Apply patches (requested by spz in ticket #751): netbsd-6
authorriz <riz@NetBSD.org>
Sat, 15 Dec 2012 05:39:18 +0000
branchnetbsd-6
changeset 256446 593376b3bf23
parent 256445 344989f2994d
child 256447 289590b2a3d5
Apply patches (requested by spz in ticket #751): external/bsd/bind/bin/dnssec/Makefile patch external/bsd/bind/bin/dnssec/dnssec-verify/Makefile patch external/bsd/bind/dist/CHANGES patch external/bsd/bind/dist/Makefile.in patch external/bsd/bind/dist/README patch external/bsd/bind/dist/acconfig.h patch external/bsd/bind/dist/config.h.in patch external/bsd/bind/dist/configure patch external/bsd/bind/dist/configure.in patch external/bsd/bind/dist/isc-config.sh.in patch external/bsd/bind/dist/srcid patch external/bsd/bind/dist/version patch external/bsd/bind/dist/bin/Makefile.in patch external/bsd/bind/dist/bin/check/Makefile.in patch external/bsd/bind/dist/bin/check/check-tool.c patch external/bsd/bind/dist/bin/confgen/Makefile.in patch external/bsd/bind/dist/bin/confgen/unix/Makefile.in patch external/bsd/bind/dist/bin/dig/Makefile.in patch external/bsd/bind/dist/bin/dig/nslookup.c patch external/bsd/bind/dist/bin/dnssec/Makefile.in patch external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.c patch external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.html patch external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.c patch external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.html patch external/bsd/bind/dist/bin/dnssec/dnssec-keygen.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c patch external/bsd/bind/dist/bin/dnssec/dnssec-keygen.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-keygen.html patch external/bsd/bind/dist/bin/dnssec/dnssec-settime.c patch external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c patch external/bsd/bind/dist/bin/dnssec/dnssec-verify.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-verify.c patch external/bsd/bind/dist/bin/dnssec/dnssec-verify.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-verify.html patch external/bsd/bind/dist/bin/dnssec/dnssectool.c patch external/bsd/bind/dist/bin/dnssec/dnssectool.h patch external/bsd/bind/dist/bin/named/Makefile.in patch external/bsd/bind/dist/bin/named/bindkeys.pl patch external/bsd/bind/dist/bin/named/builtin.c patch external/bsd/bind/dist/bin/named/client.c patch external/bsd/bind/dist/bin/named/config.c patch external/bsd/bind/dist/bin/named/controlconf.c patch external/bsd/bind/dist/bin/named/convertxsl.pl patch external/bsd/bind/dist/bin/named/query.c patch external/bsd/bind/dist/bin/named/server.c patch external/bsd/bind/dist/bin/named/statschannel.c patch external/bsd/bind/dist/bin/named/unix/Makefile.in patch external/bsd/bind/dist/bin/named/unix/dlz_dlopen_driver.c patch external/bsd/bind/dist/bin/nsupdate/Makefile.in patch external/bsd/bind/dist/bin/nsupdate/nsupdate.c patch external/bsd/bind/dist/bin/pkcs11/Makefile.in patch external/bsd/bind/dist/bin/python/Makefile.in patch external/bsd/bind/dist/bin/python/dnssec-checkds.8 patch external/bsd/bind/dist/bin/python/dnssec-checkds.docbookpatch external/bsd/bind/dist/bin/python/dnssec-checkds.html patch external/bsd/bind/dist/bin/python/dnssec-checkds.py.in patch external/bsd/bind/dist/bin/rndc/Makefile.in patch external/bsd/bind/dist/bin/tests/Makefile.in patch external/bsd/bind/dist/bin/tests/b8t.mk patch external/bsd/bind/dist/bin/tests/b9t.mk patch external/bsd/bind/dist/bin/tests/headerdep_test.sh.in patch external/bsd/bind/dist/bin/tests/rbt_test.txt patch external/bsd/bind/dist/bin/tests/resolv.conf.sample patch external/bsd/bind/dist/bin/tests/t_api.pl patch external/bsd/bind/dist/bin/tests/atomic/Makefile.in patch external/bsd/bind/dist/bin/tests/db/Makefile.in patch external/bsd/bind/dist/bin/tests/dnssec-signzone/run-test.sh patch external/bsd/bind/dist/bin/tests/dst/Makefile.in patch external/bsd/bind/dist/bin/tests/dst/t_dst.c patch external/bsd/bind/dist/bin/tests/hashes/Makefile.in