:37:51 christos Exp $
+.\"	$NetBSD: host.1,v 1.6 2016/05/26 16:49:55 christos Exp $
 .\"
-.\" Copyright (C) 2004, 2005, 2007-2009, 2014 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007-2009, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2002 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -15,43 +15,58 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" Id
-.\"
 .hy 0
 .ad l
+'\" t
 .\"     Title: host
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: January 20, 2009
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2009-01-20
 .\"    Manual: BIND9
-.\"    Source: BIND9
+.\"    Source: ISC
+.\"  Language: English
 .\"
-.TH "HOST" "1" "January 20, 2009" "BIND9" "BIND9"
+.TH "HOST" "1" "2009\-01\-20" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
 .SH "NAME"
 host \- DNS lookup utility
 .SH "SYNOPSIS"
-.HP 5
+.HP \w'\fBhost\fR\ 'u
 \fBhost\fR [\fB\-aCdlnrsTwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [\fB\-v\fR] [\fB\-V\fR] {name} [server]
 .SH "DESCRIPTION"
 .PP
 \fBhost\fR
-is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. When no arguments or options are given,
+is a simple utility for performing DNS lookups\&. It is normally used to convert names to IP addresses and vice versa\&. When no arguments or options are given,
 \fBhost\fR
-prints a short summary of its command line arguments and options.
+prints a short summary of its command line arguments and options\&.
 .PP
 \fIname\fR
-is the domain name that is to be looked up. It can also be a dotted\-decimal IPv4 address or a colon\-delimited IPv6 address, in which case
+is the domain name that is to be looked up\&. It can also be a dotted\-decimal IPv4 address or a colon\-delimited IPv6 address, in which case
 \fBhost\fR
-will by default perform a reverse lookup for that address.
+will by default perform a reverse lookup for that address\&.
 \fIserver\fR
 is an optional argument which is either the name or IP address of the name server that
 \fBhost\fR
 should query instead of the server or servers listed in
-\fI/etc/resolv.conf\fR.
+/etc/resolv\&.conf\&.
 .PP
 The
 \fB\-a\fR
@@ -59,7 +74,7 @@
 \fB\-v\fR
 option and asking
 \fBhost\fR
-to make a query of type ANY.
+to make a query of type ANY\&.
 .PP
 When the
 \fB\-C\fR
@@ -67,12 +82,12 @@
 \fBhost\fR
 will attempt to display the SOA records for zone
 \fIname\fR
-from all the listed authoritative name servers for that zone. The list of name servers is defined by the NS records that are found for the zone.
+from all the listed authoritative name servers for that zone\&. The list of name servers is defined by the NS records that are found for the zone\&.
 .PP
 The
 \fB\-c\fR
 option instructs to make a DNS query of class
-\fIclass\fR. This can be used to lookup Hesiod or Chaosnet class resource records. The default class is IN (Internet).
+\fIclass\fR\&. This can be used to lookup Hesiod or Chaosnet class resource records\&. The default class is IN (Internet)\&.
 .PP
 Verbose output is generated by
 \fBhost\fR
@@ -80,114 +95,113 @@
 \fB\-d\fR
 or
 \fB\-v\fR
-option is used. The two options are equivalent. They have been provided for backwards compatibility. In previous versions, the
+option is used\&. The two options are equivalent\&. They have been provided for backwards compatibility\&. In previous versions, the
 \fB\-d\fR
 option switched on debugging traces and
 \fB\-v\fR
-enabled verbose output.
+enabled verbose output\&.
 .PP
 List mode is selected by the
 \fB\-l\fR
-option. This makes
+option\&. This makes
 \fBhost\fR
 perform a zone transfer for zone
-\fIname\fR. Transfer the zone printing out the NS, PTR and address records (A/AAAA). If combined with
+\fIname\fR\&. Transfer the zone printing out the NS, PTR and address records (A/AAAA)\&. If combined with
 \fB\-a\fR
-all records will be printed.
+all records will be printed\&.
 .PP
 The
 \fB\-i\fR
-option specifies that reverse lookups of IPv6 addresses should use the IP6.INT domain as defined in RFC1886. The default is to use IP6.ARPA.
+option specifies that reverse lookups of IPv6 addresses should use the IP6\&.INT domain as defined in RFC1886\&. The default is to use IP6\&.ARPA\&.
 .PP
 The
 \fB\-N\fR
 option sets the number of dots that have to be in
 \fIname\fR
-for it to be considered absolute. The default value is that defined using the ndots statement in
-\fI/etc/resolv.conf\fR, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the
+for it to be considered absolute\&. The default value is that defined using the ndots statement in
+/etc/resolv\&.conf, or 1 if no ndots statement is present\&. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the
 \fBsearch\fR
 or
 \fBdomain\fR
 directive in
-\fI/etc/resolv.conf\fR.
+/etc/resolv\&.conf\&.
 .PP
 The number of UDP retries for a lookup can be changed with the
 \fB\-R\fR
-option.
+option\&.
 \fInumber\fR
 indicates how many times
 \fBhost\fR
-will repeat a query that does not get answered. The default number of retries is 1. If
+will repeat a query that does not get answered\&. The default number of retries is 1\&. If
 \fInumber\fR
-is negative or zero, the number of retries will default to 1.
+is negative or zero, the number of retries will default to 1\&.
 .PP
 Non\-recursive queries can be made via the
 \fB\-r\fR
-option. Setting this option clears the
+option\&. Setting this option clears the
 \fBRD\fR
 \(em recursion desired \(em bit in the query which
 \fBhost\fR
-makes. This should mean that the name server receiving the query will not attempt to resolve
-\fIname\fR. The
+makes\&. This should mean that the name server receiving the query will not attempt to resolve
+\fIname\fR\&. The
 \fB\-r\fR
 option enables
 \fBhost\fR
-to mimic the behavior of a name server by making non\-recursive queries and expecting to receive answers to those queries that are usually referrals to other name servers.
+to mimic the behavior of a name server by making non\-recursive queries and expecting to receive answers to those queries that are usually referrals to other name servers\&.
 .PP
 By default,
 \fBhost\fR
-uses UDP when making queries. The
+uses UDP when making queries\&. The
 \fB\-T\fR
-option makes it use a TCP connection when querying the name server. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests.
+option makes it use a TCP connection when querying the name server\&. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests\&.
 .PP
 The
 \fB\-4\fR
 option forces
 \fBhost\fR
-to only use IPv4 query transport. The
+to only use IPv4 query transport\&. The
 \fB\-6\fR
 option forces
 \fBhost\fR
-to only use IPv6 query transport.
+to only use IPv6 query transport\&.
 .PP
 The
 \fB\-t\fR
-option is used to select the query type.
+option is used to select the query type\&.
 \fItype\fR
-can be any recognized query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
+can be any recognized query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc\&. When no query type is specified,
 \fBhost\fR
-automatically selects an appropriate query type. By default, it looks for A, AAAA, and MX records, but if the
+automatically selects an appropriate query type\&. By default, it looks for A, AAAA, and MX records, but if the
 \fB\-C\fR
 option was given, queries will be made for SOA records, and if
 \fIname\fR
 is a dotted\-decimal IPv4 address or colon\-delimited IPv6 address,
 \fBhost\fR
-will query for PTR records. If a query type of IXFR is chosen the starting serial number can be specified by appending an equal followed by the starting serial number (e.g. \-t IXFR=12345678).
+will query for PTR records\&. If a query type of IXFR is chosen the starting serial number can be specified by appending an equal followed by the starting serial number (e\&.g\&. \-t IXFR=12345678)\&.
 .PP
 The time to wait for a reply can be controlled through the
 \fB\-W\fR
 and
 \fB\-w\fR
-options. The
+options\&. The
 \fB\-W\fR
 option makes
 \fBhost\fR
 wait for
 \fIwait\fR
-seconds. If
+seconds\&. If
 \fIwait\fR
-is less than one, the wait interval is set to one second. When the
+is less than one, the wait interval is set to one second\&. When the
 \fB\-w\fR
 option is used,
 \fBhost\fR
-will effectively wait forever for a reply. The time to wait for a response will be set to the number of seconds given by the hardware's maximum value for an integer quantity.
+will effectively wait forever for a reply\&. The time to wait for a response will be set to the number of seconds given by the hardware\*(Aqs maximum value for an integer quantity\&.
 .PP
 The
 \fB\-s\fR
 option tells
-\fBhost\fR
-\fInot\fR
-to send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behavior.
+\fBhost\fR\fInot\fR
+to send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behavior\&.
 .PP
 The
 \fB\-m\fR
@@ -195,33 +209,37 @@
 \fIrecord\fR,
 \fIusage\fR
 and
-\fItrace\fR.
+\fItrace\fR\&.
 .PP
 The
 \fB\-V\fR
 option causes
 \fBhost\fR
-to print the version number and exit.
+to print the version number and exit\&.
 .SH "IDN SUPPORT"
 .PP
 If
 \fBhost\fR
-has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names.
+has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
 \fBhost\fR
-appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the
+appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, defines the
 \fBIDN_DISABLE\fR
-environment variable. The IDN support is disabled if the variable is set when
+environment variable\&. The IDN support is disabled if the variable is set when
 \fBhost\fR
-runs.
+runs\&.
 .SH "FILES"
 .PP
-\fI/etc/resolv.conf\fR
+/etc/resolv\&.conf
 .SH "SEE ALSO"
 .PP
 \fBdig\fR(1),
-\fBnamed\fR(8).
+\fBnamed\fR(8)\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007\-2009, 2014 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2004, 2005, 2007-2009, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 .br
-Copyright \(co 2000\-2002 Internet Software Consortium.
+Copyright \(co 2000-2002 Internet Software Consortium.
 .br
--- a/external/bsd/bind/dist/bin/dig/nslookup.1	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/dig/nslookup.1	Thu May 26 16:49:55 2016 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: nslookup.1,v 1.7 2014/12/10 04:37:51 christos Exp $
+.\"	$NetBSD: nslookup.1,v 1.8 2016/05/26 16:49:55 christos Exp $
 .\"
-.\" Copyright (C) 2004-2007, 2010, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007, 2010, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,68 +14,100 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" Id
-.\"
 .hy 0
 .ad l
+'\" t
 .\"     Title: nslookup
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: January 24, 2014
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2014-01-24
 .\"    Manual: BIND9
-.\"    Source: BIND9
+.\"    Source: ISC
+.\"  Language: English
 .\"
-.TH "NSLOOKUP" "1" "January 24, 2014" "BIND9" "BIND9"
+.TH "NSLOOKUP" "1" "2014\-01\-24" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
 .SH "NAME"
 nslookup \- query Internet name servers interactively
 .SH "SYNOPSIS"
-.HP 9
+.HP \w'\fBnslookup\fR\ 'u
 \fBnslookup\fR [\fB\-option\fR] [name\ |\ \-] [server]
 .SH "DESCRIPTION"
 .PP
 \fBNslookup\fR
-is a program to query Internet domain name servers.
+is a program to query Internet domain name servers\&.
 \fBNslookup\fR
-has two modes: interactive and non\-interactive. Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain. Non\-interactive mode is used to print just the name and requested information for a host or domain.
+has two modes: interactive and non\-interactive\&. Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain\&. Non\-interactive mode is used to print just the name and requested information for a host or domain\&.
 .SH "ARGUMENTS"
 .PP
 Interactive mode is entered in the following cases:
-.TP 4
-1.
+.sp
+.RS 4
+.ie n \{\
+\h'-04' 1.\h'+01'\c
+.\}
+.el \{\
+.sp -1
+.IP "  1." 4.2
+.\}
 when no arguments are given (the default name server will be used)
-.TP 4
-2.
-when the first argument is a hyphen (\-) and the second argument is the host name or Internet address of a name server.
+.RE
 .sp
+.RS 4
+.ie n \{\
+\h'-04' 2.\h'+01'\c
+.\}
+.el \{\
+.sp -1
+.IP "  2." 4.2
+.\}
+when the first argument is a hyphen (\-) and the second argument is the host name or Internet address of a name server\&.
 .RE
 .PP
-Non\-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The optional second argument specifies the host name or address of a name server.
+Non\-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument\&. The optional second argument specifies the host name or address of a name server\&.
 .PP
-Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type:
+Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen\&. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type:
 .sp
+.if n \{\
 .RS 4
+.\}
 .nf
 nslookup \-query=hinfo  \-timeout=10
 .fi
+.if n \{\
 .RE
-.sp
+.\}
 .PP
 The
 \fB\-version\fR
 option causes
 \fBnslookup\fR
-to print the version number and immediately exits.
+to print the version number and immediately exits\&.
 .SH "INTERACTIVE COMMANDS"
 .PP
 \fBhost\fR [server]
 .RS 4
-Look up information for host using the current default server or using server, if specified. If host is an Internet address and the query type is A or PTR, the name of the host is returned. If host is a name and does not have a trailing period, the search list is used to qualify the name.
+Look up information for host using the current default server or using server, if specified\&. If host is an Internet address and the query type is A or PTR, the name of the host is returned\&. If host is a name and does not have a trailing period, the search list is used to qualify the name\&.
 .sp
-To look up a host not in the current domain, append a period to the name.
+To look up a host not in the current domain, append a period to the name\&.
 .RE
 .PP
 \fBserver\fR \fIdomain\fR
@@ -90,7 +122,7 @@
 uses the initial server to look up information about
 \fIdomain\fR, while
 \fBserver\fR
-uses the current default server. If an authoritative answer can't be found, the names of servers that might have the answer are returned.
+uses the current default server\&. If an authoritative answer can\*(Aqt be found, the names of servers that might have the answer are returned\&.
 .RE
 .PP
 \fBroot\fR
@@ -125,24 +157,22 @@
 .PP
 \fBexit\fR
 .RS 4
-Exits the program.
+Exits the program\&.
 .RE
 .PP
 \fBset\fR \fIkeyword\fR\fI[=value]\fR
 .RS 4
-This command is used to change state information that affects the lookups. Valid keywords are:
-.RS 4
+This command is used to change state information that affects the lookups\&. Valid keywords are:
 .PP
 \fBall\fR
 .RS 4
 Prints the current values of the frequently used options to
-\fBset\fR. Information about the current default server and host is also printed.
+\fBset\fR\&. Information about the current default server and host is also printed\&.
 .RE
 .PP
 \fBclass=\fR\fIvalue\fR
 .RS 4
 Change the query class to one of:
-.RS 4
 .PP
 \fBIN\fR
 .RS 4
@@ -163,16 +193,15 @@
 .RS 4
 wildcard
 .RE
-.RE
-.IP "" 4
-The class specifies the protocol group of the information.
+.sp
+The class specifies the protocol group of the information\&.
 .sp
 (Default = IN; abbreviation = cl)
 .RE
 .PP
 \fB \fR\fB\fI[no]\fR\fR\fBdebug\fR
 .RS 4
-Turn on or off the display of the full response packet and any intermediate response packets when searching.
+Turn on or off the display of the full response packet and any intermediate response packets when searching\&.
 .sp
 (Default = nodebug; abbreviation =
 [no]deb)
@@ -180,7 +209,7 @@
 .PP
 \fB \fR\fB\fI[no]\fR\fR\fBd2\fR
 .RS 4
-Turn debugging mode on or off. This displays more about what nslookup is doing.
+Turn debugging mode on or off\&. This displays more about what nslookup is doing\&.
 .sp
 (Default = nod2)
 .RE
@@ -188,12 +217,12 @@
 \fBdomain=\fR\fIname\fR
 .RS 4
 Sets the search list to
-\fIname\fR.
+\fIname\fR\&.
 .RE
 .PP
 \fB \fR\fB\fI[no]\fR\fR\fBsearch\fR
 .RS 4
-If the lookup request contains at least one period but doesn't end with a trailing period, append the domain names in the domain search list to the request until an answer is received.
+If the lookup request contains at least one period but doesn\*(Aqt end with a trailing period, append the domain names in the domain search list to the request until an answer is received\&.
 .sp
 (Default = search)
 .RE
@@ -201,7 +230,7 @@
 \fBport=\fR\fIvalue\fR
 .RS 4
 Change the default TCP/UDP name server port to
-\fIvalue\fR.
+\fIvalue\fR\&.
 .sp
 (Default = 53; abbreviation = po)
 .RE
@@ -212,60 +241,64 @@
 .PP
 \fBtype=\fR\fIvalue\fR
 .RS 4
-Change the type of the information query.
+Change the type of the information query\&.
 .sp
 (Default = A; abbreviations = q, ty)
 .RE
 .PP
 \fB \fR\fB\fI[no]\fR\fR\fBrecurse\fR
 .RS 4
-Tell the name server to query other servers if it does not have the information.
+Tell the name server to query other servers if it does not have the information\&.
 .sp
 (Default = recurse; abbreviation = [no]rec)
 .RE
 .PP
 \fBndots=\fR\fInumber\fR
 .RS 4
-Set the number of dots (label separators) in a domain that will disable searching. Absolute names always stop searching.
+Set the number of dots (label separators) in a domain that will disable searching\&. Absolute names always stop searching\&.
 .RE
 .PP
 \fBretry=\fR\fInumber\fR
 .RS 4
-Set the number of retries to number.
+Set the number of retries to number\&.
 .RE
 .PP
 \fBtimeout=\fR\fInumber\fR
 .RS 4
-Change the initial timeout interval for waiting for a reply to number seconds.
+Change the initial timeout interval for waiting for a reply to number seconds\&.
 .RE
 .PP
 \fB \fR\fB\fI[no]\fR\fR\fBvc\fR
 .RS 4
-Always use a virtual circuit when sending requests to the server.
+Always use a virtual circuit when sending requests to the server\&.
 .sp
 (Default = novc)
 .RE
 .PP
 \fB \fR\fB\fI[no]\fR\fR\fBfail\fR
 .RS 4
-Try the next nameserver if a nameserver responds with SERVFAIL or a referral (nofail) or terminate query (fail) on such a response.
+Try the next nameserver if a nameserver responds with SERVFAIL or a referral (nofail) or terminate query (fail) on such a response\&.
 .sp
 (Default = nofail)
 .RE
+.sp
 .RE
-.IP "" 4
-.RE
+.SH "RETURN VALUES"
+.PP
+\fBnslookup\fR
+returns with an exit status of 1 if any query failed, and 0 otherwise\&.
 .SH "FILES"
 .PP
-\fI/etc/resolv.conf\fR
+/etc/resolv\&.conf
 .SH "SEE ALSO"
 .PP
 \fBdig\fR(1),
 \fBhost\fR(1),
-\fBnamed\fR(8).
+\fBnamed\fR(8)\&.
 .SH "AUTHOR"
 .PP
-Andrew Cherenson
+\fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2007, 2010, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
 .br
+Copyright \(co 2004-2007, 2010, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+.br
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.8	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.8	Thu May 26 16:49:55 2016 +0000
@@ -1,4 +1,4 @@
-.\"	$NetBSD: dnssec-dsfromkey.8,v 1.8 2015/12/17 04:00:41 christos Exp $
+.\"	$NetBSD: dnssec-dsfromkey.8,v 1.9 2016/05/26 16:49:55 christos Exp $
 .\"
 .\" Copyright (C) 2008-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 .\" 
@@ -14,163 +14,179 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" Id
-.\"
 .hy 0
 .ad l
-.\"     Title: dnssec\-dsfromkey
+'\" t
+.\"     Title: dnssec-dsfromkey
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: May 02, 2012
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2012-05-02
 .\"    Manual: BIND9
-.\"    Source: BIND9
+.\"    Source: ISC
+.\"  Language: English
 .\"
-.TH "DNSSEC\-DSFROMKEY" "8" "May 02, 2012" "BIND9" "BIND9"
+.TH "DNSSEC\-DSFROMKEY" "8" "2012\-05\-02" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
 .SH "NAME"
-dnssec\-dsfromkey \- DNSSEC DS RR generation tool
+dnssec-dsfromkey \- DNSSEC DS RR generation tool
 .SH "SYNOPSIS"
-.HP 17
+.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
 \fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] {keyfile}
-.HP 17
+.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
 \fBdnssec\-dsfromkey\fR {\-s} [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-s\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-A\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {dnsname}
-.HP 17
+.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
 \fBdnssec\-dsfromkey\fR [\fB\-h\fR] [\fB\-V\fR]
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-dsfromkey\fR
-outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).
+outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s)\&.
 .SH "OPTIONS"
 .PP
 \-1
 .RS 4
-Use SHA\-1 as the digest algorithm (the default is to use both SHA\-1 and SHA\-256).
+Use SHA\-1 as the digest algorithm (the default is to use both SHA\-1 and SHA\-256)\&.
 .RE
 .PP
 \-2
 .RS 4
-Use SHA\-256 as the digest algorithm.
+Use SHA\-256 as the digest algorithm\&.
 .RE
 .PP
 \-a \fIalgorithm\fR
 .RS 4
-Select the digest algorithm. The value of
+Select the digest algorithm\&. The value of
 \fBalgorithm\fR
-must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST or SHA\-384 (SHA384). These values are case insensitive.
+must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST or SHA\-384 (SHA384)\&. These values are case insensitive\&.
 .RE
 .PP
 \-C
 .RS 4
-Generate CDS records rather than DS records. This is mutually exclusive with generating lookaside records.
+Generate CDS records rather than DS records\&. This is mutually exclusive with generating lookaside records\&.
 .RE
 .PP
 \-T \fITTL\fR
 .RS 4
-Specifies the TTL of the DS records.
+Specifies the TTL of the DS records\&.
 .RE
 .PP
 \-K \fIdirectory\fR
 .RS 4
 Look for key files (or, in keyset mode,
-\fIkeyset\-\fR
+keyset\-
 files) in
-\fBdirectory\fR.
+\fBdirectory\fR\&.
 .RE
 .PP
 \-f \fIfile\fR
 .RS 4
 Zone file mode: in place of the keyfile name, the argument is the DNS domain name of a zone master file, which can be read from
-\fBfile\fR. If the zone name is the same as
-\fBfile\fR, then it may be omitted.
+\fBfile\fR\&. If the zone name is the same as
+\fBfile\fR, then it may be omitted\&.
 .sp
 If
 \fBfile\fR
 is set to
-"\-", then the zone data is read from the standard input. This makes it possible to use the output of the
+"\-", then the zone data is read from the standard input\&. This makes it possible to use the output of the
 \fBdig\fR
 command as input, as in:
 .sp
-\fBdig dnskey example.com | dnssec\-dsfromkey \-f \- example.com\fR
+\fBdig dnskey example\&.com | dnssec\-dsfromkey \-f \- example\&.com\fR
 .RE
 .PP
 \-A
 .RS 4
-Include ZSK's when generating DS records. Without this option, only keys which have the KSK flag set will be converted to DS records and printed. Useful only in zone file mode.
+Include ZSK\*(Aqs when generating DS records\&. Without this option, only keys which have the KSK flag set will be converted to DS records and printed\&. Useful only in zone file mode\&.
 .RE
 .PP
 \-l \fIdomain\fR
 .RS 4
-Generate a DLV set instead of a DS set. The specified
+Generate a DLV set instead of a DS set\&. The specified
 \fBdomain\fR
-is appended to the name for each record in the set. The DNSSEC Lookaside Validation (DLV) RR is described in RFC 4431. This is mutually exclusive with generating CDS records.
+is appended to the name for each record in the set\&. The DNSSEC Lookaside Validation (DLV) RR is described in RFC 4431\&. This is mutually exclusive with generating CDS records\&.
 .RE
 .PP
 \-s
 .RS 4
-Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file.
+Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file\&.
 .RE
 .PP
 \-c \fIclass\fR
 .RS 4
-Specifies the DNS class (default is IN). Useful only in keyset or zone file mode.
+Specifies the DNS class (default is IN)\&. Useful only in keyset or zone file mode\&.
 .RE
 .PP
 \-v \fIlevel\fR
 .RS 4
-Sets the debugging level.
+Sets the debugging level\&.
 .RE
 .PP
 \-h
 .RS 4
-Prints usage information.
+Prints usage information\&.
 .RE
 .PP
 \-V
 .RS 4
-Prints version information.
+Prints version information\&.
 .RE
 .SH "EXAMPLE"
 .PP
 To build the SHA\-256 DS RR from the
-\fBKexample.com.+003+26160\fR
+\fBKexample\&.com\&.+003+26160\fR
 keyfile name, the following command would be issued:
 .PP
-\fBdnssec\-dsfromkey \-2 Kexample.com.+003+26160\fR
+\fBdnssec\-dsfromkey \-2 Kexample\&.com\&.+003+26160\fR
 .PP
 The command would print something like:
 .PP
-\fBexample.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94\fR
+\fBexample\&.com\&. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94\fR
 .SH "FILES"
 .PP
 The keyfile can be designed by the key identification
-\fIKnnnn.+aaa+iiiii\fR
+Knnnn\&.+aaa+iiiii
 or the full file name
-\fIKnnnn.+aaa+iiiii.key\fR
+Knnnn\&.+aaa+iiiii\&.key
 as generated by
-dnssec\-keygen(8).
+dnssec\-keygen(8)\&.
 .PP
 The keyset file name is built from the
 \fBdirectory\fR, the string
-\fIkeyset\-\fR
+keyset\-
 and the
-\fBdnsname\fR.
+\fBdnsname\fR\&.
 .SH "CAVEAT"
 .PP
-A keyfile error can give a "file not found" even if the file exists.
+A keyfile error can give a "file not found" even if the file exists\&.
 .SH "SEE ALSO"
 .PP
-\fBdnssec\-keygen\fR(8),
-\fBdnssec\-signzone\fR(8),
+\fBdnssec-keygen\fR(8),
+\fBdnssec-signzone\fR(8),
 BIND 9 Administrator Reference Manual,
 RFC 3658,
-RFC 4431.
-RFC 4509.
+RFC 4431\&.
+RFC 4509\&.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
+\fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
-Copyright \(co 2008\-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 .br
+Copyright \(co 2008-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+.br
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-importkey.8	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-importkey.8	Thu May 26 16:49:55 2016 +0000
@@ -1,122 +1,138 @@
-.\"	$NetBSD: dnssec-importkey.8,v 1.4 2014/12/10 04:37:51 christos Exp $
+.\"	$NetBSD: dnssec-importkey.8,v 1.5 2016/05/26 16:49:55 christos Exp $
 .\"
-.\" Copyright (C) 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
-.\"
+.\" Copyright (C) 2013-2015 Internet Systems Consortium, Inc. ("ISC")
+.\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\"
+.\" 
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" Id
-.\"
 .hy 0
 .ad l
-.\"     Title: dnssec\-importkey
+'\" t
+.\"     Title: dnssec-importkey
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: February 20, 2014
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2014-02-20
 .\"    Manual: BIND9
-.\"    Source: BIND9
+.\"    Source: ISC
+.\"  Language: English
 .\"
-.TH "DNSSEC\-IMPORTKEY" "8" "February 20, 2014" "BIND9" "BIND9"
+.TH "DNSSEC\-IMPORTKEY" "8" "2014\-02\-20" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
 .SH "NAME"
-dnssec\-importkey \- Import DNSKEY records from external systems so they can be managed.
+dnssec-importkey \- import DNSKEY records from external systems so they can be managed
 .SH "SYNOPSIS"
-.HP 17
+.HP \w'\fBdnssec\-importkey\fR\ 'u
 \fBdnssec\-importkey\fR [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {\fBkeyfile\fR}
-.HP 17
+.HP \w'\fBdnssec\-importkey\fR\ 'u
 \fBdnssec\-importkey\fR {\fB\-f\ \fR\fB\fIfilename\fR\fR} [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fBdnsname\fR]
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-importkey\fR
-reads a public DNSKEY record and generates a pair of .key/.private files. The DNSKEY record may be read from an existing .key file, in which case a corresponding .private file will be generated, or it may be read from any other file or from the standard input, in which case both .key and .private files will be generated.
+reads a public DNSKEY record and generates a pair of \&.key/\&.private files\&. The DNSKEY record may be read from an existing \&.key file, in which case a corresponding \&.private file will be generated, or it may be read from any other file or from the standard input, in which case both \&.key and \&.private files will be generated\&.
 .PP
-The newly\-created .private file does
+The newly\-created \&.private file does
 \fInot\fR
-contain private key data, and cannot be used for signing. However, having a .private file makes it possible to set publication (\fB\-P\fR) and deletion (\fB\-D\fR) times for the key, which means the public key can be added to and removed from the DNSKEY RRset on schedule even if the true private key is stored offline.
+contain private key data, and cannot be used for signing\&. However, having a \&.private file makes it possible to set publication (\fB\-P\fR) and deletion (\fB\-D\fR) times for the key, which means the public key can be added to and removed from the DNSKEY RRset on schedule even if the true private key is stored offline\&.
 .SH "OPTIONS"
 .PP
 \-f \fIfilename\fR
 .RS 4
 Zone file mode: instead of a public keyfile name, the argument is the DNS domain name of a zone master file, which can be read from
-\fBfile\fR. If the domain name is the same as
-\fBfile\fR, then it may be omitted.
+\fBfile\fR\&. If the domain name is the same as
+\fBfile\fR, then it may be omitted\&.
 .sp
 If
 \fBfile\fR
 is set to
-"\-", then the zone data is read from the standard input.
+"\-", then the zone data is read from the standard input\&.
 .RE
 .PP
 \-K \fIdirectory\fR
 .RS 4
-Sets the directory in which the key files are to reside.
+Sets the directory in which the key files are to reside\&.
 .RE
 .PP
 \-L \fIttl\fR
 .RS 4
-Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence. Setting the default TTL to
+Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. Setting the default TTL to
 0
 or
 none
-removes it.
+removes it\&.
 .RE
 .PP
 \-h
 .RS 4
-Emit usage message and exit.
+Emit usage message and exit\&.
 .RE
 .PP
 \-v \fIlevel\fR
 .RS 4
-Sets the debugging level.
+Sets the debugging level\&.
 .RE
 .PP
 \-V
 .RS 4
-Prints version information.
+Prints version information\&.
 .RE
 .SH "TIMING OPTIONS"
 .PP
-Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds. To explicitly prevent a date from being set, use 'none' or 'never'.
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argument begins with a \*(Aq+\*(Aq or \*(Aq\-\*(Aq, it is interpreted as an offset from the present time\&. For convenience, if such an offset is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively\&. Without a suffix, the offset is computed in seconds\&. To explicitly prevent a date from being set, use \*(Aqnone\*(Aq or \*(Aqnever\*(Aq\&.
 .PP
 \-P \fIdate/offset\fR
 .RS 4
-Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it.
+Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&.
 .RE
 .PP
 \-D \fIdate/offset\fR
 .RS 4
-Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
+Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.)
 .RE
 .SH "FILES"
 .PP
 A keyfile can be designed by the key identification
-\fIKnnnn.+aaa+iiiii\fR
+Knnnn\&.+aaa+iiiii
 or the full file name
-\fIKnnnn.+aaa+iiiii.key\fR
+Knnnn\&.+aaa+iiiii\&.key
 as generated by
-dnssec\-keygen(8).
+dnssec\-keygen(8)\&.
 .SH "SEE ALSO"
 .PP
-\fBdnssec\-keygen\fR(8),
-\fBdnssec\-signzone\fR(8),
+\fBdnssec-keygen\fR(8),
+\fBdnssec-signzone\fR(8),
 BIND 9 Administrator Reference Manual,
-RFC 5011.
+RFC 5011\&.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
+\fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
-Copyright \(co 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
 .br
+Copyright \(co 2013-2015 Internet Systems Consortium, Inc. ("ISC")
+.br
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.8	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.8	Thu May 26 16:49:55 2016 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: dnssec-keyfromlabel.8,v 1.9 2014/12/10 04:37:51 christos Exp $
+.\"	$NetBSD: dnssec-keyfromlabel.8,v 1.10 2016/05/26 16:49:55 christos Exp $
 .\"
-.\" Copyright (C) 2008-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,252 +14,292 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" Id
-.\"
 .hy 0
 .ad l
-.\"     Title: dnssec\-keyfromlabel
+'\" t
+.\"     Title: dnssec-keyfromlabel
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: February 27, 2014
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2014-02-27
 .\"    Manual: BIND9
-.\"    Source: BIND9
+.\"    Source: ISC
+.\"  Language: English
 .\"
-.TH "DNSSEC\-KEYFROMLABEL" "8" "February 27, 2014" "BIND9" "BIND9"
+.TH "DNSSEC\-KEYFROMLABEL" "8" "2014\-02\-27" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
 .SH "NAME"
-dnssec\-keyfromlabel \- DNSSEC key generation tool
+dnssec-keyfromlabel \- DNSSEC key generation tool
 .SH "SYNOPSIS"
-.HP 20
+.HP \w'\fBdnssec\-keyfromlabel\fR\ 'u
 \fBdnssec\-keyfromlabel\fR {\-l\ \fIlabel\fR} [\fB\-3\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-y\fR] {name}
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-keyfromlabel\fR
-generates a key pair of files that referencing a key object stored in a cryptographic hardware service module (HSM). The private key file can be used for DNSSEC signing of zone data as if it were a conventional signing key created by
-\fBdnssec\-keygen\fR, but the key material is stored within the HSM, and the actual signing takes place there.
+generates a key pair of files that referencing a key object stored in a cryptographic hardware service module (HSM)\&. The private key file can be used for DNSSEC signing of zone data as if it were a conventional signing key created by
+\fBdnssec\-keygen\fR, but the key material is stored within the HSM, and the actual signing takes place there\&.
 .PP
 The
 \fBname\fR
-of the key is specified on the command line. This must match the name of the zone for which the key is being generated.
+of the key is specified on the command line\&. This must match the name of the zone for which the key is being generated\&.
 .SH "OPTIONS"
 .PP
 \-a \fIalgorithm\fR
 .RS 4
-Selects the cryptographic algorithm. The value of
+Selects the cryptographic algorithm\&. The value of
 \fBalgorithm\fR
-must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. These values are case insensitive.
+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384\&. These values are case insensitive\&.
 .sp
 If no algorithm is specified, then RSASHA1 will be used by default, unless the
 \fB\-3\fR
-option is specified, in which case NSEC3RSASHA1 will be used instead. (If
+option is specified, in which case NSEC3RSASHA1 will be used instead\&. (If
 \fB\-3\fR
-is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3.)
+is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3\&.)
 .sp
-Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended.
+Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended\&.
 .sp
-Note 2: DH automatically sets the \-k flag.
+Note 2: DH automatically sets the \-k flag\&.
 .RE
 .PP
 \-3
 .RS 4
-Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default.
+Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default\&.
 .RE
 .PP
 \-E \fIengine\fR
 .RS 4
-Specifies the cryptographic hardware to use.
+Specifies the cryptographic hardware to use\&.
 .sp
-When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11".
+When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module\&. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11"\&.
 .RE
 .PP
 \-l \fIlabel\fR
 .RS 4
-Specifies the label for a key pair in the crypto hardware.
+Specifies the label for a key pair in the crypto hardware\&.
 .sp
 When
 BIND
-9 is built with OpenSSL\-based PKCS#11 support, the label is an arbitrary string that identifies a particular key. It may be preceded by an optional OpenSSL engine name, followed by a colon, as in "pkcs11:\fIkeylabel\fR".
+9 is built with OpenSSL\-based PKCS#11 support, the label is an arbitrary string that identifies a particular key\&. It may be preceded by an optional OpenSSL engine name, followed by a colon, as in "pkcs11:\fIkeylabel\fR"\&.
 .sp
 When
 BIND
-9 is built with native PKCS#11 support, the label is a PKCS#11 URI string in the format "pkcs11:\fBkeyword\fR=\fIvalue\fR[;\fBkeyword\fR=\fIvalue\fR;...]" Keywords include "token", which identifies the HSM; "object", which identifies the key; and "pin\-source", which identifies a file from which the HSM's PIN code can be obtained. The label will be stored in the on\-disk "private" file.
+9 is built with native PKCS#11 support, the label is a PKCS#11 URI string in the format "pkcs11:\fBkeyword\fR=\fIvalue\fR[;\fBkeyword\fR=\fIvalue\fR;\&.\&.\&.]" Keywords include "token", which identifies the HSM; "object", which identifies the key; and "pin\-source", which identifies a file from which the HSM\*(Aqs PIN code can be obtained\&. The label will be stored in the on\-disk "private" file\&.
 .sp
 If the label contains a
 \fBpin\-source\fR
-field, tools using the generated key files will be able to use the HSM for signing and other operations without any need for an operator to manually enter a PIN. Note: Making the HSM's PIN accessible in this manner may reduce the security advantage of using an HSM; be sure this is what you want to do before making use of this feature.
+field, tools using the generated key files will be able to use the HSM for signing and other operations without any need for an operator to manually enter a PIN\&. Note: Making the HSM\*(Aqs PIN accessible in this manner may reduce the security advantage of using an HSM; be sure this is what you want to do before making use of this feature\&.
 .RE
 .PP
 \-n \fInametype\fR
 .RS 4
-Specifies the owner type of the key. The value of
+Specifies the owner type of the key\&. The value of
 \fBnametype\fR
-must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive.
+must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&.
 .RE
 .PP
 \-C
 .RS 4
-Compatibility mode: generates an old\-style key, without any metadata. By default,
+Compatibility mode: generates an old\-style key, without any metadata\&. By default,
 \fBdnssec\-keyfromlabel\fR
-will include the key's creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the
+will include the key\*(Aqs creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc)\&. Keys that include this data may be incompatible with older versions of BIND; the
 \fB\-C\fR
-option suppresses them.
+option suppresses them\&.
 .RE
 .PP
 \-c \fIclass\fR
 .RS 4
-Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
+Indicates that the DNS record containing the key should have the specified class\&. If not specified, class IN is used\&.
 .RE
 .PP
 \-f \fIflag\fR
 .RS 4
-Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE.
+Set the specified flag in the flag field of the KEY/DNSKEY record\&. The only recognized flags are KSK (Key Signing Key) and REVOKE\&.
 .RE
 .PP
 \-G
 .RS 4
-Generate a key, but do not publish it or sign with it. This option is incompatible with \-P and \-A.
+Generate a key, but do not publish it or sign with it\&. This option is incompatible with \-P and \-A\&.
 .RE
 .PP
 \-h
 .RS 4
 Prints a short summary of the options and arguments to
-\fBdnssec\-keyfromlabel\fR.
+\fBdnssec\-keyfromlabel\fR\&.
 .RE
 .PP
 \-K \fIdirectory\fR
 .RS 4
-Sets the directory in which the key files are to be written.
+Sets the directory in which the key files are to be written\&.
 .RE
 .PP
 \-k
 .RS 4
-Generate KEY records rather than DNSKEY records.
+Generate KEY records rather than DNSKEY records\&.
 .RE
 .PP
 \-L \fIttl\fR
 .RS 4
-Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence. Setting the default TTL to
+Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. Setting the default TTL to
 0
 or
 none
-removes it.
+removes it\&.
 .RE
 .PP
 \-p \fIprotocol\fR
 .RS 4
-Sets the protocol value for the key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
+Sets the protocol value for the key\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&.
 .RE
 .PP
 \-S \fIkey\fR
 .RS 4
-Generate a key as an explicit successor to an existing key. The name, algorithm, size, and type of the key will be set to match the predecessor. The activation date of the new key will be set to the inactivation date of the existing one. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days.
+Generate a key as an explicit successor to an existing key\&. The name, algorithm, size, and type of the key will be set to match the predecessor\&. The activation date of the new key will be set to the inactivation date of the existing one\&. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days\&.
 .RE
 .PP
 \-t \fItype\fR
 .RS 4
-Indicates the use of the key.
+Indicates the use of the key\&.
 \fBtype\fR
-must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data.
+must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF\&. The default is AUTHCONF\&. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data\&.
 .RE
 .PP
 \-v \fIlevel\fR
 .RS 4
-Sets the debugging level.
+Sets the debugging level\&.
 .RE
 .PP
 \-V
 .RS 4
-Prints version information.
+Prints version information\&.
 .RE
 .PP
 \-y
 .RS 4
-Allows DNSSEC key files to be generated even if the key ID would collide with that of an existing key, in the event of either key being revoked. (This is only safe to use if you are sure you won't be using RFC 5011 trust anchor maintenance with either of the keys involved.)
+Allows DNSSEC key files to be generated even if the key ID would collide with that of an existing key, in the event of either key being revoked\&. (This is only safe to use if you are sure you won\*(Aqt be using RFC 5011 trust anchor maintenance with either of the keys involved\&.)
 .RE
 .SH "TIMING OPTIONS"
 .PP
-Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds. To explicitly prevent a date from being set, use 'none' or 'never'.
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argument begins with a \*(Aq+\*(Aq or \*(Aq\-\*(Aq, it is interpreted as an offset from the present time\&. For convenience, if such an offset is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively\&. Without a suffix, the offset is computed in seconds\&. To explicitly prevent a date from being set, use \*(Aqnone\*(Aq or \*(Aqnever\*(Aq\&.
 .PP
 \-P \fIdate/offset\fR
 .RS 4
-Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it. If not set, and if the \-G option has not been used, the default is "now".
+Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&.
 .RE
 .PP
 \-A \fIdate/offset\fR
 .RS 4
-Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it. If not set, and if the \-G option has not been used, the default is "now".
+Sets the date on which the key is to be activated\&. After that date, the key will be included in the zone and used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&.
 .RE
 .PP
 \-R \fIdate/offset\fR
 .RS 4
-Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
+Sets the date on which the key is to be revoked\&. After that date, the key will be flagged as revoked\&. It will be included in the zone and will be used to sign it\&.
 .RE
 .PP
 \-I \fIdate/offset\fR
 .RS 4
-Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.
+Sets the date on which the key is to be retired\&. After that date, the key will still be included in the zone, but it will not be used to sign it\&.
 .RE
 .PP
 \-D \fIdate/offset\fR
 .RS 4
-Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
+Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.)
 .RE
 .PP
 \-i \fIinterval\fR
 .RS 4
-Sets the prepublication interval for a key. If set, then the publication and activation dates must be separated by at least this much time. If the activation date is specified but the publication date isn't, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn't, then activation will be set to this much time after publication.
+Sets the prepublication interval for a key\&. If set, then the publication and activation dates must be separated by at least this much time\&. If the activation date is specified but the publication date isn\*(Aqt, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn\*(Aqt, then activation will be set to this much time after publication\&.
 .sp
-If the key is being created as an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero.
+If the key is being created as an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero\&.
 .sp
-As with date offsets, if the argument is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is measured in years, months, weeks, days, hours, or minutes, respectively. Without a suffix, the interval is measured in seconds.
+As with date offsets, if the argument is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the interval is measured in years, months, weeks, days, hours, or minutes, respectively\&. Without a suffix, the interval is measured in seconds\&.
 .RE
 .SH "GENERATED KEY FILES"
 .PP
 When
 \fBdnssec\-keyfromlabel\fR
 completes successfully, it prints a string of the form
-\fIKnnnn.+aaa+iiiii\fR
-to the standard output. This is an identification string for the key files it has generated.
-.TP 4
-\(bu
-\fInnnn\fR
-is the key name.
-.TP 4
-\(bu
-\fIaaa\fR
-is the numeric representation of the algorithm.
-.TP 4
-\(bu
-\fIiiiii\fR
-is the key identifier (or footprint).
+Knnnn\&.+aaa+iiiii
+to the standard output\&. This is an identification string for the key files it has generated\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+nnnn
+is the key name\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+aaa
+is the numeric representation of the algorithm\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+iiiii
+is the key identifier (or footprint)\&.
+.RE
 .PP
 \fBdnssec\-keyfromlabel\fR
-creates two files, with names based on the printed string.
-\fIKnnnn.+aaa+iiiii.key\fR
+creates two files, with names based on the printed string\&.
+Knnnn\&.+aaa+iiiii\&.key
 contains the public key, and
-\fIKnnnn.+aaa+iiiii.private\fR
-contains the private key.
+Knnnn\&.+aaa+iiiii\&.private
+contains the private key\&.
 .PP
 The
-\fI.key\fR
-file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement).
+\&.key
+file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement)\&.
 .PP
 The
-\fI.private\fR
-file contains algorithm\-specific fields. For obvious security reasons, this file does not have general read permission.
+\&.private
+file contains algorithm\-specific fields\&. For obvious security reasons, this file does not have general read permission\&.
 .SH "SEE ALSO"
 .PP
-\fBdnssec\-keygen\fR(8),
-\fBdnssec\-signzone\fR(8),
+\fBdnssec-keygen\fR(8),
+\fBdnssec-signzone\fR(8),
 BIND 9 Administrator Reference Manual,
 RFC 4034,
-The PKCS#11 URI Scheme (draft\-pechanec\-pkcs11uri\-13).
+The PKCS#11 URI Scheme (draft\-pechanec\-pkcs11uri\-13)\&.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
+\fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
-Copyright \(co 2008\-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
 .br
+Copyright \(co 2008-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+.br
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.8	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.8	Thu May 26 16:49:55 2016 +0000
@@ -1,4 +1,4 @@
-.\"	$NetBSD: dnssec-keygen.8,v 1.9 2015/07/08 17:28:55 christos Exp $
+.\"	$NetBSD: dnssec-keygen.8,v 1.10 2016/05/26 16:49:55 christos Exp $
 .\"
 .\" Copyright (C) 2004, 2005, 2007-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
@@ -15,303 +15,343 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" Id
-.\"
 .hy 0
 .ad l
-.\"     Title: dnssec\-keygen
+'\" t
+.\"     Title: dnssec-keygen
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: February 06, 2014
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2014-02-06
 .\"    Manual: BIND9
-.\"    Source: BIND9
+.\"    Source: ISC
+.\"  Language: English
 .\"
-.TH "DNSSEC\-KEYGEN" "8" "February 06, 2014" "BIND9" "BIND9"
+.TH "DNSSEC\-KEYGEN" "8" "2014\-02\-06" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
 .SH "NAME"
-dnssec\-keygen \- DNSSEC key generation tool
+dnssec-keygen \- DNSSEC key generation tool
 .SH "SYNOPSIS"
-.HP 14
+.HP \w'\fBdnssec\-keygen\fR\ 'u
 \fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-k\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-z\fR] {name}
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-keygen\fR
-generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY (Transaction Key) as defined in RFC 2930.
+generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034\&. It can also generate keys for use with TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY (Transaction Key) as defined in RFC 2930\&.
 .PP
 The
 \fBname\fR
-of the key is specified on the command line. For DNSSEC keys, this must match the name of the zone for which the key is being generated.
+of the key is specified on the command line\&. For DNSSEC keys, this must match the name of the zone for which the key is being generated\&.
 .SH "OPTIONS"
 .PP
 \-a \fIalgorithm\fR
 .RS 4
-Selects the cryptographic algorithm. For DNSSEC keys, the value of
+Selects the cryptographic algorithm\&. For DNSSEC keys, the value of
 \fBalgorithm\fR
-must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive.
+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384\&. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512\&. These values are case insensitive\&.
 .sp
 If no algorithm is specified, then RSASHA1 will be used by default, unless the
 \fB\-3\fR
-option is specified, in which case NSEC3RSASHA1 will be used instead. (If
+option is specified, in which case NSEC3RSASHA1 will be used instead\&. (If
 \fB\-3\fR
-is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3.)
+is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3\&.)
 .sp
-Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC\-MD5 is mandatory.
+Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended\&. For TSIG, HMAC\-MD5 is mandatory\&.
 .sp
-Note 2: DH, HMAC\-MD5, and HMAC\-SHA1 through HMAC\-SHA512 automatically set the \-T KEY option.
+Note 2: DH, HMAC\-MD5, and HMAC\-SHA1 through HMAC\-SHA512 automatically set the \-T KEY option\&.
 .RE
 .PP
 \-b \fIkeysize\fR
 .RS 4
-Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits. Elliptic curve algorithms don't need this parameter.
+Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 512 and 2048 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. DSA keys must be between 512 and 1024 bits and an exact multiple of 64\&. HMAC keys must be between 1 and 512 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
 .sp
-The key size does not need to be specified if using a default algorithm. The default key size is 1024 bits for zone signing keys (ZSK's) and 2048 bits for key signing keys (KSK's, generated with
-\fB\-f KSK\fR). However, if an algorithm is explicitly specified with the
+The key size does not need to be specified if using a default algorithm\&. The default key size is 1024 bits for zone signing keys (ZSK\*(Aqs) and 2048 bits for key signing keys (KSK\*(Aqs, generated with
+\fB\-f KSK\fR)\&. However, if an algorithm is explicitly specified with the
 \fB\-a\fR, then there is no default key size, and the
 \fB\-b\fR
-must be used.
+must be used\&.
 .RE
 .PP
 \-n \fInametype\fR
 .RS 4
-Specifies the owner type of the key. The value of
+Specifies the owner type of the key\&. The value of
 \fBnametype\fR
-must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive. Defaults to ZONE for DNSKEY generation.
+must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&. Defaults to ZONE for DNSKEY generation\&.
 .RE
 .PP
 \-3
 .RS 4
-Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 and ECDSAP384SHA384 algorithms are NSEC3\-capable.
+Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default\&. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 and ECDSAP384SHA384 algorithms are NSEC3\-capable\&.
 .RE
 .PP
 \-C
 .RS 4
-Compatibility mode: generates an old\-style key, without any metadata. By default,
+Compatibility mode: generates an old\-style key, without any metadata\&. By default,
 \fBdnssec\-keygen\fR
-will include the key's creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the
+will include the key\*(Aqs creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc)\&. Keys that include this data may be incompatible with older versions of BIND; the
 \fB\-C\fR
-option suppresses them.
+option suppresses them\&.
 .RE
 .PP
 \-c \fIclass\fR
 .RS 4
-Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
+Indicates that the DNS record containing the key should have the specified class\&. If not specified, class IN is used\&.
 .RE
 .PP
 \-E \fIengine\fR
 .RS 4
-Specifies the cryptographic hardware to use, when applicable.
+Specifies the cryptographic hardware to use, when applicable\&.
 .sp
-When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11".
+When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module\&. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11"\&.
 .RE
 .PP
 \-f \fIflag\fR
 .RS 4
-Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE.
+Set the specified flag in the flag field of the KEY/DNSKEY record\&. The only recognized flags are KSK (Key Signing Key) and REVOKE\&.
 .RE
 .PP
 \-G
 .RS 4
-Generate a key, but do not publish it or sign with it. This option is incompatible with \-P and \-A.
+Generate a key, but do not publish it or sign with it\&. This option is incompatible with \-P and \-A\&.
 .RE
 .PP
 \-g \fIgenerator\fR
 .RS 4
-If generating a Diffie Hellman key, use this generator. Allowed values are 2 and 5. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2.
+If generating a Diffie Hellman key, use this generator\&. Allowed values are 2 and 5\&. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2\&.
 .RE
 .PP
 \-h
 .RS 4
 Prints a short summary of the options and arguments to
-\fBdnssec\-keygen\fR.
+\fBdnssec\-keygen\fR\&.
 .RE
 .PP
 \-K \fIdirectory\fR
 .RS 4
-Sets the directory in which the key files are to be written.
+Sets the directory in which the key files are to be written\&.
 .RE
 .PP
 \-k
 .RS 4
-Deprecated in favor of \-T KEY.
+Deprecated in favor of \-T KEY\&.
 .RE
 .PP
 \-L \fIttl\fR
 .RS 4
-Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL. Setting the default TTL to
+Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL\&. Setting the default TTL to
 0
 or
 none
-is the same as leaving it unset.
+is the same as leaving it unset\&.
 .RE
 .PP
 \-p \fIprotocol\fR
 .RS 4
-Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
+Sets the protocol value for the generated key\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&.
 .RE
 .PP
 \-q
 .RS 4
-Quiet mode: Suppresses unnecessary output, including progress indication. Without this option, when
+Quiet mode: Suppresses unnecessary output, including progress indication\&. Without this option, when
 \fBdnssec\-keygen\fR
 is run interactively to generate an RSA or DSA key pair, it will print a string of symbols to
-\fIstderr\fR
-indicating the progress of the key generation. A '.' indicates that a random number has been found which passed an initial sieve test; '+' means a number has passed a single round of the Miller\-Rabin primality test; a space means that the number has passed all the tests and is a satisfactory key.
+stderr
+indicating the progress of the key generation\&. A \*(Aq\&.\*(Aq indicates that a random number has been found which passed an initial sieve test; \*(Aq+\*(Aq means a number has passed a single round of the Miller\-Rabin primality test; a space means that the number has passed all the tests and is a satisfactory key\&.
 .RE
 .PP
 \-r \fIrandomdev\fR
 .RS 4
-Specifies the source of randomness. If the operating system does not provide a
-\fI/dev/random\fR
-or equivalent device, the default source of randomness is keyboard input.
-\fIrandomdev\fR
-specifies the name of a character device or file containing random data to be used instead of the default. The special value
-\fIkeyboard\fR
-indicates that keyboard input should be used.
+Specifies the source of randomness\&. If the operating system does not provide a
+/dev/random
+or equivalent device, the default source of randomness is keyboard input\&.
+randomdev
+specifies the name of a character device or file containing random data to be used instead of the default\&. The special value
+keyboard
+indicates that keyboard input should be used\&.
 .RE
 .PP
 \-S \fIkey\fR
 .RS 4
-Create a new key which is an explicit successor to an existing key. The name, algorithm, size, and type of the key will be set to match the existing key. The activation date of the new key will be set to the inactivation date of the existing one. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days.
+Create a new key which is an explicit successor to an existing key\&. The name, algorithm, size, and type of the key will be set to match the existing key\&. The activation date of the new key will be set to the inactivation date of the existing one\&. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days\&.
 .RE
 .PP
 \-s \fIstrength\fR
 .RS 4
-Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC.
+Specifies the strength value of the key\&. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC\&.
 .RE
 .PP
 \-T \fIrrtype\fR
 .RS 4
-Specifies the resource record type to use for the key.
+Specifies the resource record type to use for the key\&.
 \fBrrtype\fR
-must be either DNSKEY or KEY. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0).
-Using any TSIG algorithm (HMAC\-* or DH) forces this option to KEY.
+must be either DNSKEY or KEY\&. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0)\&.
+Using any TSIG algorithm (HMAC\-* or DH) forces this option to KEY\&.
 .RE
 .PP
 \-t \fItype\fR
 .RS 4
-Indicates the use of the key.
+Indicates the use of the key\&.
 \fBtype\fR
-must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data.
+must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF\&. The default is AUTHCONF\&. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data\&.
 .RE
 .PP
 \-v \fIlevel\fR
 .RS 4
-Sets the debugging level.
+Sets the debugging level\&.
 .RE
 .PP
 \-V
 .RS 4
-Prints version information.
+Prints version information\&.
 .RE
 .SH "TIMING OPTIONS"
 .PP
-Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds. To explicitly prevent a date from being set, use 'none' or 'never'.
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argument begins with a \*(Aq+\*(Aq or \*(Aq\-\*(Aq, it is interpreted as an offset from the present time\&. For convenience, if such an offset is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively\&. Without a suffix, the offset is computed in seconds\&. To explicitly prevent a date from being set, use \*(Aqnone\*(Aq or \*(Aqnever\*(Aq\&.
 .PP
 \-P \fIdate/offset\fR
 .RS 4
-Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it. If not set, and if the \-G option has not been used, the default is "now".
+Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&.
 .RE
 .PP
 \-A \fIdate/offset\fR
 .RS 4
-Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it. If not set, and if the \-G option has not been used, the default is "now". If set, if and \-P is not set, then the publication date will be set to the activation date minus the prepublication interval.
+Sets the date on which the key is to be activated\&. After that date, the key will be included in the zone and used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&. If set, if and \-P is not set, then the publication date will be set to the activation date minus the prepublication interval\&.
 .RE
 .PP
 \-R \fIdate/offset\fR
 .RS 4
-Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
+Sets the date on which the key is to be revoked\&. After that date, the key will be flagged as revoked\&. It will be included in the zone and will be used to sign it\&.
 .RE
 .PP
 \-I \fIdate/offset\fR
 .RS 4
-Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.
+Sets the date on which the key is to be retired\&. After that date, the key will still be included in the zone, but it will not be used to sign it\&.
 .RE
 .PP
 \-D \fIdate/offset\fR
 .RS 4
-Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
+Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.)
 .RE
 .PP
 \-i \fIinterval\fR
 .RS 4
-Sets the prepublication interval for a key. If set, then the publication and activation dates must be separated by at least this much time. If the activation date is specified but the publication date isn't, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn't, then activation will be set to this much time after publication.
+Sets the prepublication interval for a key\&. If set, then the publication and activation dates must be separated by at least this much time\&. If the activation date is specified but the publication date isn\*(Aqt, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn\*(Aqt, then activation will be set to this much time after publication\&.
 .sp
-If the key is being created as an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero.
+If the key is being created as an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero\&.
 .sp
-As with date offsets, if the argument is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is measured in years, months, weeks, days, hours, or minutes, respectively. Without a suffix, the interval is measured in seconds.
+As with date offsets, if the argument is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the interval is measured in years, months, weeks, days, hours, or minutes, respectively\&. Without a suffix, the interval is measured in seconds\&.
 .RE
 .SH "GENERATED KEYS"
 .PP
 When
 \fBdnssec\-keygen\fR
 completes successfully, it prints a string of the form
-\fIKnnnn.+aaa+iiiii\fR
-to the standard output. This is an identification string for the key it has generated.
-.TP 4
-\(bu
-\fInnnn\fR
-is the key name.
-.TP 4
-\(bu
-\fIaaa\fR
-is the numeric representation of the algorithm.
-.TP 4
-\(bu
-\fIiiiii\fR
-is the key identifier (or footprint).
+Knnnn\&.+aaa+iiiii
+to the standard output\&. This is an identification string for the key it has generated\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+nnnn
+is the key name\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+aaa
+is the numeric representation of the algorithm\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+iiiii
+is the key identifier (or footprint)\&.
+.RE
 .PP
 \fBdnssec\-keygen\fR
-creates two files, with names based on the printed string.
-\fIKnnnn.+aaa+iiiii.key\fR
+creates two files, with names based on the printed string\&.
+Knnnn\&.+aaa+iiiii\&.key
 contains the public key, and
-\fIKnnnn.+aaa+iiiii.private\fR
-contains the private key.
+Knnnn\&.+aaa+iiiii\&.private
+contains the private key\&.
 .PP
 The
-\fI.key\fR
-file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement).
+\&.key
+file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement)\&.
 .PP
 The
-\fI.private\fR
-file contains algorithm\-specific fields. For obvious security reasons, this file does not have general read permission.
+\&.private
+file contains algorithm\-specific fields\&. For obvious security reasons, this file does not have general read permission\&.
 .PP
 Both
-\fI.key\fR
+\&.key
 and
-\fI.private\fR
-files are generated for symmetric encryption algorithms such as HMAC\-MD5, even though the public and private key are equivalent.
+\&.private
+files are generated for symmetric encryption algorithms such as HMAC\-MD5, even though the public and private key are equivalent\&.
 .SH "EXAMPLE"
 .PP
 To generate a 768\-bit DSA key for the domain
-\fBexample.com\fR, the following command would be issued:
+\fBexample\&.com\fR, the following command would be issued:
 .PP
-\fBdnssec\-keygen \-a DSA \-b 768 \-n ZONE example.com\fR
+\fBdnssec\-keygen \-a DSA \-b 768 \-n ZONE example\&.com\fR
 .PP
 The command would print a string of the form:
 .PP
-\fBKexample.com.+003+26160\fR
+\fBKexample\&.com\&.+003+26160\fR
 .PP
 In this example,
 \fBdnssec\-keygen\fR
 creates the files
-\fIKexample.com.+003+26160.key\fR
+Kexample\&.com\&.+003+26160\&.key
 and
-\fIKexample.com.+003+26160.private\fR.
+Kexample\&.com\&.+003+26160\&.private\&.
 .SH "SEE ALSO"
 .PP
-\fBdnssec\-signzone\fR(8),
+\fBdnssec-signzone\fR(8),
 BIND 9 Administrator Reference Manual,
 RFC 2539,
 RFC 2845,
-RFC 4034.
+RFC 4034\&.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
+\fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007\-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2004, 2005, 2007-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 .br
-Copyright \(co 2000\-2003 Internet Software Consortium.
+Copyright \(co 2000-2003 Internet Software Consortium.
 .br
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-revoke.8	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-revoke.8	Thu May 26 16:49:55 2016 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: dnssec-revoke.8,v 1.6 2014/12/10 04:37:51 christos Exp $
+.\"	$NetBSD: dnssec-revoke.8,v 1.7 2016/05/26 16:49:55 christos Exp $
 .\"
-.\" Copyright (C) 2009, 2011, 2014 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2011, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,84 +14,100 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" Id
-.\"
 .hy 0
 .ad l
-.\"     Title: dnssec\-revoke
+'\" t
+.\"     Title: dnssec-revoke
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: January 15, 2014
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2014-01-15
 .\"    Manual: BIND9
-.\"    Source: BIND9
+.\"    Source: ISC
+.\"  Language: English
 .\"
-.TH "DNSSEC\-REVOKE" "8" "January 15, 2014" "BIND9" "BIND9"
+.TH "DNSSEC\-REVOKE" "8" "2014\-01\-15" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
 .SH "NAME"
-dnssec\-revoke \- Set the REVOKED bit on a DNSSEC key
+dnssec-revoke \- set the REVOKED bit on a DNSSEC key
 .SH "SYNOPSIS"
-.HP 14
+.HP \w'\fBdnssec\-revoke\fR\ 'u
 \fBdnssec\-revoke\fR [\fB\-hr\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\fR] [\fB\-R\fR] {keyfile}
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-revoke\fR
-reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the now\-revoked key.
+reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the now\-revoked key\&.
 .SH "OPTIONS"
 .PP
 \-h
 .RS 4
-Emit usage message and exit.
+Emit usage message and exit\&.
 .RE
 .PP
 \-K \fIdirectory\fR
 .RS 4
-Sets the directory in which the key files are to reside.
+Sets the directory in which the key files are to reside\&.
 .RE
 .PP
 \-r
 .RS 4
-After writing the new keyset files remove the original keyset files.
+After writing the new keyset files remove the original keyset files\&.
 .RE
 .PP
 \-v \fIlevel\fR
 .RS 4
-Sets the debugging level.
+Sets the debugging level\&.
 .RE
 .PP
 \-V
 .RS 4
-Prints version information.
+Prints version information\&.
 .RE
 .PP
 \-E \fIengine\fR
 .RS 4
-Specifies the cryptographic hardware to use, when applicable.
+Specifies the cryptographic hardware to use, when applicable\&.
 .sp
-When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11".
+When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module\&. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11"\&.
 .RE
 .PP
 \-f
 .RS 4
 Force overwrite: Causes
 \fBdnssec\-revoke\fR
-to write the new key pair even if a file already exists matching the algorithm and key ID of the revoked key.
+to write the new key pair even if a file already exists matching the algorithm and key ID of the revoked key\&.
 .RE
 .PP
 \-R
 .RS 4
-Print the key tag of the key with the REVOKE bit set but do not revoke the key.
+Print the key tag of the key with the REVOKE bit set but do not revoke the key\&.
 .RE
 .SH "SEE ALSO"
 .PP
-\fBdnssec\-keygen\fR(8),
+\fBdnssec-keygen\fR(8),
 BIND 9 Administrator Reference Manual,
-RFC 5011.
+RFC 5011\&.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
+\fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
-Copyright \(co 2009, 2011, 2014 Internet Systems Consortium, Inc. ("ISC")
 .br
+Copyright \(co 2009, 2011, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+.br
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-revoke.c	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-revoke.c	Thu May 26 16:49:55 2016 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dnssec-revoke.c,v 1.9 2015/12/17 04:00:41 christos Exp $	*/
+/*	$NetBSD: dnssec-revoke.c,v 1.10 2016/05/26 16:49:55 christos Exp $	*/
 
 /*
  * Copyright (C) 2009-2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
@@ -88,7 +88,8 @@
 #else
 	const char *engine = NULL;
 #endif
-	char *filename = NULL, *dir = NULL;
+	char const *filename = NULL;
+	char *dir = NULL;
 	char newname[1024], oldname[1024];
 	char keystr[DST_KEY_FORMATSIZE];
 	char *endp;
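Review bot: The new declaration `char const *filename = NULL;` puts the qualifier after the type, while the declaration just above it in the same block is written `const char *engine = NULL;`. Writing it as `const char *filename = NULL;` would keep the two pointer-to-const declarations consistent. The added qualifier looks appropriate if `filename` is only ever pointed at an argument string and never written through, but the enclosing function starts and ends outside the hunk, so that cannot be confirmed here. Because the file sits under `dist/`, keep the current spelling if it matches the imported upstream source, so that later merges stay clean.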
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-settime.8	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-settime.8	Thu May 26 16:49:55 2016 +0000
@@ -1,4 +1,4 @@
-.\"	$NetBSD: dnssec-settime.8,v 1.8 2015/07/08 17:28:55 christos Exp $
+.\"	$NetBSD: dnssec-settime.8,v 1.9 2016/05/26 16:49:55 christos Exp $
 .\"
 .\" Copyright (C) 2009-2011, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 .\" 
@@ -14,26 +14,41 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" Id
-.\"
 .hy 0
 .ad l
-.\"     Title: dnssec\-settime
+'\" t
+.\"     Title: dnssec-settime
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: February 06, 2014
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2014-02-06
 .\"    Manual: BIND9
-.\"    Source: BIND9
+.\"    Source: ISC
+.\"  Language: English
 .\"
-.TH "DNSSEC\-SETTIME" "8" "February 06, 2014" "BIND9" "BIND9"
+.TH "DNSSEC\-SETTIME" "8" "2014\-02\-06" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
 .SH "NAME"
-dnssec\-settime \- Set the key timing metadata for a DNSSEC key
+dnssec-settime \- set the key timing metadata for a DNSSEC key
 .SH "SYNOPSIS"
-.HP 15
+.HP \w'\fBdnssec\-settime\fR\ 'u
 \fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
 .SH "DESCRIPTION"
 .PP
@@ -44,116 +59,116 @@
 \fB\-R\fR,
 \fB\-I\fR, and
 \fB\-D\fR
-options. The metadata can then be used by
+options\&. The metadata can then be used by
 \fBdnssec\-signzone\fR
-or other signing software to determine when a key is to be published, whether it should be used for signing a zone, etc.
+or other signing software to determine when a key is to be published, whether it should be used for signing a zone, etc\&.
 .PP
 If none of these options is set on the command line, then
 \fBdnssec\-settime\fR
-simply prints the key timing metadata already stored in the key.
+simply prints the key timing metadata already stored in the key\&.
 .PP
-When key metadata fields are changed, both files of a key pair (\fIKnnnn.+aaa+iiiii.key\fR
+When key metadata fields are changed, both files of a key pair (Knnnn\&.+aaa+iiiii\&.key
 and
-\fIKnnnn.+aaa+iiiii.private\fR) are regenerated. Metadata fields are stored in the private file. A human\-readable description of the metadata is also placed in comments in the key file. The private file's permissions are always set to be inaccessible to anyone other than the owner (mode 0600).
+Knnnn\&.+aaa+iiiii\&.private) are regenerated\&. Metadata fields are stored in the private file\&. A human\-readable description of the metadata is also placed in comments in the key file\&. The private file\*(Aqs permissions are always set to be inaccessible to anyone other than the owner (mode 0600)\&.
 .SH "OPTIONS"
 .PP
 \-f
 .RS 4
-Force an update of an old\-format key with no metadata fields. Without this option,
+Force an update of an old\-format key with no metadata fields\&. Without this option,
 \fBdnssec\-settime\fR
-will fail when attempting to update a legacy key. With this option, the key will be recreated in the new format, but with the original key data retained. The key's creation date will be set to the present time. If no other values are specified, then the key's publication and activation dates will also be set to the present time.
+will fail when attempting to update a legacy key\&. With this option, the key will be recreated in the new format, but with the original key data retained\&. The key\*(Aqs creation date will be set to the present time\&. If no other values are specified, then the key\*(Aqs publication and activation dates will also be set to the present time\&.
 .RE
 .PP
 \-K \fIdirectory\fR
 .RS 4
-Sets the directory in which the key files are to reside.
+Sets the directory in which the key files are to reside\&.
 .RE
 .PP
 \-L \fIttl\fR
 .RS 4
-Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL. Setting the default TTL to
+Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL\&. Setting the default TTL to
 0
 or
 none
-removes it from the key.
+removes it from the key\&.
 .RE
 .PP
 \-h
 .RS 4
-Emit usage message and exit.
+Emit usage message and exit\&.
 .RE
 .PP
 \-V
 .RS 4
-Prints version information.
+Prints version information\&.
 .RE
 .PP
 \-v \fIlevel\fR
 .RS 4
-Sets the debugging level.
+Sets the debugging level\&.
 .RE
 .PP
 \-E \fIengine\fR
 .RS 4
-Specifies the cryptographic hardware to use, when applicable.
+Specifies the cryptographic hardware to use, when applicable\&.
 .sp
-When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11".
+When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module\&. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11"\&.
 .RE
 .SH "TIMING OPTIONS"
 .PP
-Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds. To unset a date, use 'none' or 'never'.
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argument begins with a \*(Aq+\*(Aq or \*(Aq\-\*(Aq, it is interpreted as an offset from the present time\&. For convenience, if such an offset is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively\&. Without a suffix, the offset is computed in seconds\&. To unset a date, use \*(Aqnone\*(Aq or \*(Aqnever\*(Aq\&.
 .PP
 \-P \fIdate/offset\fR
 .RS 4
-Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it.
+Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&.
 .RE
 .PP
 \-A \fIdate/offset\fR
 .RS 4
-Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it.
+Sets the date on which the key is to be activated\&. After that date, the key will be included in the zone and used to sign it\&.
 .RE
 .PP
 \-R \fIdate/offset\fR
 .RS 4
-Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
+Sets the date on which the key is to be revoked\&. After that date, the key will be flagged as revoked\&. It will be included in the zone and will be used to sign it\&.
 .RE
 .PP
 \-I \fIdate/offset\fR
 .RS 4
-Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.
+Sets the date on which the key is to be retired\&. After that date, the key will still be included in the zone, but it will not be used to sign it\&.
 .RE
 .PP
 \-D \fIdate/offset\fR
 .RS 4
-Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
+Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.)
 .RE
 .PP
 \-S \fIpredecessor key\fR
 .RS 4
-Select a key for which the key being modified will be an explicit successor. The name, algorithm, size, and type of the predecessor key must exactly match those of the key being modified. The activation date of the successor key will be set to the inactivation date of the predecessor. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days.
+Select a key for which the key being modified will be an explicit successor\&. The name, algorithm, size, and type of the predecessor key must exactly match those of the key being modified\&. The activation date of the successor key will be set to the inactivation date of the predecessor\&. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days\&.
 .RE
 .PP
 \-i \fIinterval\fR
 .RS 4
-Sets the prepublication interval for a key. If set, then the publication and activation dates must be separated by at least this much time. If the activation date is specified but the publication date isn't, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn't, then activation will be set to this much time after publication.
+Sets the prepublication interval for a key\&. If set, then the publication and activation dates must be separated by at least this much time\&. If the activation date is specified but the publication date isn\*(Aqt, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn\*(Aqt, then activation will be set to this much time after publication\&.
 .sp
-If the key is being set to be an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero.
+If the key is being set to be an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero\&.
 .sp
-As with date offsets, if the argument is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is measured in years, months, weeks, days, hours, or minutes, respectively. Without a suffix, the interval is measured in seconds.
+As with date offsets, if the argument is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the interval is measured in years, months, weeks, days, hours, or minutes, respectively\&. Without a suffix, the interval is measured in seconds\&.
 .RE
 .SH "PRINTING OPTIONS"
 .PP
 \fBdnssec\-settime\fR
-can also be used to print the timing metadata associated with a key.
+can also be used to print the timing metadata associated with a key\&.
 .PP
 \-u
 .RS 4
-Print times in UNIX epoch format.
+Print times in UNIX epoch format\&.
 .RE
 .PP
 \-p \fIC/P/A/R/I/D/all\fR
 .RS 4
-Print a specific metadata value or set of metadata values. The
+Print a specific metadata value or set of metadata values\&. The
 \fB\-p\fR
 option may be followed by one or more of the following letters to indicate which value or values to print:
 \fBC\fR
@@ -167,18 +182,19 @@
 \fBI\fR
 for the inactivation date, or
 \fBD\fR
-for the deletion date. To print all of the metadata, use
-\fB\-p all\fR.
+for the deletion date\&. To print all of the metadata, use
+\fB\-p all\fR\&.
 .RE
 .SH "SEE ALSO"
 .PP
-\fBdnssec\-keygen\fR(8),
-\fBdnssec\-signzone\fR(8),
+\fBdnssec-keygen\fR(8),
+\fBdnssec-signzone\fR(8),
 BIND 9 Administrator Reference Manual,
-RFC 5011.
+RFC 5011\&.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
+\fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
-Copyright \(co 2009\-2011, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 .br
+Copyright \(co 2009-2011, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+.br
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-settime.c	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-settime.c	Thu May 26 16:49:55 2016 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dnssec-settime.c,v 1.13 2015/12/17 04:00:41 christos Exp $	*/
+/*	$NetBSD: dnssec-settime.c,v 1.14 2016/05/26 16:49:55 christos Exp $	*/
 
 /*
  * Copyright (C) 2009-2015  Internet Systems Consortium, Inc. ("ISC")
@@ -131,7 +131,8 @@
 #else
 	const char	*engine = NULL;
 #endif
-	char		*filename = NULL, *directory = NULL;
+	const char 	*filename = NULL;
+	char		*directory = NULL;
 	char		newname[1024];
 	char		keystr[DST_KEY_FORMATSIZE];
 	char		*endp, *p;
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-signzone.8	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-signzone.8	Thu May 26 16:49:55 2016 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: dnssec-signzone.8,v 1.8 2014/12/10 04:37:51 christos Exp $
+.\"	$NetBSD: dnssec-signzone.8,v 1.9 2016/05/26 16:49:55 christos Exp $
 .\"
-.\" Copyright (C) 2004-2009, 2011-2014 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2009, 2011-2015 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -15,454 +15,474 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" Id
-.\"
 .hy 0
 .ad l
-.\"     Title: dnssec\-signzone
+'\" t
+.\"     Title: dnssec-signzone
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: February 18, 2014
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2014-02-18
 .\"    Manual: BIND9
-.\"    Source: BIND9
+.\"    Source: ISC
+.\"  Language: English
 .\"
-.TH "DNSSEC\-SIGNZONE" "8" "February 18, 2014" "BIND9" "BIND9"
+.TH "DNSSEC\-SIGNZONE" "8" "2014\-02\-18" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
 .SH "NAME"
-dnssec\-signzone \- DNSSEC zone signing tool
+dnssec-signzone \- DNSSEC zone signing tool
 .SH "SYNOPSIS"
-.HP 16
+.HP \w'\fBdnssec\-signzone\fR\ 'u
 \fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-M\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-P\fR] [\fB\-p\fR] [\fB\-R\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-t\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-X\ \fR\fB\fIextended\ end\-time\fR\fR] [\fB\-x\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-signzone\fR
-signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a
-\fIkeyset\fR
-file for each child zone.
+signs a zone\&. It generates NSEC and RRSIG records and produces a signed version of the zone\&. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a
+keyset
+file for each child zone\&.
 .SH "OPTIONS"
 .PP
 \-a
 .RS 4
-Verify all generated signatures.
+Verify all generated signatures\&.
 .RE
 .PP
 \-c \fIclass\fR
 .RS 4
-Specifies the DNS class of the zone.
+Specifies the DNS class of the zone\&.
 .RE
 .PP
 \-C
 .RS 4
 Compatibility mode: Generate a
-\fIkeyset\-\fR\fI\fIzonename\fR\fR
+keyset\-\fIzonename\fR
 file in addition to
-\fIdsset\-\fR\fI\fIzonename\fR\fR
+dsset\-\fIzonename\fR
 when signing a zone, for use by older versions of
-\fBdnssec\-signzone\fR.
+\fBdnssec\-signzone\fR\&.
 .RE
 .PP
 \-d \fIdirectory\fR
 .RS 4
 Look for
-\fIdsset\-\fR
+dsset\-
 or
-\fIkeyset\-\fR
+keyset\-
 files in
-\fBdirectory\fR.
+\fBdirectory\fR\&.
 .RE
 .PP
 \-D
 .RS 4
 Output only those record types automatically managed by
-\fBdnssec\-signzone\fR, i.e. RRSIG, NSEC, NSEC3 and NSEC3PARAM records. If smart signing (\fB\-S\fR) is used, DNSKEY records are also included. The resulting file can be included in the original zone file with
-\fB$INCLUDE\fR. This option cannot be combined with
+\fBdnssec\-signzone\fR, i\&.e\&. RRSIG, NSEC, NSEC3 and NSEC3PARAM records\&. If smart signing (\fB\-S\fR) is used, DNSKEY records are also included\&. The resulting file can be included in the original zone file with
+\fB$INCLUDE\fR\&. This option cannot be combined with
 \fB\-O raw\fR,
-\fB\-O map\fR, or serial number updating.
+\fB\-O map\fR, or serial number updating\&.
 .RE
 .PP
 \-E \fIengine\fR
 .RS 4
-When applicable, specifies the hardware to use for cryptographic operations, such as a secure key store used for signing.
+When applicable, specifies the hardware to use for cryptographic operations, such as a secure key store used for signing\&.
 .sp
-When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11".
+When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module\&. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11"\&.
 .RE
 .PP
 \-g
 .RS 4
 Generate DS records for child zones from
-\fIdsset\-\fR
+dsset\-
 or
-\fIkeyset\-\fR
-file. Existing DS records will be removed.
+keyset\-
+file\&. Existing DS records will be removed\&.
 .RE
 .PP
 \-K \fIdirectory\fR
 .RS 4
-Key repository: Specify a directory to search for DNSSEC keys. If not specified, defaults to the current directory.
+Key repository: Specify a directory to search for DNSSEC keys\&. If not specified, defaults to the current directory\&.
 .RE
 .PP
 \-k \fIkey\fR
 .RS 4
-Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times.
+Treat specified key as a key signing key ignoring any key flags\&. This option may be specified multiple times\&.
 .RE
 .PP
 \-l \fIdomain\fR
 .RS 4
-Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.
+Generate a DLV set in addition to the key (DNSKEY) and DS sets\&. The domain is appended to the name of the records\&.
 .RE
 .PP
 \-M \fImaxttl\fR
 .RS 4
-Sets the maximum TTL for the signed zone. Any TTL higher than
+Sets the maximum TTL for the signed zone\&. Any TTL higher than
 \fImaxttl\fR
 in the input zone will be reduced to
 \fImaxttl\fR
-in the output. This provides certainty as to the largest possible TTL in the signed zone, which is useful to know when rolling keys because it is the longest possible time before signatures that have been retrieved by resolvers will expire from resolver caches. Zones that are signed with this option should be configured to use a matching
+in the output\&. This provides certainty as to the largest possible TTL in the signed zone, which is useful to know when rolling keys because it is the longest possible time before signatures that have been retrieved by resolvers will expire from resolver caches\&. Zones that are signed with this option should be configured to use a matching
 \fBmax\-zone\-ttl\fR
 in
-\fInamed.conf\fR. (Note: This option is incompatible with
-\fB\-D\fR, because it modifies non\-DNSSEC data in the output zone.)
+named\&.conf\&. (Note: This option is incompatible with
+\fB\-D\fR, because it modifies non\-DNSSEC data in the output zone\&.)
 .RE
 .PP
 \-s \fIstart\-time\fR
 .RS 4
-Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no
+Specify the date and time when the generated RRSIG records become valid\&. This can be either an absolute or relative time\&. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000\&. A relative start time is indicated by +N, which is N seconds from the current time\&. If no
 \fBstart\-time\fR
-is specified, the current time minus 1 hour (to allow for clock skew) is used.
+is specified, the current time minus 1 hour (to allow for clock skew) is used\&.
 .RE
 .PP
 \-e \fIend\-time\fR
 .RS 4
-Specify the date and time when the generated RRSIG records expire. As with
-\fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no
+Specify the date and time when the generated RRSIG records expire\&. As with
+\fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation\&. A time relative to the start time is indicated with +N, which is N seconds from the start time\&. A time relative to the current time is indicated with now+N\&. If no
 \fBend\-time\fR
-is specified, 30 days from the start time is used as a default.
+is specified, 30 days from the start time is used as a default\&.
 \fBend\-time\fR
 must be later than
-\fBstart\-time\fR.
+\fBstart\-time\fR\&.
 .RE
 .PP
 \-X \fIextended end\-time\fR
 .RS 4
-Specify the date and time when the generated RRSIG records for the DNSKEY RRset will expire. This is to be used in cases when the DNSKEY signatures need to persist longer than signatures on other records; e.g., when the private component of the KSK is kept offline and the KSK signature is to be refreshed manually.
+Specify the date and time when the generated RRSIG records for the DNSKEY RRset will expire\&. This is to be used in cases when the DNSKEY signatures need to persist longer than signatures on other records; e\&.g\&., when the private component of the KSK is kept offline and the KSK signature is to be refreshed manually\&.
 .sp
 As with
-\fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no
+\fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation\&. A time relative to the start time is indicated with +N, which is N seconds from the start time\&. A time relative to the current time is indicated with now+N\&. If no
 \fBextended end\-time\fR
 is specified, the value of
 \fBend\-time\fR
-is used as the default. (\fBend\-time\fR, in turn, defaults to 30 days from the start time.)
+is used as the default\&. (\fBend\-time\fR, in turn, defaults to 30 days from the start time\&.)
 \fBextended end\-time\fR
 must be later than
-\fBstart\-time\fR.
+\fBstart\-time\fR\&.
 .RE
 .PP
 \-f \fIoutput\-file\fR
 .RS 4
-The name of the output file containing the signed zone. The default is to append
-\fI.signed\fR
-to the input filename. If
+The name of the output file containing the signed zone\&. The default is to append
+\&.signed
+to the input filename\&. If
 \fBoutput\-file\fR
 is set to
-"\-", then the signed zone is written to the standard output, with a default output format of "full".
+"\-", then the signed zone is written to the standard output, with a default output format of "full"\&.
 .RE
 .PP
 \-h
 .RS 4
 Prints a short summary of the options and arguments to
-\fBdnssec\-signzone\fR.
+\fBdnssec\-signzone\fR\&.
 .RE
 .PP
 \-V
 .RS 4
-Prints version information.
+Prints version information\&.
 .RE
 .PP
 \-i \fIinterval\fR
 .RS 4
-When a previously\-signed zone is passed as input, records may be resigned. The
+When a previously\-signed zone is passed as input, records may be resigned\&. The
 \fBinterval\fR
-option specifies the cycle interval as an offset from the current time (in seconds). If a RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced.
+option specifies the cycle interval as an offset from the current time (in seconds)\&. If a RRSIG record expires after the cycle interval, it is retained\&. Otherwise, it is considered to be expiring soon, and it will be replaced\&.
 .sp
-The default cycle interval is one quarter of the difference between the signature end and start times. So if neither
+The default cycle interval is one quarter of the difference between the signature end and start times\&. So if neither
 \fBend\-time\fR
 or
 \fBstart\-time\fR
 are specified,
 \fBdnssec\-signzone\fR
-generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced.
+generates signatures that are valid for 30 days, with a cycle interval of 7\&.5 days\&. Therefore, if any existing RRSIG records are due to expire in less than 7\&.5 days, they would be replaced\&.
 .RE
 .PP
 \-I \fIinput\-format\fR
 .RS 4
-The format of the input zone file. Possible formats are
+The format of the input zone file\&. Possible formats are
 \fB"text"\fR
 (default),
 \fB"raw"\fR, and
-\fB"map"\fR. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be signed directly. The use of this option does not make much sense for non\-dynamic zones.
+\fB"map"\fR\&. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be signed directly\&. The use of this option does not make much sense for non\-dynamic zones\&.
 .RE
 .PP
 \-j \fIjitter\fR
 .RS 4
-When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expires simultaneously. If the zone is incrementally signed, i.e. a previously\-signed zone is passed as input to the signer, all expired signatures have to be regenerated at about the same time. The
+When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expires simultaneously\&. If the zone is incrementally signed, i\&.e\&. a previously\-signed zone is passed as input to the signer, all expired signatures have to be regenerated at about the same time\&. The
 \fBjitter\fR
-option specifies a jitter window that will be used to randomize the signature expire time, thus spreading incremental signature regeneration over time.
+option specifies a jitter window that will be used to randomize the signature expire time, thus spreading incremental signature regeneration over time\&.
 .sp
-Signature lifetime jitter also to some extent benefits validators and servers by spreading out cache expiration, i.e. if large numbers of RRSIGs don't expire at the same time from all caches there will be less congestion than if all validators need to refetch at mostly the same time.
+Signature lifetime jitter also to some extent benefits validators and servers by spreading out cache expiration, i\&.e\&. if large numbers of RRSIGs don\*(Aqt expire at the same time from all caches there will be less congestion than if all validators need to refetch at mostly the same time\&.
 .RE
 .PP
 \-L \fIserial\fR
 .RS 4
-When writing a signed zone to "raw" or "map" format, set the "source serial" value in the header to the specified serial number. (This is expected to be used primarily for testing purposes.)
+When writing a signed zone to "raw" or "map" format, set the "source serial" value in the header to the specified serial number\&. (This is expected to be used primarily for testing purposes\&.)
 .RE
 .PP
 \-n \fIncpus\fR
 .RS 4
-Specifies the number of threads to use. By default, one thread is started for each detected CPU.
+Specifies the number of threads to use\&. By default, one thread is started for each detected CPU\&.
 .RE
 .PP
 \-N \fIsoa\-serial\-format\fR
 .RS 4
-The SOA serial number format of the signed zone. Possible formats are
+The SOA serial number format of the signed zone\&. Possible formats are
 \fB"keep"\fR
 (default),
 \fB"increment"\fR
 and
-\fB"unixtime"\fR.
-.RS 4
+\fB"unixtime"\fR\&.
 .PP
 \fB"keep"\fR
 .RS 4
-Do not modify the SOA serial number.
+Do not modify the SOA serial number\&.
 .RE
 .PP
 \fB"increment"\fR
 .RS 4
-Increment the SOA serial number using RFC 1982 arithmetics.
+Increment the SOA serial number using RFC 1982 arithmetics\&.
 .RE
 .PP
 \fB"unixtime"\fR
 .RS 4
-Set the SOA serial number to the number of seconds since epoch.
-.RE
+Set the SOA serial number to the number of seconds since epoch\&.
 .RE
 .RE
 .PP
 \-o \fIorigin\fR
 .RS 4
-The zone origin. If not specified, the name of the zone file is assumed to be the origin.
+The zone origin\&. If not specified, the name of the zone file is assumed to be the origin\&.
 .RE
 .PP
 \-O \fIoutput\-format\fR
 .RS 4
-The format of the output file containing the signed zone. Possible formats are
+The format of the output file containing the signed zone\&. Possible formats are
 \fB"text"\fR
 (default), which is the standard textual representation of the zone;
 \fB"full"\fR, which is text output in a format suitable for processing by external scripts; and
 \fB"map"\fR,
 \fB"raw"\fR, and
 \fB"raw=N"\fR, which store the zone in binary formats for rapid loading by
-\fBnamed\fR.
+\fBnamed\fR\&.
 \fB"raw=N"\fR
 specifies the format version of the raw zone file: if N is 0, the raw file can be read by any version of
-\fBnamed\fR; if N is 1, the file can be read by release 9.9.0 or higher; the default is 1.
+\fBnamed\fR; if N is 1, the file can be read by release 9\&.9\&.0 or higher; the default is 1\&.
 .RE
 .PP
 \-p
 .RS 4
-Use pseudo\-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited.
+Use pseudo\-random data when signing the zone\&. This is faster, but less secure, than using real random data\&. This option may be useful when signing large zones or when the entropy source is limited\&.
 .RE
 .PP
 \-P
 .RS 4
-Disable post sign verification tests.
+Disable post sign verification tests\&.
 .sp
-The post sign verification test ensures that for each algorithm in use there is at least one non revoked self signed KSK key, that all revoked KSK keys are self signed, and that all records in the zone are signed by the algorithm. This option skips these tests.
+The post sign verification test ensures that for each algorithm in use there is at least one non revoked self signed KSK key, that all revoked KSK keys are self signed, and that all records in the zone are signed by the algorithm\&. This option skips these tests\&.
 .RE
 .PP
 \-Q
 .RS 4
-Remove signatures from keys that are no longer active.
+Remove signatures from keys that are no longer active\&.
 .sp
-Normally, when a previously\-signed zone is passed as input to the signer, and a DNSKEY record has been removed and replaced with a new one, signatures from the old key that are still within their validity period are retained. This allows the zone to continue to validate with cached copies of the old DNSKEY RRset. The
+Normally, when a previously\-signed zone is passed as input to the signer, and a DNSKEY record has been removed and replaced with a new one, signatures from the old key that are still within their validity period are retained\&. This allows the zone to continue to validate with cached copies of the old DNSKEY RRset\&. The
 \fB\-Q\fR
 forces
 \fBdnssec\-signzone\fR
-to remove signatures from keys that are no longer active. This enables ZSK rollover using the procedure described in RFC 4641, section 4.2.1.1 ("Pre\-Publish Key Rollover").
+to remove signatures from keys that are no longer active\&. This enables ZSK rollover using the procedure described in RFC 4641, section 4\&.2\&.1\&.1 ("Pre\-Publish Key Rollover")\&.
 .RE
 .PP
 \-R
 .RS 4
-Remove signatures from keys that are no longer published.
+Remove signatures from keys that are no longer published\&.
 .sp
 This option is similar to
 \fB\-Q\fR, except it forces
 \fBdnssec\-signzone\fR
-to signatures from keys that are no longer published. This enables ZSK rollover using the procedure described in RFC 4641, section 4.2.1.2 ("Double Signature Zone Signing Key Rollover").
+to signatures from keys that are no longer published\&. This enables ZSK rollover using the procedure described in RFC 4641, section 4\&.2\&.1\&.2 ("Double Signature Zone Signing Key Rollover")\&.
 .RE
 .PP
 \-r \fIrandomdev\fR
 .RS 4
-Specifies the source of randomness. If the operating system does not provide a
-\fI/dev/random\fR
-or equivalent device, the default source of randomness is keyboard input.
-\fIrandomdev\fR
-specifies the name of a character device or file containing random data to be used instead of the default. The special value
-\fIkeyboard\fR
-indicates that keyboard input should be used.
+Specifies the source of randomness\&. If the operating system does not provide a
+/dev/random
+or equivalent device, the default source of randomness is keyboard input\&.
+randomdev
+specifies the name of a character device or file containing random data to be used instead of the default\&. The special value
+keyboard
+indicates that keyboard input should be used\&.
 .RE
 .PP
 \-S
 .RS 4
 Smart signing: Instructs
 \fBdnssec\-signzone\fR
-to search the key repository for keys that match the zone being signed, and to include them in the zone if appropriate.
+to search the key repository for keys that match the zone being signed, and to include them in the zone if appropriate\&.
 .sp
-When a key is found, its timing metadata is examined to determine how it should be used, according to the following rules. Each successive rule takes priority over the prior ones:
-.RS 4
+When a key is found, its timing metadata is examined to determine how it should be used, according to the following rules\&. Each successive rule takes priority over the prior ones:
 .PP
 .RS 4
-If no timing metadata has been set for the key, the key is published in the zone and used to sign the zone.
+If no timing metadata has been set for the key, the key is published in the zone and used to sign the zone\&.
 .RE
 .PP
 .RS 4
-If the key's publication date is set and is in the past, the key is published in the zone.
+If the key\*(Aqs publication date is set and is in the past, the key is published in the zone\&.
 .RE
 .PP
 .RS 4
-If the key's activation date is set and in the past, the key is published (regardless of publication date) and used to sign the zone.
+If the key\*(Aqs activation date is set and in the past, the key is published (regardless of publication date) and used to sign the zone\&.
 .RE
 .PP
 .RS 4
-If the key's revocation date is set and in the past, and the key is published, then the key is revoked, and the revoked key is used to sign the zone.
+If the key\*(Aqs revocation date is set and in the past, and the key is published, then the key is revoked, and the revoked key is used to sign the zone\&.
 .RE
 .PP
 .RS 4
-If either of the key's unpublication or deletion dates are set and in the past, the key is NOT published or used to sign the zone, regardless of any other metadata.
-.RE
+If either of the key\*(Aqs unpublication or deletion dates are set and in the past, the key is NOT published or used to sign the zone, regardless of any other metadata\&.
 .RE
 .RE
 .PP
 \-T \fIttl\fR
 .RS 4
-Specifies a TTL to be used for new DNSKEY records imported into the zone from the key repository. If not specified, the default is the TTL value from the zone's SOA record. This option is ignored when signing without
-\fB\-S\fR, since DNSKEY records are not imported from the key repository in that case. It is also ignored if there are any pre\-existing DNSKEY records at the zone apex, in which case new records' TTL values will be set to match them, or if any of the imported DNSKEY records had a default TTL value. In the event of a a conflict between TTL values in imported keys, the shortest one is used.
+Specifies a TTL to be used for new DNSKEY records imported into the zone from the key repository\&. If not specified, the default is the TTL value from the zone\*(Aqs SOA record\&. This option is ignored when signing without
+\fB\-S\fR, since DNSKEY records are not imported from the key repository in that case\&. It is also ignored if there are any pre\-existing DNSKEY records at the zone apex, in which case new records\*(Aq TTL values will be set to match them, or if any of the imported DNSKEY records had a default TTL value\&. In the event of a a conflict between TTL values in imported keys, the shortest one is used\&.
 .RE
 .PP
 \-t
 .RS 4
-Print statistics at completion.
+Print statistics at completion\&.
 .RE
 .PP
 \-u
 .RS 4
-Update NSEC/NSEC3 chain when re\-signing a previously signed zone. With this option, a zone signed with NSEC can be switched to NSEC3, or a zone signed with NSEC3 can be switch to NSEC or to NSEC3 with different parameters. Without this option,
+Update NSEC/NSEC3 chain when re\-signing a previously signed zone\&. With this option, a zone signed with NSEC can be switched to NSEC3, or a zone signed with NSEC3 can be switch to NSEC or to NSEC3 with different parameters\&. Without this option,
 \fBdnssec\-signzone\fR
-will retain the existing chain when re\-signing.
+will retain the existing chain when re\-signing\&.
 .RE
 .PP
 \-v \fIlevel\fR
 .RS 4
-Sets the debugging level.
+Sets the debugging level\&.
 .RE
 .PP
 \-x
 .RS 4
-Only sign the DNSKEY RRset with key\-signing keys, and omit signatures from zone\-signing keys. (This is similar to the
+Only sign the DNSKEY RRset with key\-signing keys, and omit signatures from zone\-signing keys\&. (This is similar to the
 \fBdnssec\-dnskey\-kskonly yes;\fR
 zone option in
-\fBnamed\fR.)
+\fBnamed\fR\&.)
 .RE
 .PP
 \-z
 .RS 4
-Ignore KSK flag on key when determining what to sign. This causes KSK\-flagged keys to sign all records, not just the DNSKEY RRset. (This is similar to the
+Ignore KSK flag on key when determining what to sign\&. This causes KSK\-flagged keys to sign all records, not just the DNSKEY RRset\&. (This is similar to the
 \fBupdate\-check\-ksk no;\fR
 zone option in
-\fBnamed\fR.)
+\fBnamed\fR\&.)
 .RE
 .PP
 \-3 \fIsalt\fR
 .RS 4
-Generate an NSEC3 chain with the given hex encoded salt. A dash (\fIsalt\fR) can be used to indicate that no salt is to be used when generating the NSEC3 chain.
+Generate an NSEC3 chain with the given hex encoded salt\&. A dash (\fIsalt\fR) can be used to indicate that no salt is to be used when generating the NSEC3 chain\&.
 .RE
 .PP
 \-H \fIiterations\fR
 .RS 4
-When generating an NSEC3 chain, use this many iterations. The default is 10.
+When generating an NSEC3 chain, use this many iterations\&. The default is 10\&.
 .RE
 .PP
 \-A
 .RS 4
-When generating an NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations.
+When generating an NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations\&.
 .sp
-Using this option twice (i.e.,
-\fB\-AA\fR) turns the OPTOUT flag off for all records. This is useful when using the
+Using this option twice (i\&.e\&.,
+\fB\-AA\fR) turns the OPTOUT flag off for all records\&. This is useful when using the
 \fB\-u\fR
-option to modify an NSEC3 chain which previously had OPTOUT set.
+option to modify an NSEC3 chain which previously had OPTOUT set\&.
 .RE
 .PP
 zonefile
 .RS 4
-The file containing the zone to be signed.
+The file containing the zone to be signed\&.
 .RE
 .PP
 key
 .RS 4
-Specify which keys should be used to sign the zone. If no keys are specified, then the zone will be examined for DNSKEY records at the zone apex. If these are found and there are matching private keys, in the current directory, then these will be used for signing.
+Specify which keys should be used to sign the zone\&. If no keys are specified, then the zone will be examined for DNSKEY records at the zone apex\&. If these are found and there are matching private keys, in the current directory, then these will be used for signing\&.
 .RE
 .SH "EXAMPLE"
 .PP
 The following command signs the
-\fBexample.com\fR
+\fBexample\&.com\fR
 zone with the DSA key generated by
 \fBdnssec\-keygen\fR
-(Kexample.com.+003+17247). Because the
+(Kexample\&.com\&.+003+17247)\&. Because the
 \fB\-S\fR
-option is not being used, the zone's keys must be in the master file (\fIdb.example.com\fR). This invocation looks for
-\fIdsset\fR
-files, in the current directory, so that DS records can be imported from them (\fB\-g\fR).
+option is not being used, the zone\*(Aqs keys must be in the master file (db\&.example\&.com)\&. This invocation looks for
+dsset
+files, in the current directory, so that DS records can be imported from them (\fB\-g\fR)\&.
 .sp
+.if n \{\
 .RS 4
+.\}
 .nf
-% dnssec\-signzone \-g \-o example.com db.example.com \\
-Kexample.com.+003+17247
-db.example.com.signed
+% dnssec\-signzone \-g \-o example\&.com db\&.example\&.com \e
+Kexample\&.com\&.+003+17247
+db\&.example\&.com\&.signed
 %
 .fi
+.if n \{\
 .RE
+.\}
 .PP
 In the above example,
 \fBdnssec\-signzone\fR
 creates the file
-\fIdb.example.com.signed\fR. This file should be referenced in a zone statement in a
-\fInamed.conf\fR
-file.
+db\&.example\&.com\&.signed\&. This file should be referenced in a zone statement in a
+named\&.conf
+file\&.
 .PP
-This example re\-signs a previously signed zone with default parameters. The private keys are assumed to be in the current directory.
+This example re\-signs a previously signed zone with default parameters\&. The private keys are assumed to be in the current directory\&.
 .sp
+.if n \{\
 .RS 4
+.\}
 .nf
-% cp db.example.com.signed db.example.com
-% dnssec\-signzone \-o example.com db.example.com
-db.example.com.signed
+% cp db\&.example\&.com\&.signed db\&.example\&.com
+% dnssec\-signzone \-o example\&.com db\&.example\&.com
+db\&.example\&.com\&.signed
 %
 .fi
+.if n \{\
 .RE
+.\}
 .SH "SEE ALSO"
 .PP
-\fBdnssec\-keygen\fR(8),
+\fBdnssec-keygen\fR(8),
 BIND 9 Administrator Reference Manual,
 RFC 4033,
-RFC 4641.
+RFC 4641\&.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
+\fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2009, 2011\-2014 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2004-2009, 2011-2015 Internet Systems Consortium, Inc. ("ISC")
 .br
-Copyright \(co 2000\-2003 Internet Software Consortium.
+Copyright \(co 2000-2003 Internet Software Consortium.
 .br
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c	Thu May 26 16:49:55 2016 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dnssec-signzone.c,v 1.16 2015/12/17 04:00:41 christos Exp $	*/
+/*	$NetBSD: dnssec-signzone.c,v 1.17 2016/05/26 16:49:55 christos Exp $	*/
 
 /*
- * Portions Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -1106,6 +1106,10 @@
 	dns_diff_clear(&add);
 }
 
+/*
+ * See if the node contains any non RRSIG/NSEC records and report to
+ * caller.  Clean out extranous RRSIG records for node.
+ */
 static inline isc_boolean_t
 active_node(dns_dbnode_t *node) {
 	dns_rdatasetiter_t *rdsiter = NULL;
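Review bot: The added comment above `active_node()` misspells "extraneous" as "extranous", and it is the only place that tells a reader this predicate-named function also deletes records. I would word it as `See if the node contains any non RRSIG/NSEC records and report to the caller. As a side effect, remove extraneous RRSIG records from the node.` so the mutation is explicit. The function body lies outside this hunk, so which RRSIGs count as extraneous cannot be confirmed from here and should be spelled out by someone who can see it.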
@@ -1782,9 +1786,12 @@
 			continue;
 		}
 
-		if (dns_name_equal(name, gorigin))
+		if (dns_name_equal(name, gorigin)) {
 			remove_records(node, dns_rdatatype_nsec3param,
 				       ISC_TRUE);
+			/* Clean old rrsigs at apex. */
+			(void)active_node(node);
+		}
 
 		if (is_delegation(gdb, gversion, gorigin, name, node, &nsttl)) {
 			zonecut = dns_fixedname_name(&fzonecut);
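Review bot: `(void)active_node(node);` calls a function whose name reads as a pure query only for its side effect, and the comment `/* Clean old rrsigs at apex. */` does not say why the apex needs it at this point. Presumably the preceding `remove_records()` call can leave RRSIGs whose covered type no longer exists; if so, say that, e.g. `/* remove_records() may leave RRSIGs for the removed type; active_node() is called only to delete them. */`. The same call and comment are added in the `@@ -2229,8 +2236,11 @@` hunk after the NSEC removal. Both enclosing loops start and end outside the hunks.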
@@ -2229,8 +2236,11 @@
 			continue;
 		}
 
-		if (dns_name_equal(name, gorigin))
+		if (dns_name_equal(name, gorigin)) {
 			remove_records(node, dns_rdatatype_nsec, ISC_TRUE);
+			/* Clean old rrsigs at apex. */
+			(void)active_node(node);
+		}
 
 		result = dns_dbiterator_next(dbiter);
 		nextnode = NULL;
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-verify.8	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-verify.8	Thu May 26 16:49:55 2016 +0000
@@ -1,111 +1,127 @@
-.\"	$NetBSD: dnssec-verify.8,v 1.5 2014/12/10 04:37:51 christos Exp $
+.\"	$NetBSD: dnssec-verify.8,v 1.6 2016/05/26 16:49:55 christos Exp $
 .\"
-.\" Copyright (C) 2012, 2014  Internet Systems Consortium, Inc. ("ISC")
-.\"
+.\" Copyright (C) 2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+.\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\"
+.\" 
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" Id
-.\"
 .hy 0
 .ad l
-.\"     Title: dnssec\-verify
+'\" t
+.\"     Title: dnssec-verify
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: January 15, 2014
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2014-01-15
 .\"    Manual: BIND9
-.\"    Source: BIND9
+.\"    Source: ISC
+.\"  Language: English
 .\"
-.TH "DNSSEC\-VERIFY" "8" "January 15, 2014" "BIND9" "BIND9"
+.TH "DNSSEC\-VERIFY" "8" "2014\-01\-15" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
 .SH "NAME"
-dnssec\-verify \- DNSSEC zone verification tool
+dnssec-verify \- DNSSEC zone verification tool
 .SH "SYNOPSIS"
-.HP 14
+.HP \w'\fBdnssec\-verify\fR\ 'u
 \fBdnssec\-verify\fR [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-x\fR] [\fB\-z\fR] {zonefile}
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-verify\fR
-verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 chains are complete.
+verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 chains are complete\&.
 .SH "OPTIONS"
 .PP
 \-c \fIclass\fR
 .RS 4
-Specifies the DNS class of the zone.
+Specifies the DNS class of the zone\&.
 .RE
 .PP
 \-E \fIengine\fR
 .RS 4
-Specifies the cryptographic hardware to use, when applicable.
+Specifies the cryptographic hardware to use, when applicable\&.
 .sp
-When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11".
+When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module\&. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11"\&.
 .RE
 .PP
 \-I \fIinput\-format\fR
 .RS 4
-The format of the input zone file. Possible formats are
+The format of the input zone file\&. Possible formats are
 \fB"text"\fR
 (default) and
-\fB"raw"\fR. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be verified independently. The use of this option does not make much sense for non\-dynamic zones.
+\fB"raw"\fR\&. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be verified independently\&. The use of this option does not make much sense for non\-dynamic zones\&.
 .RE
 .PP
 \-o \fIorigin\fR
 .RS 4
-The zone origin. If not specified, the name of the zone file is assumed to be the origin.
+The zone origin\&. If not specified, the name of the zone file is assumed to be the origin\&.
 .RE
 .PP
 \-v \fIlevel\fR
 .RS 4
-Sets the debugging level.
+Sets the debugging level\&.
 .RE
 .PP
 \-V
 .RS 4
-Prints version information.
+Prints version information\&.
 .RE
 .PP
 \-x
 .RS 4
-Only verify that the DNSKEY RRset is signed with key\-signing keys. Without this flag, it is assumed that the DNSKEY RRset will be signed by all active keys. When this flag is set, it will not be an error if the DNSKEY RRset is not signed by zone\-signing keys. This corresponds to the
+Only verify that the DNSKEY RRset is signed with key\-signing keys\&. Without this flag, it is assumed that the DNSKEY RRset will be signed by all active keys\&. When this flag is set, it will not be an error if the DNSKEY RRset is not signed by zone\-signing keys\&. This corresponds to the
 \fB\-x\fR
 option in
-\fBdnssec\-signzone\fR.
+\fBdnssec\-signzone\fR\&.
 .RE
 .PP
 \-z
 .RS 4
-Ignore the KSK flag on the keys when determining whether the zone if correctly signed. Without this flag it is assumed that there will be a non\-revoked, self\-signed DNSKEY with the KSK flag set for each algorithm and that RRsets other than DNSKEY RRset will be signed with a different DNSKEY without the KSK flag set.
+Ignore the KSK flag on the keys when determining whether the zone if correctly signed\&. Without this flag it is assumed that there will be a non\-revoked, self\-signed DNSKEY with the KSK flag set for each algorithm and that RRsets other than DNSKEY RRset will be signed with a different DNSKEY without the KSK flag set\&.
 .sp
-With this flag set, we only require that for each algorithm, there will be at least one non\-revoked, self\-signed DNSKEY, regardless of the KSK flag state, and that other RRsets will be signed by a non\-revoked key for the same algorithm that includes the self\-signed key; the same key may be used for both purposes. This corresponds to the
+With this flag set, we only require that for each algorithm, there will be at least one non\-revoked, self\-signed DNSKEY, regardless of the KSK flag state, and that other RRsets will be signed by a non\-revoked key for the same algorithm that includes the self\-signed key; the same key may be used for both purposes\&. This corresponds to the
 \fB\-z\fR
 option in
-\fBdnssec\-signzone\fR.
+\fBdnssec\-signzone\fR\&.
 .RE
 .PP
 zonefile
 .RS 4
-The file containing the zone to be signed.
+The file containing the zone to be signed\&.
 .RE
 .SH "SEE ALSO"
 .PP
-\fBdnssec\-signzone\fR(8),
+\fBdnssec-signzone\fR(8),
 BIND 9 Administrator Reference Manual,
-RFC 4033.
+RFC 4033\&.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
+\fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
-Copyright \(co 2012, 2014 Internet Systems Consortium, Inc. ("ISC")
 .br
+Copyright \(co 2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+.br
--- a/external/bsd/bind/dist/bin/named/bind9.xsl.h	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/named/bind9.xsl.h	Thu May 26 16:49:55 2016 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: bind9.xsl.h,v 1.9 2016/03/10 04:01:33 christos Exp $	*/
+/*	$NetBSD: bind9.xsl.h,v 1.10 2016/05/26 16:49:56 christos Exp $	*/
 
 /*
  * Generated by convertxsl.pl 1.14 2008/07/17 23:43:26 jinmei Exp  
@@ -7,7 +7,7 @@
 static char xslmsg[] =
 	"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
 	"<!--\n"
-	" - Copyright (C) 2006-2009, 2012-2014, 2016 Internet Systems Consortium, Inc. (\"ISC\")\n"
+	" - Copyright (C) 2006-2009, 2012-2015 Internet Systems Consortium, Inc. (\"ISC\")\n"
 	" -\n"
 	" - Permission to use, copy, modify, and/or distribute this software for any\n"
 	" - purpose with or without fee is hereby granted, provided that the above\n"
--- a/external/bsd/bind/dist/bin/named/client.c	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/named/client.c	Thu May 26 16:49:55 2016 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: client.c,v 1.15 2016/03/10 04:01:33 christos Exp $	*/
+/*	$NetBSD: client.c,v 1.16 2016/05/26 16:49:56 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
@@ -252,7 +252,7 @@
 static inline isc_boolean_t
 allowed(isc_netaddr_t *addr, dns_name_t *signer, dns_acl_t *acl);
 #ifdef ISC_PLATFORM_USESIT
-static void compute_sit(ns_client_t *client, isc_uint32_t when,
+static void compute_cookie(ns_client_t *client, isc_uint32_t when,
 			isc_uint32_t nonce, isc_buffer_t *buf);
 #endif
 
@@ -1007,6 +1007,12 @@
 		else if (client->view->preferred_glue == dns_rdatatype_aaaa)
 			preferred_glue = DNS_MESSAGERENDER_PREFER_AAAA;
 	}
+	if (preferred_glue == 0) {
+		if (isc_sockaddr_pf(&client->peeraddr) == AF_INET)
+			preferred_glue = DNS_MESSAGERENDER_PREFER_A;
+		else
+			preferred_glue = DNS_MESSAGERENDER_PREFER_AAAA;
+	}
 
 #ifdef ALLOW_FILTER_AAAA
 	/*
@@ -1322,7 +1328,7 @@
 			 */
 			if (wouldlog) {
 				ns_client_log(client,
-					      NS_LOGCATEGORY_QUERY_EERRORS,
+					      NS_LOGCATEGORY_QUERY_ERRORS,
 					      NS_LOGMODULE_CLIENT,
 					      loglevel,
 					      "%s", log_buf);
@@ -1402,7 +1408,7 @@
 {
 	char nsid[BUFSIZ], *nsidp;
 #ifdef ISC_PLATFORM_USESIT
-	unsigned char sit[COOKIE_SIZE];
+	unsigned char cookie[COOKIE_SIZE];
 #endif
 	isc_result_t result;
 	dns_view_t *view;
@@ -1452,16 +1458,16 @@
 		isc_stdtime_t now;
 		isc_uint32_t nonce;
 
-		isc_buffer_init(&buf, sit, sizeof(sit));
+		isc_buffer_init(&buf, cookie, sizeof(cookie));
 		isc_stdtime_get(&now);
 		isc_random_get(&nonce);
 
-		compute_sit(client, now, nonce, &buf);
+		compute_cookie(client, now, nonce, &buf);
 
 		INSIST(count < DNS_EDNSOPTIONS);
 		ednsopts[count].code = DNS_OPT_COOKIE;
 		ednsopts[count].length = COOKIE_SIZE;
-		ednsopts[count].value = sit;
+		ednsopts[count].value = cookie;
 		count++;
 	}
 #endif
@@ -1563,8 +1569,8 @@
 
 #ifdef ISC_PLATFORM_USESIT
 static void
-compute_sit(ns_client_t *client, isc_uint32_t when, isc_uint32_t nonce,
-	    isc_buffer_t *buf)
+compute_cookie(ns_client_t *client, isc_uint32_t when, isc_uint32_t nonce,
+	       isc_buffer_t *buf)
 {
 #ifdef AES_SIT
 	unsigned char digest[ISC_AES_BLOCK_LENGTH];
@@ -1667,7 +1673,7 @@
 }
 
 static void
-process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
+process_cookie(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
 	unsigned char dbuf[COOKIE_SIZE];
 	unsigned char *old;
 	isc_stdtime_t now;
@@ -1676,10 +1682,10 @@
 	isc_buffer_t db;
 
 	/*
-	 * If we have already seen a ECS option skip this ECS option.
+	 * If we have already seen a SIT option skip this SIT option.
 	 */
 	if ((client->attributes & NS_CLIENTATTR_WANTSIT) != 0) {
-		isc_buffer_forward(buf, optlen);
+		isc_buffer_forward(buf, (isc_uint32_t)optlen);
 		return;
 	}
 	client->attributes |= NS_CLIENTATTR_WANTSIT;
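Review bot: The rewritten comment says "SIT option" although this commit renames the function to `process_cookie`, and the comment in the `@@ -1718,7 +1724,7 @@` hunk already says COOKIE. For consistency I would write `If we have already seen a COOKIE option skip this COOKIE option.` Separately, `(isc_uint32_t)optlen` narrows a `size_t` silently; that is safe only if the caller bounds `optlen`, which is not visible in this hunk, so a short comment naming where the bound comes from would justify the cast. The function body continues outside the hunk.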
@@ -1718,7 +1724,7 @@
 
 	/*
 	 * Allow for a 5 minute clock skew between servers sharing a secret.
-	 * Only accept SIT if we have talked to the client in the last hour.
+	 * Only accept COOKIE if we have talked to the client in the last hour.
 	 */
 	isc_stdtime_get(&now);
 	if (isc_serial_gt(when, (now + 300)) ||		/* In the future. */
@@ -1729,7 +1735,7 @@
 	}
 
 	isc_buffer_init(&db, dbuf, sizeof(dbuf));
-	compute_sit(client, when, nonce, &db);
+	compute_cookie(client, when, nonce, &db);
 
 	if (!isc_safe_memequal(old, dbuf, COOKIE_SIZE)) {
 		isc_stats_increment(ns_g_server->nsstats,
@@ -1805,7 +1811,7 @@
 				break;
 #ifdef ISC_PLATFORM_USESIT
 			case DNS_OPT_COOKIE:
-				process_sit(client, &optbuf, optlen);
+				process_cookie(client, &optbuf, optlen);
 				break;
 #endif
 			case DNS_OPT_EXPIRE:
@@ -2035,7 +2041,7 @@
 					       &client->opt);
 
 		ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-			      NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
 			      "message parsing failed: %s",
 			      isc_result_totext(result));
 		ns_client_error(client, result);
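Review bot: Dropping "message parsing failed" from `ISC_LOG_WARNING` to `ISC_LOG_DEBUG(1)` removes the record of malformed requests from logs at default verbosity, and the hunk gives no reason for it. The likely rationale is that any remote sender can reach this path, so a warning lets them fill the log; if that is the intent, state it next to the call, e.g. `/* Remotely triggerable: keep at debug level so malformed packets cannot flood the log. */`. Operators who relied on the warning to notice malformed traffic will need another signal, so the change is worth calling out in the change notes. The enclosing function starts and ends outside the hunk.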
--- a/external/bsd/bind/dist/bin/named/config.c	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/named/config.c	Thu May 26 16:49:55 2016 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: config.c,v 1.12 2015/12/17 04:00:41 christos Exp $	*/
+/*	$NetBSD: config.c,v 1.13 2016/05/26 16:49:56 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
@@ -107,9 +107,9 @@
 	transfers-per-ns 2;\n\
 	transfers-in 10;\n\
 	transfers-out 10;\n\
-	treat-cr-as-space true;\n\
-	use-id-pool true;\n\
-	use-ixfr true;\n\
+#	treat-cr-as-space <obsolete>;\n\
+#	use-id-pool <obsolete>;\n\
+#	use-ixfr <obsolete>;\n\
 	edns-udp-size 4096;\n\
 	max-udp-size 4096;\n\
 "
--- a/external/bsd/bind/dist/bin/named/control.c	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/named/control.c	Thu May 26 16:49:55 2016 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: control.c,v 1.10 2016/03/10 04:01:33 christos Exp $	*/
+/*	$NetBSD: control.c,v 1.11 2016/05/26 16:49:56 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2007, 2009-2016  Internet Systems Consortium, Inc. ("ISC")
@@ -26,6 +26,7 @@
 
 #include <isc/app.h>
 #include <isc/event.h>
+#include <isc/lex.h>
 #include <isc/mem.h>
 #include <isc/string.h>
 #include <isc/timer.h>
@@ -38,6 +39,7 @@
 #include <isccc/result.h>
 
 #include <named/control.h>
+#include <named/globals.h>
 #include <named/log.h>
 #include <named/os.h>
 #include <named/server.h>
@@ -45,15 +47,30 @@
 #include <named/ns_smf_globals.h>
 #endif
 
-static isc_boolean_t
-command_compare(const char *text, const char *command) {
-	unsigned int commandlen = strlen(command);
-	if (strncasecmp(text, command, commandlen) == 0 &&
-	    (text[commandlen] == '\0' ||
-	     text[commandlen] == ' ' ||
-	     text[commandlen] == '\t'))
-		return (ISC_TRUE);
-	return (ISC_FALSE);
+static isc_result_t
+getcommand(isc_lex_t *lex, char **cmdp) {
+	isc_result_t result;
+	isc_token_t token;
+
+	REQUIRE(cmdp != NULL && *cmdp == NULL);
+
+	result = isc_lex_gettoken(lex, ISC_LEXOPT_EOF, &token);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	isc_lex_ungettoken(lex, &token);
+
+	if (token.type != isc_tokentype_string)
+		return (ISC_R_FAILURE);
+
+	*cmdp = token.value.as_textregion.base;
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_boolean_t
+command_compare(const char *str, const char *command) {
+	return ISC_TF(strcasecmp(str, command) == 0);
 }
 
 /*%
@@ -63,9 +80,12 @@
 isc_result_t
 ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 	isccc_sexpr_t *data;
+	char *cmdline = NULL;
 	char *command = NULL;
 	isc_result_t result;
 	int log_level;
+	isc_buffer_t src;
+	isc_lex_t *lex = NULL;
 #ifdef HAVE_LIBSCF
 	ns_smf_want_disable = 0;
 #endif
@@ -78,7 +98,7 @@
 		return (ISC_R_FAILURE);
 	}
 
-	result = isccc_cc_lookupstring(data, "type", &command);
+	result = isccc_cc_lookupstring(data, "type", &cmdline);
 	if (result != ISC_R_SUCCESS) {
 		/*
 		 * We have no idea what this is.
@@ -86,6 +106,20 @@
 		return (result);
 	}
 
+	result = isc_lex_create(ns_g_mctx, strlen(cmdline), &lex);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	isc_buffer_init(&src, cmdline, strlen(cmdline));
+	isc_buffer_add(&src, strlen(cmdline));
+	result = isc_lex_openbuffer(lex, &src);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = getcommand(lex, &command);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
 	/*
 	 * Compare the 'command' parameter against all known control commands.
 	 */
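Review bot: An empty `type` string reaches `isc_lex_create(ns_g_mctx, strlen(cmdline), &lex)` with a maximum token size of 0, and nothing in this hunk rejects that case first. isc_lex_create is not visible here, but if it asserts on a zero size, an empty control command would abort the server instead of returning an error. A guard ahead of the call, `if (*cmdline == '\0') return (DNS_R_UNKNOWNCOMMAND);`, keeps the empty case on the ordinary error path, and no cleanup is needed there because `lex` is still NULL. `ns_control_docommand` begins and ends outside this hunk.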
@@ -95,20 +129,21 @@
 	} else {
 		log_level = ISC_LOG_INFO;
 	}
+
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 		      NS_LOGMODULE_CONTROL, log_level,
 		      "received control channel command '%s'",
 		      command);
 
 	if (command_compare(command, NS_COMMAND_RELOAD)) {
-		result = ns_server_reloadcommand(ns_g_server, command, text);
+		result = ns_server_reloadcommand(ns_g_server, lex, text);
 	} else if (command_compare(command, NS_COMMAND_RECONFIG)) {
 		result = ns_server_reconfigcommand(ns_g_server);
 	} else if (command_compare(command, NS_COMMAND_REFRESH)) {
-		result = ns_server_refreshcommand(ns_g_server, command, text);
+		result = ns_server_refreshcommand(ns_g_server, lex, text);
 	} else if (command_compare(command, NS_COMMAND_RETRANSFER)) {
 		result = ns_server_retransfercommand(ns_g_server,
-						     command, text);
+						     lex, text);
 	} else if (command_compare(command, NS_COMMAND_HALT)) {
 #ifdef HAVE_LIBSCF
 		/*
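Review bot: The `received control channel command '%s'` log call still prints `command`, which after this commit is the first token returned by `getcommand()` rather than the full string looked up from the message. Since `command_compare()` now does an exact `strcasecmp`, `command` must be the bare verb, so the arguments (zone, view or key name) no longer reach the log. That weakens the control-channel audit trail; passing `cmdline` as the format argument would keep the record operators had before. `ns_control_docommand` starts and ends outside this hunk.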
@@ -118,7 +153,7 @@
 		 */
 		if (ns_smf_got_instance == 1 && ns_smf_chroot == 1) {
 			result = ns_smf_add_message(text);
-			return (result);
+			goto cleanup;
 		}
 		/*
 		 * If we are managed by smf(5) but not in chroot,
@@ -134,7 +169,7 @@
 #endif
 		/* Do not flush master files */
 		ns_server_flushonshutdown(ns_g_server, ISC_FALSE);
-		ns_os_shutdownmsg(command, text);
+		ns_os_shutdownmsg(cmdline, text);
 		isc_app_shutdown();
 		result = ISC_R_SUCCESS;
 	} else if (command_compare(command, NS_COMMAND_STOP)) {
@@ -145,54 +180,54 @@
 #ifdef HAVE_LIBSCF
 		if (ns_smf_got_instance == 1 && ns_smf_chroot == 1) {
 			result = ns_smf_add_message(text);
-			return (result);
+			goto cleanup;
 		}
 		if (ns_smf_got_instance == 1 && ns_smf_chroot == 0)
 			ns_smf_want_disable = 1;
 #endif
 		ns_server_flushonshutdown(ns_g_server, ISC_TRUE);
-		ns_os_shutdownmsg(command, text);
+		ns_os_shutdownmsg(cmdline, text);
 		isc_app_shutdown();
 		result = ISC_R_SUCCESS;
 	} else if (command_compare(command, NS_COMMAND_DUMPSTATS)) {
 		result = ns_server_dumpstats(ns_g_server);
 	} else if (command_compare(command, NS_COMMAND_QUERYLOG)) {
-		result = ns_server_togglequerylog(ns_g_server, command);
+		result = ns_server_togglequerylog(ns_g_server, lex);
 	} else if (command_compare(command, NS_COMMAND_DUMPDB)) {
-		ns_server_dumpdb(ns_g_server, command);
+		ns_server_dumpdb(ns_g_server, lex);
 		result = ISC_R_SUCCESS;
 	} else if (command_compare(command, NS_COMMAND_SECROOTS)) {
-		result = ns_server_dumpsecroots(ns_g_server, command);
+		result = ns_server_dumpsecroots(ns_g_server, lex);
 	} else if (command_compare(command, NS_COMMAND_TRACE)) {
-		result = ns_server_setdebuglevel(ns_g_server, command);
+		result = ns_server_setdebuglevel(ns_g_server, lex);
 	} else if (command_compare(command, NS_COMMAND_NOTRACE)) {
 		ns_g_debuglevel = 0;
 		isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
 		result = ISC_R_SUCCESS;
 	} else if (command_compare(command, NS_COMMAND_FLUSH)) {
-		result = ns_server_flushcache(ns_g_server, command);
+		result = ns_server_flushcache(ns_g_server, lex);
 	} else if (command_compare(command, NS_COMMAND_FLUSHNAME)) {
-		result = ns_server_flushnode(ns_g_server, command, ISC_FALSE);
+		result = ns_server_flushnode(ns_g_server, lex, ISC_FALSE);
 	} else if (command_compare(command, NS_COMMAND_FLUSHTREE)) {
-		result = ns_server_flushnode(ns_g_server, command, ISC_TRUE);
+		result = ns_server_flushnode(ns_g_server, lex, ISC_TRUE);
 	} else if (command_compare(command, NS_COMMAND_STATUS)) {
 		result = ns_server_status(ns_g_server, text);
 	} else if (command_compare(command, NS_COMMAND_TSIGLIST)) {
 		result = ns_server_tsiglist(ns_g_server, text);
 	} else if (command_compare(command, NS_COMMAND_TSIGDELETE)) {
-		result = ns_server_tsigdelete(ns_g_server, command, text);
+		result = ns_server_tsigdelete(ns_g_server, lex, text);
 	} else if (command_compare(command, NS_COMMAND_FREEZE)) {
-		result = ns_server_freeze(ns_g_server, ISC_TRUE, command,
+		result = ns_server_freeze(ns_g_server, ISC_TRUE, lex,
 					  text);
 	} else if (command_compare(command, NS_COMMAND_UNFREEZE) ||
 		   command_compare(command, NS_COMMAND_THAW)) {
-		result = ns_server_freeze(ns_g_server, ISC_FALSE, command,
+		result = ns_server_freeze(ns_g_server, ISC_FALSE, lex,
 					  text);
 	} else if (command_compare(command, NS_COMMAND_SCAN)) {
 		result = ISC_R_SUCCESS;
 		ns_server_scan_interfaces(ns_g_server);
 	} else if (command_compare(command, NS_COMMAND_SYNC)) {
-		result = ns_server_sync(ns_g_server, command, text);
+		result = ns_server_sync(ns_g_server, lex, text);
 	} else if (command_compare(command, NS_COMMAND_RECURSING)) {
 		result = ns_server_dumprecursing(ns_g_server);
 	} else if (command_compare(command, NS_COMMAND_TIMERPOKE)) {
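Review bot: The `NS_COMMAND_DUMPDB` branch discards the return value of `ns_server_dumpdb(ns_g_server, lex)` and then sets `result = ISC_R_SUCCESS`, although server.h declares the function as returning `isc_result_t`. Now that the handler reads its arguments from the lexer, a tokenising failure there would presumably be reported to the client as success. Every neighbouring branch propagates the handler's result, so `result = ns_server_dumpdb(ns_g_server, lex);` would be consistent. If the result is ignored on purpose, a one-line comment saying why is needed. The if/else chain continues outside this hunk.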
@@ -201,20 +236,20 @@
 	} else if (command_compare(command, NS_COMMAND_NULL)) {
 		result = ISC_R_SUCCESS;
 	} else if (command_compare(command, NS_COMMAND_NOTIFY)) {
-		result = ns_server_notifycommand(ns_g_server, command, text);
+		result = ns_server_notifycommand(ns_g_server, lex, text);
 	} else if (command_compare(command, NS_COMMAND_VALIDATION)) {
-		result = ns_server_validation(ns_g_server, command, text);
+		result = ns_server_validation(ns_g_server, lex, text);
 	} else if (command_compare(command, NS_COMMAND_SIGN) ||
 		   command_compare(command, NS_COMMAND_LOADKEYS)) {
-		result = ns_server_rekey(ns_g_server, command, text);
+		result = ns_server_rekey(ns_g_server, lex, text);
 	} else if (command_compare(command, NS_COMMAND_ADDZONE)) {
-		result = ns_server_add_zone(ns_g_server, command, text);
+		result = ns_server_add_zone(ns_g_server, cmdline, text);
 	} else if (command_compare(command, NS_COMMAND_DELZONE)) {
-		result = ns_server_del_zone(ns_g_server, command, text);
+		result = ns_server_del_zone(ns_g_server, lex, text);
 	} else if (command_compare(command, NS_COMMAND_SIGNING)) {
-		result = ns_server_signing(ns_g_server, command, text);
+		result = ns_server_signing(ns_g_server, lex, text);
 	} else if (command_compare(command, NS_COMMAND_ZONESTATUS)) {
-		result = ns_server_zonestatus(ns_g_server, command, text);
+		result = ns_server_zonestatus(ns_g_server, lex, text);
 	} else {
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
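Review bot: `ns_server_add_zone(ns_g_server, cmdline, text)` is the only handler in this chain that is still given the raw command string rather than `lex`, and nothing here says why. A reader auditing the switch to tokenised input will take it for an oversight. A short comment on that branch, for example `/* addzone parses the full command line itself, so it takes cmdline rather than the lexer */` (wording to be confirmed by the author), would record that the exception is deliberate and that this handler's own parsing of untokenised input still needs review.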
@@ -223,5 +258,9 @@
 		result = DNS_R_UNKNOWNCOMMAND;
 	}
 
+ cleanup:
+	if (lex != NULL)
+		isc_lex_destroy(&lex);
+
 	return (result);
 }
--- a/external/bsd/bind/dist/bin/named/controlconf.c	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/named/controlconf.c	Thu May 26 16:49:55 2016 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: controlconf.c,v 1.11 2016/03/10 04:01:33 christos Exp $	*/
+/*	$NetBSD: controlconf.c,v 1.12 2016/05/26 16:49:56 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2008, 2011-2014, 2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008, 2011-2016  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -549,6 +549,10 @@
 
 	conn->sock = sock;
 	isccc_ccmsg_init(listener->mctx, sock, &conn->ccmsg);
+
+	/* Set a 32 KiB upper limit on incoming message. */
+	isccc_ccmsg_setmaxsize(&conn->ccmsg, 32768);
+
 	conn->ccmsg_valid = ISC_TRUE;
 	conn->sending = ISC_FALSE;
 	conn->timer = NULL;
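Review bot: The limit passed to `isccc_ccmsg_setmaxsize(&conn->ccmsg, 32768)` is a bare literal, and the comment above it repeats the number without saying why the cap exists. A named constant near the top of the file, for example `#define CONTROL_MAXMSGSIZE 32768` (the name is only a suggestion), would keep the value in one place. Its comment should state that the cap bounds how much one peer can make the server buffer for a single message. That is presumably before the message is authenticated, which should be confirmed against the ccmsg receive path. The enclosing function starts and ends outside this hunk.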
--- a/external/bsd/bind/dist/bin/named/include/named/log.h	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/named/include/named/log.h	Thu May 26 16:49:55 2016 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: log.h,v 1.4 2014/12/10 04:37:52 christos Exp $	*/
+/*	$NetBSD: log.h,v 1.5 2016/05/26 16:49:56 christos Exp $	*/
 
 /*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -38,7 +38,7 @@
 #define NS_LOGCATEGORY_QUERIES		(&ns_g_categories[4])
 #define NS_LOGCATEGORY_UNMATCHED	(&ns_g_categories[5])
 #define NS_LOGCATEGORY_UPDATE_SECURITY	(&ns_g_categories[6])
-#define NS_LOGCATEGORY_QUERY_EERRORS	(&ns_g_categories[7])
+#define NS_LOGCATEGORY_QUERY_ERRORS	(&ns_g_categories[7])
 
 /*
  * Backwards compatibility.
--- a/external/bsd/bind/dist/bin/named/include/named/query.h	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/named/include/named/query.h	Thu May 26 16:49:55 2016 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: query.h,v 1.6 2014/12/10 04:37:52 christos Exp $	*/
+/*	$NetBSD: query.h,v 1.7 2016/05/26 16:49:56 christos Exp $	*/
 
 /*
- * Copyright (C) 2004, 2005, 2007, 2010, 2011, 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2010, 2011, 2013, 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -48,6 +48,7 @@
 	isc_boolean_t			timerset;
 	dns_name_t *			qname;
 	dns_name_t *			origqname;
+	dns_rdatatype_t			qtype;
 	unsigned int			dboptions;
 	unsigned int			fetchoptions;
 	dns_db_t *			gluedb;
--- a/external/bsd/bind/dist/bin/named/include/named/server.h	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/named/include/named/server.h	Thu May 26 16:49:55 2016 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: server.h,v 1.10 2015/12/17 04:00:41 christos Exp $	*/
+/*	$NetBSD: server.h,v 1.11 2016/05/26 16:49:56 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
@@ -17,8 +17,6 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* Id: server.h,v 1.118 2012/01/31 23:47:31 tbox Exp  */
-
 #ifndef NAMED_SERVER_H
 #define NAMED_SERVER_H 1
 
@@ -233,7 +231,8 @@
  */
 
 isc_result_t
-ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text);
+ns_server_reloadcommand(ns_server_t *server, isc_lex_t *lex,
+			isc_buffer_t *text);
 /*%<
  * Act on a "reload" command from the command channel.
  */
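Review bot: The `/*%<` comments on the changed prototypes do not say what state `lex` must be in on entry. `getcommand()` in control.c calls `isc_lex_ungettoken()` after reading the command name, so each handler appears to receive a lexer whose next token is still the command word. Stating that once, e.g. `* 'lex' is positioned at the command name; any arguments follow.`, would save each implementer from rediscovering it and from mis-parsing the verb as the first argument. The same applies to the other prototype hunks in this file (notify, refresh, retransfer, togglequerylog, and dumpdb through zonestatus).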
@@ -245,26 +244,28 @@
  */
 
 isc_result_t
-ns_server_notifycommand(ns_server_t *server, char *args, isc_buffer_t *text);
+ns_server_notifycommand(ns_server_t *server, isc_lex_t *lex,
+			isc_buffer_t *text);
 /*%<
  * Act on a "notify" command from the command channel.
  */
 
 isc_result_t
-ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text);
+ns_server_refreshcommand(ns_server_t *server, isc_lex_t *lex,
+			 isc_buffer_t *text);
 /*%<
  * Act on a "refresh" command from the command channel.
  */
 
 isc_result_t
-ns_server_retransfercommand(ns_server_t *server, char *args,
+ns_server_retransfercommand(ns_server_t *server, isc_lex_t *lex,
 			    isc_buffer_t *text);
 /*%<
  * Act on a "retransfer" command from the command channel.
  */
 
 isc_result_t
-ns_server_togglequerylog(ns_server_t *server, char *args);
+ns_server_togglequerylog(ns_server_t *server, isc_lex_t *lex);
 /*%<
  * Enable/disable logging of queries.  (Takes "yes" or "no" argument,
  * but can also be used as a toggle for backward comptibility.)
@@ -280,25 +281,25 @@
  * Dump the current cache to the dump file.
  */
 isc_result_t
-ns_server_dumpdb(ns_server_t *server, char *args);
+ns_server_dumpdb(ns_server_t *server, isc_lex_t *lex);
 
 /*%
  * Dump the current security roots to the secroots file.
  */
 isc_result_t
-ns_server_dumpsecroots(ns_server_t *server, char *args);
+ns_server_dumpsecroots(ns_server_t *server, isc_lex_t *lex);
 
 /*%
  * Change or increment the server debug level.
  */
 isc_result_t
-ns_server_setdebuglevel(ns_server_t *server, char *args);
+ns_server_setdebuglevel(ns_server_t *server, isc_lex_t *lex);
 
 /*%
  * Flush the server's cache(s)
  */
 isc_result_t
-ns_server_flushcache(ns_server_t *server, char *args);
+ns_server_flushcache(ns_server_t *server, isc_lex_t *lex);
 
 /*%
  * Flush a particular name from the server's cache.  If 'tree' is false,
@@ -306,7 +307,8 @@
  * flush all the names under the specified name.
  */
 isc_result_t
-ns_server_flushnode(ns_server_t *server, char *args, isc_boolean_t tree);
+ns_server_flushnode(ns_server_t *server, isc_lex_t *lex,
+		    isc_boolean_t tree);
 
 /*%
  * Report the server's status.
@@ -324,20 +326,21 @@
  * Delete a specific key (with optional view).
  */
 isc_result_t
-ns_server_tsigdelete(ns_server_t *server, char *command, isc_buffer_t *text);
+ns_server_tsigdelete(ns_server_t *server, isc_lex_t *lex,
+		     isc_buffer_t *text);
 
 /*%
  * Enable or disable updates for a zone.
  */
 isc_result_t
-ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args,
-		 isc_buffer_t *text);
+ns_server_freeze(ns_server_t *server, isc_boolean_t freeze,
+		 isc_lex_t *lex, isc_buffer_t *text);
 
 /*%
  * Dump zone updates to disk, optionally removing the journal file
  */
 isc_result_t
-ns_server_sync(ns_server_t *server, char *args, isc_buffer_t *text);
+ns_server_sync(ns_server_t *server, isc_lex_t *lex, isc_buffer_t *text);
 
 /*%
  * Update a zone's DNSKEY set from the key repository.  If
@@ -347,7 +350,7 @@
  * take place incrementally.
  */
 isc_result_t
-ns_server_rekey(ns_server_t *server, char *args, isc_buffer_t *text);
+ns_server_rekey(ns_server_t *server, isc_lex_t *lex, isc_buffer_t *text);
 
 /*%
  * Dump the current recursive queries.
@@ -365,7 +368,7 @@
  * Enable or disable dnssec validation.
  */
 isc_result_t
-ns_server_validation(ns_server_t *server, char *args, isc_buffer_t *text);
+ns_server_validation(ns_server_t *server, isc_lex_t *lex, isc_buffer_t *text);
 
 /*%
  * Add a zone to a running process
@@ -377,18 +380,18 @@
  * Deletes a zone from a running process
  */
 isc_result_t
-ns_server_del_zone(ns_server_t *server, char *args, isc_buffer_t *text);
+ns_server_del_zone(ns_server_t *server, isc_lex_t *lex, isc_buffer_t *text);
 
 /*%
  * Lists the status of the signing records for a given zone.
  */
 isc_result_t
-ns_server_signing(ns_server_t *server, char *args, isc_buffer_t *text);
+ns_server_signing(ns_server_t *server, isc_lex_t *lex, isc_buffer_t *text);
 
 /*%
  * Lists status information for a given zone (e.g., name, type, files,
  * load time, expiry, etc).
  */
 isc_result_t
-ns_server_zonestatus(ns_server_t *server, char *args, isc_buffer_t *text);
+ns_server_zonestatus(ns_server_t *server, isc_lex_t *lex, isc_buffer_t *text);
 #endif /* NAMED_SERVER_H */
--- a/external/bsd/bind/dist/bin/named/lwdgrbn.c	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/named/lwdgrbn.c	Thu May 26 16:49:55 2016 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: lwdgrbn.c,v 1.6 2014/12/10 04:37:51 christos Exp $	*/
+/*	$NetBSD: lwdgrbn.c,v 1.7 2016/05/26 16:49:56 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2007, 2009, 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2013-2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -186,7 +186,7 @@
 	if (oldlens != NULL)
 		isc_mem_put(mctx, oldlens, oldsize * sizeof(*oldlens));
 	if (newrdatas != NULL)
-		isc_mem_put(mctx, newrdatas, used * sizeof(*oldrdatas));
+		isc_mem_put(mctx, newrdatas, used * sizeof(*newrdatas));
 	return (result);
 }
 
--- a/external/bsd/bind/dist/bin/named/lwresd.8	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/named/lwresd.8	Thu May 26 16:49:55 2016 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: lwresd.8,v 1.5 2014/12/10 04:37:51 christos Exp $
+.\"	$NetBSD: lwresd.8,v 1.6 2016/05/26 16:49:56 christos Exp $
 .\"
-.\" Copyright (C) 2004, 2005, 2007-2009, 2014 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007-2009, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -15,70 +15,85 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" Id
-.\"
 .hy 0
 .ad l
+'\" t
 .\"     Title: lwresd
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: January 20, 2009
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2009-01-20
 .\"    Manual: BIND9
-.\"    Source: BIND9
+.\"    Source: ISC
+.\"  Language: English
 .\"
-.TH "LWRESD" "8" "January 20, 2009" "BIND9" "BIND9"
+.TH "LWRESD" "8" "2009\-01\-20" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
 .SH "NAME"
 lwresd \- lightweight resolver daemon
 .SH "SYNOPSIS"
-.HP 7
+.HP \w'\fBlwresd\fR\ 'u
 \fBlwresd\fR [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-C\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-i\ \fR\fB\fIpid\-file\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-P\ \fR\fB\fIport\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-4\fR] [\fB\-6\fR]
 .SH "DESCRIPTION"
 .PP
 \fBlwresd\fR
-is the daemon providing name lookup services to clients that use the BIND 9 lightweight resolver library. It is essentially a stripped\-down, caching\-only name server that answers queries using the BIND 9 lightweight resolver protocol rather than the DNS protocol.
+is the daemon providing name lookup services to clients that use the BIND 9 lightweight resolver library\&. It is essentially a stripped\-down, caching\-only name server that answers queries using the BIND 9 lightweight resolver protocol rather than the DNS protocol\&.
 .PP
 \fBlwresd\fR
-listens for resolver queries on a UDP port on the IPv4 loopback interface, 127.0.0.1. This means that
+listens for resolver queries on a UDP port on the IPv4 loopback interface, 127\&.0\&.0\&.1\&. This means that
 \fBlwresd\fR
-can only be used by processes running on the local machine. By default, UDP port number 921 is used for lightweight resolver requests and responses.
+can only be used by processes running on the local machine\&. By default, UDP port number 921 is used for lightweight resolver requests and responses\&.
 .PP
-Incoming lightweight resolver requests are decoded by the server which then resolves them using the DNS protocol. When the DNS lookup completes,
+Incoming lightweight resolver requests are decoded by the server which then resolves them using the DNS protocol\&. When the DNS lookup completes,
 \fBlwresd\fR
-encodes the answers in the lightweight resolver format and returns them to the client that made the request.
+encodes the answers in the lightweight resolver format and returns them to the client that made the request\&.
 .PP
 If
-\fI/etc/resolv.conf\fR
+/etc/resolv\&.conf
 contains any
 \fBnameserver\fR
 entries,
 \fBlwresd\fR
-sends recursive DNS queries to those servers. This is similar to the use of forwarders in a caching name server. If no
+sends recursive DNS queries to those servers\&. This is similar to the use of forwarders in a caching name server\&. If no
 \fBnameserver\fR
 entries are present, or if forwarding fails,
 \fBlwresd\fR
-resolves the queries autonomously starting at the root name servers, using a built\-in list of root server hints.
+resolves the queries autonomously starting at the root name servers, using a built\-in list of root server hints\&.
 .SH "OPTIONS"
 .PP
 \-4
 .RS 4
-Use IPv4 only even if the host machine is capable of IPv6.
+Use IPv4 only even if the host machine is capable of IPv6\&.
 \fB\-4\fR
 and
 \fB\-6\fR
-are mutually exclusive.
+are mutually exclusive\&.
 .RE
 .PP
 \-6
 .RS 4
-Use IPv6 only even if the host machine is capable of IPv4.
+Use IPv6 only even if the host machine is capable of IPv4\&.
 \fB\-4\fR
 and
 \fB\-6\fR
-are mutually exclusive.
+are mutually exclusive\&.
 .RE
 .PP
 \-c \fIconfig\-file\fR
@@ -86,10 +101,10 @@
 Use
 \fIconfig\-file\fR
 as the configuration file instead of the default,
-\fI/etc/lwresd.conf\fR.
+/etc/lwresd\&.conf\&.
 \fB\-c\fR
 can not be used with
-\fB\-C\fR.
+\fB\-C\fR\&.
 .RE
 .PP
 \-C \fIconfig\-file\fR
@@ -97,29 +112,29 @@
 Use
 \fIconfig\-file\fR
 as the configuration file instead of the default,
-\fI/etc/resolv.conf\fR.
+/etc/resolv\&.conf\&.
 \fB\-C\fR
 can not be used with
-\fB\-c\fR.
+\fB\-c\fR\&.
 .RE
 .PP
 \-d \fIdebug\-level\fR
 .RS 4
-Set the daemon's debug level to
-\fIdebug\-level\fR. Debugging traces from
+Set the daemon\*(Aqs debug level to
+\fIdebug\-level\fR\&. Debugging traces from
 \fBlwresd\fR
-become more verbose as the debug level increases.
+become more verbose as the debug level increases\&.
 .RE
 .PP
 \-f
 .RS 4
-Run the server in the foreground (i.e. do not daemonize).
+Run the server in the foreground (i\&.e\&. do not daemonize)\&.
 .RE
 .PP
 \-g
 .RS 4
 Run the server in the foreground and force all logging to
-\fIstderr\fR.
+stderr\&.
 .RE
 .PP
 \-i \fIpid\-file\fR
@@ -127,49 +142,60 @@
 Use
 \fIpid\-file\fR
 as the PID file instead of the default,
-\fI/var/run/lwresd/lwresd.pid\fR.
+/var/run/lwresd/lwresd\&.pid\&.
 .RE
 .PP
 \-m \fIflag\fR
 .RS 4
-Turn on memory usage debugging flags. Possible flags are
+Turn on memory usage debugging flags\&. Possible flags are
 \fIusage\fR,
 \fItrace\fR,
 \fIrecord\fR,
 \fIsize\fR, and
-\fImctx\fR. These correspond to the ISC_MEM_DEBUGXXXX flags described in
-\fI<isc/mem.h>\fR.
+\fImctx\fR\&. These correspond to the ISC_MEM_DEBUGXXXX flags described in
+<isc/mem\&.h>\&.
 .RE
 .PP
 \-n \fI#cpus\fR
 .RS 4
 Create
 \fI#cpus\fR
-worker threads to take advantage of multiple CPUs. If not specified,
+worker threads to take advantage of multiple CPUs\&. If not specified,
 \fBlwresd\fR
-will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created.
+will try to determine the number of CPUs present and create one thread per CPU\&. If it is unable to determine the number of CPUs, a single worker thread will be created\&.
 .RE
 .PP
 \-P \fIport\fR
 .RS 4
 Listen for lightweight resolver queries on port
-\fIport\fR. If not specified, the default is port 921.
+\fIport\fR\&. If not specified, the default is port 921\&.
 .RE
 .PP
 \-p \fIport\fR
 .RS 4
 Send DNS lookups to port
-\fIport\fR. If not specified, the default is port 53. This provides a way of testing the lightweight resolver daemon with a name server that listens for queries on a non\-standard port number.
+\fIport\fR\&. If not specified, the default is port 53\&. This provides a way of testing the lightweight resolver daemon with a name server that listens for queries on a non\-standard port number\&.
 .RE
 .PP
 \-s
 .RS 4
 Write memory usage statistics to
-\fIstdout\fR
-on exit.
-.RS
-.B "Note:"
-This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release.
+stdout
+on exit\&.
+.if n \{\
+.sp
+.\}
+.RS 4
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.ps +1
+\fBNote\fR
+.ps -1
+.br
+This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release\&.
+.sp .5v
 .RE
 .RE
 .PP
@@ -177,14 +203,25 @@
 .RS 4
 Chroot to
 \fIdirectory\fR
-after processing the command line arguments, but before reading the configuration file.
-.RS
-.B "Warning:"
+after processing the command line arguments, but before reading the configuration file\&.
+.if n \{\
+.sp
+.\}
+.RS 4
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.ps +1
+\fBWarning\fR
+.ps -1
+.br
 This option should be used in conjunction with the
 \fB\-u\fR
-option, as chrooting a process running as root doesn't enhance security on most systems; the way
+option, as chrooting a process running as root doesn\*(Aqt enhance security on most systems; the way
 \fBchroot(2)\fR
-is defined allows a process with root privileges to escape a chroot jail.
+is defined allows a process with root privileges to escape a chroot jail\&.
+.sp .5v
 .RE
 .RE
 .PP
@@ -192,34 +229,35 @@
 .RS 4
 Setuid to
 \fIuser\fR
-after completing privileged operations, such as creating sockets that listen on privileged ports.
+after completing privileged operations, such as creating sockets that listen on privileged ports\&.
 .RE
 .PP
 \-v
 .RS 4
-Report the version number and exit.
+Report the version number and exit\&.
 .RE
 .SH "FILES"
 .PP
-\fI/etc/resolv.conf\fR
+/etc/resolv\&.conf
 .RS 4
-The default configuration file.
+The default configuration file\&.
 .RE
 .PP
-\fI/var/run/lwresd.pid\fR
+/var/run/lwresd\&.pid
 .RS 4
-The default process\-id file.
+The default process\-id file\&.
 .RE
 .SH "SEE ALSO"
 .PP
 \fBnamed\fR(8),
 \fBlwres\fR(3),
-\fBresolver\fR(5).
+\fBresolver\fR(5)\&.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
+\fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007\-2009, 2014 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2004, 2005, 2007-2009, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000, 2001 Internet Software Consortium.
 .br
--- a/external/bsd/bind/dist/bin/named/main.c	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/named/main.c	Thu May 26 16:49:55 2016 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: main.c,v 1.19 2015/12/17 04:00:41 christos Exp $	*/
+/*	$NetBSD: main.c,v 1.20 2016/05/26 16:49:56 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -309,11 +309,13 @@
 lwresd_usage(void) {
 	fprintf(stderr,
 		"usage: lwresd [-4|-6] [-c conffile | -C resolvconffile] "
-		"[-d debuglevel]\n"
-		"              [-f|-g] [-n number_of_cpus] [-p port] "
-		"[-P listen-port] [-s]\n"
-		"              [-t chrootdir] [-u username] [-i pidfile]\n"
-		"              [-m {usage|trace|record|size|mctx}]\n");
+		"[-d debuglevel] [-f|-g]\n"
+		"              [-i pidfile] [-n number_of_cpus] "
+		"[-p port] [-P listen-port]\n"
+		"              [-s] [-S sockets] [-t chrootdir] [-u username] "
+		"[-U listeners]\n"
+		"              [-m {usage|trace|record|size|mctx}]\n"
+		"usage: lwresd [-v|-V]\n");
 }
 
 static void
@@ -326,8 +328,10 @@
 		"usage: named [-4|-6] [-c conffile] [-d debuglevel] "
 		"[-E engine] [-f|-g]\n"
 		"             [-n number_of_cpus] [-p port] [-s] "
-		"[-t chrootdir] [-u username]\n"
-		"             [-m {usage|trace|record|size|mctx}]\n");
+		"[-S sockets] [-t chrootdir]\n"
+		"             [-u username] [-U listeners] "
+		"[-m {usage|trace|record|size|mctx}]\n"
+		"usage: named [-v|-V]\n");
 }
 
 static void
@@ -636,6 +640,7 @@
 			printf("%s %s%s%s <id:%s>\n", ns_g_product, ns_g_version,
 			       (*ns_g_description != '\0') ? " " : "",
 			       ns_g_description, ns_g_srcid);
+			printf("running on %s\n", ns_os_uname());
 			printf("built by %s with %s\n",
 			       ns_g_builder, ns_g_configargs);
 #ifdef __clang__
@@ -667,7 +672,7 @@
 			printf("linked to libxml2 version: %s\n",
 			       xmlParserVersion);
 #endif
-#ifdef HAVE_JSON
+#if defined(HAVE_JSON) && defined(JSON_C_VERSION)
 			printf("compiled with libjson-c version: %s\n",
 			       JSON_C_VERSION);
 			printf("linked to libjson-c version: %s\n",
@@ -710,6 +715,8 @@
 	isc_result_t result;
 	unsigned int socks;
 
+	INSIST(ns_g_cpus_detected > 0);
+
 #ifdef ISC_PLATFORM_USETHREADS
 	if (ns_g_cpus == 0)
 		ns_g_cpus = ns_g_cpus_detected;
@@ -726,10 +733,8 @@
 	if (ns_g_udpdisp == 0) {
 		if (ns_g_cpus_detected == 1)
 			ns_g_udpdisp = 1;
-		else if (ns_g_cpus_detected < 4)
-			ns_g_udpdisp = 2;
 		else
-			ns_g_udpdisp = ns_g_cpus_detected / 2;
+			ns_g_udpdisp = ns_g_cpus_detected - 1;
 	}
 	if (ns_g_udpdisp > ns_g_cpus)
 		ns_g_udpdisp = ns_g_cpus;
@@ -996,6 +1001,9 @@
 		      ns_g_srcid, saved_command_line);
 
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+		      ISC_LOG_NOTICE, "running on %s", ns_os_uname());
+
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
 		      ISC_LOG_NOTICE, "built with %s", ns_g_configargs);
 
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
--- a/external/bsd/bind/dist/bin/named/named.8	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/named/named.8	Thu May 26 16:49:55 2016 +0000
@@ -1,4 +1,4 @@
-.\"	$NetBSD: named.8,v 1.8 2015/12/17 04:00:41 christos Exp $
+.\"	$NetBSD: named.8,v 1.9 2016/05/26 16:49:56 christos Exp $
 .\"
 .\" Copyright (C) 2004-2009, 2011, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
@@ -15,54 +15,69 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" Id
-.\"
 .hy 0
 .ad l
+'\" t
 .\"     Title: named
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: February 19, 2014
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2014-02-19
 .\"    Manual: BIND9
-.\"    Source: BIND9
+.\"    Source: ISC
+.\"  Language: English
 .\"
-.TH "NAMED" "8" "February 19, 2014" "BIND9" "BIND9"
+.TH "NAMED" "8" "2014\-02\-19" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
 .SH "NAME"
 named \- Internet domain name server
 .SH "SYNOPSIS"
-.HP 6
+.HP \w'\fBnamed\fR\ 'u
 \fBnamed\fR [\fB\-4\fR] [\fB\-6\fR] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-D\ \fR\fB\fIstring\fR\fR] [\fB\-E\ \fR\fB\fIengine\-name\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-M\ \fR\fB\fIoption\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-S\ \fR\fB\fI#max\-socks\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-U\ \fR\fB\fI#listeners\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-V\fR] [\fB\-x\ \fR\fB\fIcache\-file\fR\fR]
 .SH "DESCRIPTION"
 .PP
 \fBnamed\fR
-is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more information on the DNS, see RFCs 1033, 1034, and 1035.
+is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC\&. For more information on the DNS, see RFCs 1033, 1034, and 1035\&.
 .PP
 When invoked without arguments,
 \fBnamed\fR
 will read the default configuration file
-\fI/etc/named.conf\fR, read any initial data, and listen for queries.
+/etc/named\&.conf, read any initial data, and listen for queries\&.
 .SH "OPTIONS"
 .PP
 \-4
 .RS 4
-Use IPv4 only even if the host machine is capable of IPv6.
+Use IPv4 only even if the host machine is capable of IPv6\&.
 \fB\-4\fR
 and
 \fB\-6\fR
-are mutually exclusive.
+are mutually exclusive\&.
 .RE
 .PP
 \-6
 .RS 4
-Use IPv6 only even if the host machine is capable of IPv4.
+Use IPv6 only even if the host machine is capable of IPv4\&.
 \fB\-4\fR
 and
 \fB\-6\fR
-are mutually exclusive.
+are mutually exclusive\&.
 .RE
 .PP
 \-c \fIconfig\-file\fR
@@ -70,88 +85,99 @@
 Use
 \fIconfig\-file\fR
 as the configuration file instead of the default,
-\fI/etc/named.conf\fR. To ensure that reloading the configuration file continues to work after the server has changed its working directory due to to a possible
+/etc/named\&.conf\&. To ensure that reloading the configuration file continues to work after the server has changed its working directory due to to a possible
 \fBdirectory\fR
 option in the configuration file,
 \fIconfig\-file\fR
-should be an absolute pathname.
+should be an absolute pathname\&.
 .RE
 .PP
 \-d \fIdebug\-level\fR
 .RS 4
-Set the daemon's debug level to
-\fIdebug\-level\fR. Debugging traces from
+Set the daemon\*(Aqs debug level to
+\fIdebug\-level\fR\&. Debugging traces from
 \fBnamed\fR
-become more verbose as the debug level increases.
+become more verbose as the debug level increases\&.
 .RE
 .PP
 \-D \fIstring\fR
 .RS 4
 Specifies a string that is used to identify a instance of
 \fBnamed\fR
-in a process listing. The contents of
+in a process listing\&. The contents of
 \fIstring\fR
-are not examined.
+are not examined\&.
 .RE
 .PP
 \-E \fIengine\-name\fR
 .RS 4
-When applicable, specifies the hardware to use for cryptographic operations, such as a secure key store used for signing.
+When applicable, specifies the hardware to use for cryptographic operations, such as a secure key store used for signing\&.
 .sp
-When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11".
+When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module\&. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11"\&.
 .RE
 .PP
 \-f
 .RS 4
-Run the server in the foreground (i.e. do not daemonize).
+Run the server in the foreground (i\&.e\&. do not daemonize)\&.
 .RE
 .PP
 \-g
 .RS 4
 Run the server in the foreground and force all logging to
-\fIstderr\fR.
+stderr\&.
 .RE
 .PP
 \-M \fIoption\fR
 .RS 4
-Sets the default memory context options. Currently the only supported option is
-\fIexternal\fR, which causes the internal memory manager to be bypassed in favor of system\-provided memory allocation functions.
+Sets the default memory context options\&. Currently the only supported option is
+\fIexternal\fR, which causes the internal memory manager to be bypassed in favor of system\-provided memory allocation functions\&.
 .RE
 .PP
 \-m \fIflag\fR
 .RS 4
-Turn on memory usage debugging flags. Possible flags are
+Turn on memory usage debugging flags\&. Possible flags are
 \fIusage\fR,
 \fItrace\fR,
 \fIrecord\fR,
 \fIsize\fR, and
-\fImctx\fR. These correspond to the ISC_MEM_DEBUGXXXX flags described in
-\fI<isc/mem.h>\fR.
+\fImctx\fR\&. These correspond to the ISC_MEM_DEBUGXXXX flags described in
+<isc/mem\&.h>\&.
 .RE
 .PP
 \-n \fI#cpus\fR
 .RS 4
 Create
 \fI#cpus\fR
-worker threads to take advantage of multiple CPUs. If not specified,
+worker threads to take advantage of multiple CPUs\&. If not specified,
 \fBnamed\fR
-will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created.
+will try to determine the number of CPUs present and create one thread per CPU\&. If it is unable to determine the number of CPUs, a single worker thread will be created\&.
 .RE
 .PP
 \-p \fIport\fR
 .RS 4
 Listen for queries on port
-\fIport\fR. If not specified, the default is port 53.
+\fIport\fR\&. If not specified, the default is port 53\&.
 .RE
 .PP
 \-s
 .RS 4
 Write memory usage statistics to
-\fIstdout\fR
-on exit.
-.RS
-.B "Note:"
-This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release.
+stdout
+on exit\&.
+.if n \{\
+.sp
+.\}
+.RS 4
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.ps +1
+\fBNote\fR
+.ps -1
+.br
+This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release\&.
+.sp .5v
 .RE
 .RE
 .PP
@@ -161,12 +187,23 @@
 \fBnamed\fR
 to use up to
 \fI#max\-socks\fR
-sockets. The default value is 4096 on systems built with default configuration options, and 21000 on systems built with "configure \-\-with\-tuning=large".
-.RS
-.B "Warning:"
-This option should be unnecessary for the vast majority of users. The use of this option could even be harmful because the specified value may exceed the limitation of the underlying system API. It is therefore set only when the default configuration causes exhaustion of file descriptors and the operational environment is known to support the specified number of sockets. Note also that the actual maximum number is normally a little fewer than the specified value because
+sockets\&. The default value is 4096 on systems built with default configuration options, and 21000 on systems built with "configure \-\-with\-tuning=large"\&.
+.if n \{\
+.sp
+.\}
+.RS 4
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.ps +1
+\fBWarning\fR
+.ps -1
+.br
+This option should be unnecessary for the vast majority of users\&. The use of this option could even be harmful because the specified value may exceed the limitation of the underlying system API\&. It is therefore set only when the default configuration causes exhaustion of file descriptors and the operational environment is known to support the specified number of sockets\&. Note also that the actual maximum number is normally a little fewer than the specified value because
 \fBnamed\fR
-reserves some file descriptors for its internal use.
+reserves some file descriptors for its internal use\&.
+.sp .5v
 .RE
 .RE
 .PP
@@ -174,14 +211,25 @@
 .RS 4
 Chroot to
 \fIdirectory\fR
-after processing the command line arguments, but before reading the configuration file.
-.RS
-.B "Warning:"
+after processing the command line arguments, but before reading the configuration file\&.
+.if n \{\
+.sp
+.\}
+.RS 4
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.ps +1
+\fBWarning\fR
+.ps -1
+.br
 This option should be used in conjunction with the
 \fB\-u\fR
-option, as chrooting a process running as root doesn't enhance security on most systems; the way
+option, as chrooting a process running as root doesn\*(Aqt enhance security on most systems; the way
 \fBchroot(2)\fR
-is defined allows a process with root privileges to escape a chroot jail.
+is defined allows a process with root privileges to escape a chroot jail\&.
+.sp .5v
 .RE
 .RE
 .PP
@@ -189,115 +237,138 @@
 .RS 4
 Use
 \fI#listeners\fR
-worker threads to listen for incoming UDP packets on each address. If not specified,
+worker threads to listen for incoming UDP packets on each address\&. If not specified,
 \fBnamed\fR
-will calculate a default value based on the number of detected CPUs: 1 for 1 CPU, 2 for 2\-4 CPUs, and the number of detected CPUs divided by 2 for values higher than 4. If
+will calculate a default value based on the number of detected CPUs: 1 for 1 CPU, and the number of detected CPUs minus one for machines with more than 1 CPU\&. This cannot be increased to a value higher than the number of CPUs\&. If
 \fB\-n\fR
 has been set to a higher value than the number of detected CPUs, then
 \fB\-U\fR
-may be increased as high as that value, but no higher.
+may be increased as high as that value, but no higher\&. On Windows, the number of UDP listeners is hardwired to 1 and this option has no effect\&.
 .RE
 .PP
 \-u \fIuser\fR
 .RS 4
 Setuid to
 \fIuser\fR
-after completing privileged operations, such as creating sockets that listen on privileged ports.
-.RS
-.B "Note:"
+after completing privileged operations, such as creating sockets that listen on privileged ports\&.
+.if n \{\
+.sp
+.\}
+.RS 4
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.ps +1
+\fBNote\fR
+.ps -1
+.br
 On Linux,
 \fBnamed\fR
-uses the kernel's capability mechanism to drop all root privileges except the ability to
+uses the kernel\*(Aqs capability mechanism to drop all root privileges except the ability to
 \fBbind(2)\fR
-to a privileged port and set process resource limits. Unfortunately, this means that the
+to a privileged port and set process resource limits\&. Unfortunately, this means that the
 \fB\-u\fR
 option only works when
 \fBnamed\fR
-is run on kernel 2.2.18 or later, or kernel 2.3.99\-pre3 or later, since previous kernels did not allow privileges to be retained after
-\fBsetuid(2)\fR.
+is run on kernel 2\&.2\&.18 or later, or kernel 2\&.3\&.99\-pre3 or later, since previous kernels did not allow privileges to be retained after
+\fBsetuid(2)\fR\&.
+.sp .5v
 .RE
 .RE
 .PP
 \-v
 .RS 4
-Report the version number and exit.
+Report the version number and exit\&.
 .RE
 .PP
 \-V
 .RS 4
-Report the version number and build options, and exit.
+Report the version number and build options, and exit\&.
 .RE
 .PP
 \-x \fIcache\-file\fR
 .RS 4
 Load data from
 \fIcache\-file\fR
-into the cache of the default view.
-.RS
-.B "Warning:"
-This option must not be used. It is only of interest to BIND 9 developers and may be removed or changed in a future release.
+into the cache of the default view\&.
+.if n \{\
+.sp
+.\}
+.RS 4
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.ps +1
+\fBWarning\fR
+.ps -1
+.br
+This option must not be used\&. It is only of interest to BIND 9 developers and may be removed or changed in a future release\&.
+.sp .5v
 .RE
 .RE
 .SH "SIGNALS"
 .PP
 In routine operation, signals should not be used to control the nameserver;
 \fBrndc\fR
-should be used instead.
+should be used instead\&.
 .PP
 SIGHUP
 .RS 4
-Force a reload of the server.
+Force a reload of the server\&.
 .RE
 .PP
 SIGINT, SIGTERM
 .RS 4
-Shut down the server.
+Shut down the server\&.
 .RE
 .PP
-The result of sending any other signals to the server is undefined.
+The result of sending any other signals to the server is undefined\&.
 .SH "CONFIGURATION"
 .PP
 The
 \fBnamed\fR
-configuration file is too complex to describe in detail here. A complete description is provided in the
-BIND 9 Administrator Reference Manual.
+configuration file is too complex to describe in detail here\&. A complete description is provided in the
+BIND 9 Administrator Reference Manual\&.
 .PP
 \fBnamed\fR
 inherits the
 \fBumask\fR
-(file creation mode mask) from the parent process. If files created by
+(file creation mode mask) from the parent process\&. If files created by
 \fBnamed\fR, such as journal files, need to have custom permissions, the
 \fBumask\fR
 should be set explicitly in the script used to start the
 \fBnamed\fR
-process.
+process\&.
 .SH "FILES"
 .PP
-\fI/etc/named.conf\fR
+/etc/named\&.conf
 .RS 4
-The default configuration file.
+The default configuration file\&.
 .RE
 .PP
-\fI/var/run/named/named.pid\fR
+/var/run/named/named\&.pid
 .RS 4
-The default process\-id file.
+The default process\-id file\&.
 .RE
 .SH "SEE ALSO"
 .PP
 RFC 1033,
 RFC 1034,
 RFC 1035,
-\fBnamed\-checkconf\fR(8),
-\fBnamed\-checkzone\fR(8),
+\fBnamed-checkconf\fR(8),
+\fBnamed-checkzone\fR(8),
 \fBrndc\fR(8),
 \fBlwresd\fR(8),
 \fBnamed.conf\fR(5),
-BIND 9 Administrator Reference Manual.
+BIND 9 Administrator Reference Manual\&.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
+\fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2009, 2011, 2013\-2015 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2004-2009, 2011, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
 .br
--- a/external/bsd/bind/dist/bin/named/named.conf.5	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/named/named.conf.5	Thu May 26 16:49:55 2016 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: named.conf.5,v 1.13 2014/12/10 04:37:51 christos Exp $
+.\"	$NetBSD: named.conf.5,v 1.14 2016/05/26 16:49:56 christos Exp $
 .\"
-.\" Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,32 +14,47 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" Id
-.\"
 .hy 0
 .ad l
-.\"     Title: \fInamed.conf\fR
+'\" t
+.\"     Title: named.conf
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: January 08, 2014
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2014-01-08
 .\"    Manual: BIND9
-.\"    Source: BIND9
+.\"    Source: ISC
+.\"  Language: English
 .\"
-.TH "\fINAMED.CONF\fR" "5" "January 08, 2014" "BIND9" "BIND9"
+.TH "NAMED\&.CONF" "5" "2014\-01\-08" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
 .SH "NAME"
 named.conf \- configuration file for named
 .SH "SYNOPSIS"
-.HP 11
-\fBnamed.conf\fR
+.HP \w'\fBnamed\&.conf\fR\ 'u
+\fBnamed\&.conf\fR
 .SH "DESCRIPTION"
 .PP
-\fInamed.conf\fR
+named\&.conf
 is the configuration file for
-\fBnamed\fR. Statements are enclosed in braces and terminated with a semi\-colon. Clauses in the statements are also semi\-colon terminated. The usual comment styles are supported:
+\fBnamed\fR\&. Statements are enclosed in braces and terminated with a semi\-colon\&. Clauses in the statements are also semi\-colon terminated\&. The usual comment styles are supported:
 .PP
 C style: /* */
 .PP
@@ -48,34 +63,48 @@
 Unix style: # to end of line
 .SH "ACL"
 .sp
+.if n \{\
 .RS 4
+.\}
 .nf
-acl \fIstring\fR { \fIaddress_match_element\fR; ... };
+acl \fIstring\fR { \fIaddress_match_element\fR; \&.\&.\&. };
 .fi
+.if n \{\
 .RE
+.\}
 .SH "KEY"
 .sp
+.if n \{\
 .RS 4
+.\}
 .nf
 key \fIdomain_name\fR {
 	algorithm \fIstring\fR;
 	secret \fIstring\fR;
 };
 .fi
+.if n \{\
 .RE
+.\}
 .SH "MASTERS"
 .sp
+.if n \{\
 .RS 4
+.\}
 .nf
 masters \fIstring\fR [ port \fIinteger\fR ] {
 	( \fImasters\fR | \fIipv4_address\fR [port \fIinteger\fR] |
-	\fIipv6_address\fR [port \fIinteger\fR] ) [ key \fIstring\fR ]; ...
+	\fIipv6_address\fR [port \fIinteger\fR] ) [ key \fIstring\fR ]; \&.\&.\&.
 };
 .fi
+.if n \{\
 .RE
+.\}
 .SH "SERVER"
 .sp
+.if n \{\
 .RS 4
+.\}
 .nf
 server ( \fIipv4_address\fR\fI[/prefixlen]\fR | \fIipv6_address\fR\fI[/prefixlen]\fR ) {
 	bogus \fIboolean\fR;
@@ -94,41 +123,57 @@
 	support\-ixfr \fIboolean\fR; // obsolete
 };
 .fi
+.if n \{\
 .RE
-.SH "TRUSTED\-KEYS"
+.\}
+.SH "TRUSTED-KEYS"
 .sp
+.if n \{\
 .RS 4
+.\}
 .nf
 trusted\-keys {
-	\fIdomain_name\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; ... 
+	\fIdomain_name\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; \&.\&.\&.
 };
 .fi
+.if n \{\
 .RE
-.SH "MANAGED\-KEYS"
+.\}
+.SH "MANAGED-KEYS"
 .sp
+.if n \{\
 .RS 4
+.\}
 .nf
 managed\-keys {
-	\fIdomain_name\fR \fBinitial\-key\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; ... 
+	\fIdomain_name\fR \fBinitial\-key\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; \&.\&.\&.
 };
 .fi
+.if n \{\
 .RE
+.\}
 .SH "CONTROLS"
 .sp
+.if n \{\
 .RS 4
+.\}
 .nf
 controls {
 	inet ( \fIipv4_address\fR | \fIipv6_address\fR | * )
 		[ port ( \fIinteger\fR | * ) ]
-		allow { \fIaddress_match_element\fR; ... }
-		[ keys { \fIstring\fR; ... } ];
+		allow { \fIaddress_match_element\fR; \&.\&.\&. }
+		[ keys { \fIstring\fR; \&.\&.\&. } ];
 	unix \fIunsupported\fR; // not implemented
 };
 .fi
+.if n \{\
 .RE
+.\}
 .SH "LOGGING"
 .sp
+.if n \{\
 .RS 4
+.\}
 .nf
 logging {
 	channel \fIstring\fR {
@@ -141,32 +186,40 @@
 		print\-severity \fIboolean\fR;
 		print\-category \fIboolean\fR;
 	};
-	category \fIstring\fR { \fIstring\fR; ... };
+	category \fIstring\fR { \fIstring\fR; \&.\&.\&. };
 };
 .fi
+.if n \{\
 .RE
+.\}
 .SH "LWRES"
 .sp
+.if n \{\
 .RS 4
+.\}
 .nf
 lwres {
 	listen\-on [ port \fIinteger\fR ] {
-		( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ...
+		( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; \&.\&.\&.
 	};
 	view \fIstring\fR \fIoptional_class\fR;
-	search { \fIstring\fR; ... };
+	search { \fIstring\fR; \&.\&.\&. };
 	ndots \fIinteger\fR;
 };
 .fi
+.if n \{\
 .RE
+.\}
 .SH "OPTIONS"
 .sp
+.if n \{\
 .RS 4
+.\}
 .nf
 options {
-	avoid\-v4\-udp\-ports { \fIport\fR; ... };
-	avoid\-v6\-udp\-ports { \fIport\fR; ... };
-	blackhole { \fIaddress_match_element\fR; ... };
+	avoid\-v4\-udp\-ports { \fIport\fR; \&.\&.\&. };
+	avoid\-v6\-udp\-ports { \fIport\fR; \&.\&.\&. };
+	blackhole { \fIaddress_match_element\fR; \&.\&.\&. };
 	coresize \fIsize\fR;
 	datasize \fIsize\fR;
 	directory \fIquoted_string\fR;
@@ -177,8 +230,8 @@
 	host\-statistics\-max \fInumber\fR; // not implemented
 	hostname ( \fIquoted_string\fR | none );
 	interface\-interval \fIinteger\fR;
-	listen\-on [ port \fIinteger\fR ] { \fIaddress_match_element\fR; ... };
-	listen\-on\-v6 [ port \fIinteger\fR ] { \fIaddress_match_element\fR; ... };
+	listen\-on [ port \fIinteger\fR ] { \fIaddress_match_element\fR; \&.\&.\&. };
+	listen\-on\-v6 [ port \fIinteger\fR ] { \fIaddress_match_element\fR; \&.\&.\&. };
 	match\-mapped\-addresses \fIboolean\fR;
 	memstatistics\-file \fIquoted_string\fR;
 	pid\-file ( \fIquoted_string\fR | none );
@@ -202,18 +255,17 @@
 	transfers\-per\-ns \fIinteger\fR;
 	transfers\-in \fIinteger\fR;
 	transfers\-out \fIinteger\fR;
-	use\-ixfr \fIboolean\fR;
 	version ( \fIquoted_string\fR | none );
-	allow\-recursion { \fIaddress_match_element\fR; ... };
-	allow\-recursion\-on { \fIaddress_match_element\fR; ... };
-	sortlist { \fIaddress_match_element\fR; ... };
-	topology { \fIaddress_match_element\fR; ... }; // not implemented
+	allow\-recursion { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-recursion\-on { \fIaddress_match_element\fR; \&.\&.\&. };
+	sortlist { \fIaddress_match_element\fR; \&.\&.\&. };
+	topology { \fIaddress_match_element\fR; \&.\&.\&. }; // not implemented
 	auth\-nxdomain \fIboolean\fR; // default changed
 	minimal\-responses \fIboolean\fR;
 	recursion \fIboolean\fR;
 	rrset\-order {
 		[ class \fIstring\fR ] [ type \fIstring\fR ]
-		[ name \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; ...
+		[ name \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; \&.\&.\&.
 	};
 	provide\-ixfr \fIboolean\fR;
 	request\-ixfr \fIboolean\fR;
@@ -248,13 +300,13 @@
 	dual\-stack\-servers [ port \fIinteger\fR ] {
 		( \fIquoted_string\fR [port \fIinteger\fR] |
 		\fIipv4_address\fR [port \fIinteger\fR] |
-		\fIipv6_address\fR [port \fIinteger\fR] ); ...
+		\fIipv6_address\fR [port \fIinteger\fR] ); \&.\&.\&.
 	};
 	edns\-udp\-size \fIinteger\fR;
 	max\-udp\-size \fIinteger\fR;
-	root\-delegation\-only [ exclude { \fIquoted_string\fR; ... } ];
-	disable\-algorithms \fIstring\fR { \fIstring\fR; ... };
-	disable\-ds\-digests \fIstring\fR { \fIstring\fR; ... };
+	root\-delegation\-only [ exclude { \fIquoted_string\fR; \&.\&.\&. } ];
+	disable\-algorithms \fIstring\fR { \fIstring\fR; \&.\&.\&. };
+	disable\-ds\-digests \fIstring\fR { \fIstring\fR; \&.\&.\&. };
 	dnssec\-enable \fIboolean\fR;
 	dnssec\-validation \fIboolean\fR;
 	dnssec\-lookaside ( \fIauto\fR | \fIno\fR | \fIdomain\fR trust\-anchor \fIdomain\fR );
@@ -276,13 +328,13 @@
 	disable\-empty\-zone \fIstring\fR;
 	dialup \fIdialuptype\fR;
 	ixfr\-from\-differences \fIixfrdiff\fR;
-	allow\-query { \fIaddress_match_element\fR; ... };
-	allow\-query\-on { \fIaddress_match_element\fR; ... };
-	allow\-query\-cache { \fIaddress_match_element\fR; ... };
-	allow\-query\-cache\-on { \fIaddress_match_element\fR; ... };
-	allow\-transfer { \fIaddress_match_element\fR; ... };
-	allow\-update { \fIaddress_match_element\fR; ... };
-	allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
+	allow\-query { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-query\-on { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-query\-cache { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-query\-cache\-on { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-transfer { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-update { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-update\-forwarding { \fIaddress_match_element\fR; \&.\&.\&. };
 	update\-check\-ksk \fIboolean\fR;
 	dnssec\-dnskey\-kskonly \fIboolean\fR;
 	masterfile\-format ( text | raw | map );
@@ -292,12 +344,12 @@
 	notify\-delay \fIseconds\fR;
 	notify\-to\-soa \fIboolean\fR;
 	also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
-		[ port \fIinteger\fR ]; ...
-		[ key \fIkeyname\fR ] ... };
-	allow\-notify { \fIaddress_match_element\fR; ... };
+		[ port \fIinteger\fR ]; \&.\&.\&.
+		[ key \fIkeyname\fR ] \&.\&.\&. };
+	allow\-notify { \fIaddress_match_element\fR; \&.\&.\&. };
 	forward ( first | only );
 	forwarders [ port \fIinteger\fR ] {
-		( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ...
+		( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; \&.\&.\&.
 	};
 	max\-journal\-size \fIsize_no_default\fR;
 	max\-transfer\-time\-in \fIinteger\fR;
@@ -331,6 +383,7 @@
 	zero\-no\-soa\-ttl \fIboolean\fR;
 	zero\-no\-soa\-ttl\-cache \fIboolean\fR;
 	dnssec\-secure\-to\-insecure \fIboolean\fR;
+	automatic\-interface\-scan \fIboolean\fR;
 	deny\-answer\-addresses {
 		\fIaddress_match_list\fR
 	} [ except\-from { \fInamelist\fR } ];
@@ -338,7 +391,7 @@
 		\fInamelist\fR
 	} [ except\-from { \fInamelist\fR } ];
 	nsec3\-test\-zone \fIboolean\fR;  // testing only
-	allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete
+	allow\-v6\-synthesis { \fIaddress_match_element\fR; \&.\&.\&. }; // obsolete
 	deallocate\-on\-exit \fIboolean\fR; // obsolete
 	fake\-iquery \fIboolean\fR; // obsolete
 	fetch\-glue \fIboolean\fR; // obsolete
@@ -350,41 +403,46 @@
 	serial\-queries \fIinteger\fR; // obsolete
 	treat\-cr\-as\-space \fIboolean\fR; // obsolete
 	use\-id\-pool \fIboolean\fR; // obsolete
+	use\-ixfr \fIboolean\fR; // obsolete
 };
 .fi
+.if n \{\
 .RE
+.\}
 .SH "VIEW"
 .sp
+.if n \{\
 .RS 4
+.\}
 .nf
 view \fIstring\fR \fIoptional_class\fR {
-	match\-clients { \fIaddress_match_element\fR; ... };
-	match\-destinations { \fIaddress_match_element\fR; ... };
+	match\-clients { \fIaddress_match_element\fR; \&.\&.\&. };
+	match\-destinations { \fIaddress_match_element\fR; \&.\&.\&. };
 	match\-recursive\-only \fIboolean\fR;
 	key \fIstring\fR {
 		algorithm \fIstring\fR;
 		secret \fIstring\fR;
 	};
 	zone \fIstring\fR \fIoptional_class\fR {
-		...
+		\&.\&.\&.
 	};
 	server ( \fIipv4_address\fR\fI[/prefixlen]\fR | \fIipv6_address\fR\fI[/prefixlen]\fR ) {
-		...
+		\&.\&.\&.
 	};
 	trusted\-keys {
 		\fIstring\fR \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR;
-		[...]
+		[\&.\&.\&.]
 	};
-	allow\-recursion { \fIaddress_match_element\fR; ... };
-	allow\-recursion\-on { \fIaddress_match_element\fR; ... };
-	sortlist { \fIaddress_match_element\fR; ... };
-	topology { \fIaddress_match_element\fR; ... }; // not implemented
+	allow\-recursion { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-recursion\-on { \fIaddress_match_element\fR; \&.\&.\&. };
+	sortlist { \fIaddress_match_element\fR; \&.\&.\&. };
+	topology { \fIaddress_match_element\fR; \&.\&.\&. }; // not implemented
 	auth\-nxdomain \fIboolean\fR; // default changed
 	minimal\-responses \fIboolean\fR;
 	recursion \fIboolean\fR;
 	rrset\-order {
 		[ class \fIstring\fR ] [ type \fIstring\fR ]
-		[ name \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; ...
+		[ name \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; \&.\&.\&.
 	};
 	provide\-ixfr \fIboolean\fR;
 	request\-ixfr \fIboolean\fR;
@@ -419,13 +477,13 @@
 	dual\-stack\-servers [ port \fIinteger\fR ] {
 		( \fIquoted_string\fR [port \fIinteger\fR] |
 		\fIipv4_address\fR [port \fIinteger\fR] |
-		\fIipv6_address\fR [port \fIinteger\fR] ); ...
+		\fIipv6_address\fR [port \fIinteger\fR] ); \&.\&.\&.
 	};
 	edns\-udp\-size \fIinteger\fR;
 	max\-udp\-size \fIinteger\fR;
-	root\-delegation\-only [ exclude { \fIquoted_string\fR; ... } ];
-	disable\-algorithms \fIstring\fR { \fIstring\fR; ... };
-	disable\-ds\-digests \fIstring\fR { \fIstring\fR; ... };
+	root\-delegation\-only [ exclude { \fIquoted_string\fR; \&.\&.\&. } ];
+	disable\-algorithms \fIstring\fR { \fIstring\fR; \&.\&.\&. };
+	disable\-ds\-digests \fIstring\fR { \fIstring\fR; \&.\&.\&. };
 	dnssec\-enable \fIboolean\fR;
 	dnssec\-validation \fIboolean\fR;
 	dnssec\-lookaside ( \fIauto\fR | \fIno\fR | \fIdomain\fR trust\-anchor \fIdomain\fR );
@@ -447,13 +505,13 @@
 	disable\-empty\-zone \fIstring\fR;
 	dialup \fIdialuptype\fR;
 	ixfr\-from\-differences \fIixfrdiff\fR;
-	allow\-query { \fIaddress_match_element\fR; ... };
-	allow\-query\-on { \fIaddress_match_element\fR; ... };
-	allow\-query\-cache { \fIaddress_match_element\fR; ... };
-	allow\-query\-cache\-on { \fIaddress_match_element\fR; ... };
-	allow\-transfer { \fIaddress_match_element\fR; ... };
-	allow\-update { \fIaddress_match_element\fR; ... };
-	allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
+	allow\-query { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-query\-on { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-query\-cache { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-query\-cache\-on { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-transfer { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-update { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-update\-forwarding { \fIaddress_match_element\fR; \&.\&.\&. };
 	update\-check\-ksk \fIboolean\fR;
 	dnssec\-dnskey\-kskonly \fIboolean\fR;
 	masterfile\-format ( text | raw | map );
@@ -463,12 +521,12 @@
 	notify\-delay \fIseconds\fR;
 	notify\-to\-soa \fIboolean\fR;
 	also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
-		[ port \fIinteger\fR ]; ...
-		[ key \fIkeyname\fR ] ... };
-	allow\-notify { \fIaddress_match_element\fR; ... };
+		[ port \fIinteger\fR ]; \&.\&.\&.
+		[ key \fIkeyname\fR ] \&.\&.\&. };
+	allow\-notify { \fIaddress_match_element\fR; \&.\&.\&. };
 	forward ( first | only );
 	forwarders [ port \fIinteger\fR ] {
-		( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ...
+		( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; \&.\&.\&.
 	};
 	max\-journal\-size \fIsize_no_default\fR;
 	max\-transfer\-time\-in \fIinteger\fR;
@@ -496,16 +554,20 @@
 	zero\-no\-soa\-ttl \fIboolean\fR;
 	zero\-no\-soa\-ttl\-cache \fIboolean\fR;
 	dnssec\-secure\-to\-insecure \fIboolean\fR;
-	allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete
+	allow\-v6\-synthesis { \fIaddress_match_element\fR; \&.\&.\&. }; // obsolete
 	fetch\-glue \fIboolean\fR; // obsolete
 	maintain\-ixfr\-base \fIboolean\fR; // obsolete
 	max\-ixfr\-log\-size \fIsize\fR; // obsolete
 };
 .fi
+.if n \{\
 .RE
+.\}
 .SH "ZONE"
 .sp
+.if n \{\
 .RS 4
+.\}
 .nf
 zone \fIstring\fR \fIoptional_class\fR {
 	type ( master | slave | stub | hint | redirect |
@@ -514,7 +576,7 @@
 	masters [ port \fIinteger\fR ] {
 		( \fImasters\fR |
 		\fIipv4_address\fR [port \fIinteger\fR] |
-		\fIipv6_address\fR [ port \fIinteger\fR ] ) [ key \fIstring\fR ]; ...
+		\fIipv6_address\fR [ port \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&.
 	};
 	database \fIstring\fR;
 	delegation\-only \fIboolean\fR;
@@ -528,18 +590,18 @@
 	journal \fIquoted_string\fR;
 	zero\-no\-soa\-ttl \fIboolean\fR;
 	dnssec\-secure\-to\-insecure \fIboolean\fR;
-	allow\-query { \fIaddress_match_element\fR; ... };
-	allow\-query\-on { \fIaddress_match_element\fR; ... };
-	allow\-transfer { \fIaddress_match_element\fR; ... };
-	allow\-update { \fIaddress_match_element\fR; ... };
-	allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
+	allow\-query { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-query\-on { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-transfer { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-update { \fIaddress_match_element\fR; \&.\&.\&. };
+	allow\-update\-forwarding { \fIaddress_match_element\fR; \&.\&.\&. };
 	update\-policy \fIlocal\fR | \fI {
 		( grant | deny ) \fR\fI\fIstring\fR\fR\fI
 		( name | subdomain | wildcard | self | selfsub | selfwild |
                   krb5\-self | ms\-self | krb5\-subdomain | ms\-subdomain |
 		  tcp\-self | zonesub | 6to4\-self ) \fR\fI\fIstring\fR\fR\fI
 		\fR\fI\fIrrtypelist\fR\fR\fI;
-		\fR\fI[...]\fR\fI
+		\fR\fI[\&.\&.\&.]\fR\fI
 	}\fR;
 	update\-check\-ksk \fIboolean\fR;
 	dnssec\-dnskey\-kskonly \fIboolean\fR;
@@ -550,12 +612,12 @@
 	notify\-delay \fIseconds\fR;
 	notify\-to\-soa \fIboolean\fR;
 	also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
-		[ port \fIinteger\fR ]; ...
-		[ key \fIkeyname\fR ] ... };
-	allow\-notify { \fIaddress_match_element\fR; ... };
+		[ port \fIinteger\fR ]; \&.\&.\&.
+		[ key \fIkeyname\fR ] \&.\&.\&. };
+	allow\-notify { \fIaddress_match_element\fR; \&.\&.\&. };
 	forward ( first | only );
 	forwarders [ port \fIinteger\fR ] {
-		( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ...
+		( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; \&.\&.\&.
 	};
 	max\-journal\-size \fIsize_no_default\fR;
 	max\-transfer\-time\-in \fIinteger\fR;
@@ -589,16 +651,22 @@
 	pubkey \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; // obsolete
 };
 .fi
+.if n \{\
 .RE
+.\}
 .SH "FILES"
 .PP
-\fI/etc/named.conf\fR
+/etc/named\&.conf
 .SH "SEE ALSO"
 .PP
 \fBnamed\fR(8),
-\fBnamed\-checkconf\fR(8),
+\fBnamed-checkconf\fR(8),
 \fBrndc\fR(8),
-BIND 9 Administrator Reference Manual.
+BIND 9 Administrator Reference Manual\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2014 Internet Systems Consortium, Inc. ("ISC")
 .br
+Copyright \(co 2004-2016 Internet Systems Consortium, Inc. ("ISC")
+.br
--- a/external/bsd/bind/dist/bin/named/named.conf.docbook	Thu May 26 15:45:39 2016 +0000
+++ b/external/bsd/bind/dist/bin/named/named.conf.docbook	Thu May 26 16:49:55 2016 +0000
@@ -1,8 +1,5 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -17,9 +14,14 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<refentry>
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
+  <info>
+    <date>2014-01-08</date>
+  </info>
   <refentryinfo>
-    <date>January 08, 2014</date>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
   </refentryinfo>
 
   <refmeta>
@@ -46,18 +48,20 @@
       <year>2012</year>
       <year>2013</year>
       <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
 
   <refsynopsisdiv>
-    <cmdsynopsis>
+    <cmdsynopsis sepchar=" ">
       <command>named.conf</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
-  <refsect1>
-    <title>DESCRIPTION</title>
+  <refsection><info><title>DESCRIPTION</title></info>
+
     <para><filename>named.conf</filename> is the configuration file
       for
       <command>named</command>.  Statements are enclosed
@@ -74,39 +78,39 @@
     <para>
       Unix style: # to end of line
     </para>
-  </refsect1>
+  </refsection>
 
-  <refsect1>
-    <title>ACL</title>
-    <literallayout>
+  <refsection><info><title>ACL</title></info>
+
+    <literallayout class="normal">
 acl <replaceable>string</replaceable> { <replaceable>address_match_element</replaceable>; ... };
 
 </literallayout>
-  </refsect1>
+  </refsection>
 
-  <refsect1>
-    <title>KEY</title>
-    <literallayout>
+  <refsection><info><title>KEY</title></info>
+
+    <literallayout class="normal">
 key <replaceable>domain_name</replaceable> {
 	algorithm <replaceable>string</replaceable>;
 	secret <replaceable>string</replaceable>;
 };
 </literallayout>
-  </refsect1>
+  </refsection>
 
-  <refsect1>
-    <title>MASTERS</title>
-    <literallayout>
+  <refsection><info><title>MASTERS</title></info>
+
+    <literallayout class="normal">
 masters <replaceable>string</replaceable> <optional> port <replaceable>integer</replaceable> </optional> {
 	( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
 	<replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ) <optional> key <replaceable>string</replaceable> </optional>; ...
 };
 </literallayout>
-  </refsect1>
+  </refsection>
 
-  <refsect1>
-    <title>SERVER</title>
-    <literallayout>