patch external/bsd/bind/dist/bin/tests/master/Makefile.in patch external/bsd/bind/dist/bin/tests/mem/Makefile.in patch external/bsd/bind/dist/bin/tests/names/Makefile.in patch external/bsd/bind/dist/bin/tests/names/t_names.c patch external/bsd/bind/dist/bin/tests/net/Makefile.in patch external/bsd/bind/dist/bin/tests/rbt/Makefile.in patch external/bsd/bind/dist/bin/tests/resolver/Makefile.in patch external/bsd/bind/dist/bin/tests/resolver/t_resolver.c patch external/bsd/bind/dist/bin/tests/sockaddr/Makefile.in patch external/bsd/bind/dist/bin/tests/startperf/clean.sh patch external/bsd/bind/dist/bin/tests/startperf/makenames.pl patch external/bsd/bind/dist/bin/tests/startperf/mkzonefile.plpatch external/bsd/bind/dist/bin/tests/startperf/setup.sh patch external/bsd/bind/dist/bin/tests/system/Makefile.in patch external/bsd/bind/dist/bin/tests/system/cleanall.sh patch external/bsd/bind/dist/bin/tests/system/cleanpkcs11.sh patch external/bsd/bind/dist/bin/tests/system/conf.sh.in patch external/bsd/bind/dist/bin/tests/system/digcomp.pl patch external/bsd/bind/dist/bin/tests/system/ifconfig.sh patch external/bsd/bind/dist/bin/tests/system/org.isc.bind.system patch external/bsd/bind/dist/bin/tests/system/packet.pl patch external/bsd/bind/dist/bin/tests/system/run.sh patch external/bsd/bind/dist/bin/tests/system/runall.sh patch external/bsd/bind/dist/bin/tests/system/send.pl patch external/bsd/bind/dist/bin/tests/system/setup.sh patch external/bsd/bind/dist/bin/tests/system/start.sh patch external/bsd/bind/dist/bin/tests/system/stop.pl patch external/bsd/bind/dist/bin/tests/system/stop.sh patch external/bsd/bind/dist/bin/tests/system/testsock.pl patch external/bsd/bind/dist/bin/tests/system/testsock6.pl patch external/bsd/bind/dist/bin/tests/system/acl/clean.sh patch external/bsd/bind/dist/bin/tests/system/acl/setup.sh patch external/bsd/bind/dist/bin/tests/system/acl/tests.sh patch external/bsd/bind/dist/bin/tests/system/addzone/clean.shpatch external/bsd/bind/dist/bin/tests/system/addzone/setup.shpatch external/bsd/bind/dist/bin/tests/system/addzone/tests.shpatch external/bsd/bind/dist/bin/tests/system/allow_query/clean.sh patch external/bsd/bind/dist/bin/tests/system/allow_query/setup.sh patch external/bsd/bind/dist/bin/tests/system/allow_query/tests.sh patch external/bsd/bind/dist/bin/tests/system/autosign/prereq.sh patch external/bsd/bind/dist/bin/tests/system/autosign/setup.sh patch external/bsd/bind/dist/bin/tests/system/autosign/ns1/keygen.sh patch external/bsd/bind/dist/bin/tests/system/autosign/ns2/keygen.sh patch external/bsd/bind/dist/bin/tests/system/autosign/ns3/keygen.sh patch external/bsd/bind/dist/bin/tests/system/builtin/tests.shpatch external/bsd/bind/dist/bin/tests/system/cacheclean/clean.sh patch external/bsd/bind/dist/bin/tests/system/checkconf/badtsig.conf patch external/bsd/bind/dist/bin/tests/system/checkconf/clean.sh patch external/bsd/bind/dist/bin/tests/system/checkconf/good.conf patch external/bsd/bind/dist/bin/tests/system/checkconf/tests.sh patch external/bsd/bind/dist/bin/tests/system/checkds/clean.shpatch external/bsd/bind/dist/bin/tests/system/checkds/dig.sh patch external/bsd/bind/dist/bin/tests/system/checkds/missing.example.dlv.example.dlv.db patch external/bsd/bind/dist/bin/tests/system/checkds/missing.example.dnskey.db patch external/bsd/bind/dist/bin/tests/system/checkds/missing.example.ds.db patch external/bsd/bind/dist/bin/tests/system/checkds/none.example.dnskey.db patch external/bsd/bind/dist/bin/tests/system/checkds/ok.example.dlv.example.dlv.db patch external/bsd/bind/dist/bin/tests/system/checkds/ok.example.dnskey.db patch external/bsd/bind/dist/bin/tests/system/checkds/ok.example.ds.db patch external/bsd/bind/dist/bin/tests/system/checkds/setup.shpatch external/bsd/bind/dist/bin/tests/system/checkds/tests.shpatch external/bsd/bind/dist/bin/tests/system/checkds/wrong.example.dlv.example.dlv.db patch external/bsd/bind/dist/bin/tests/system/checkds/wrong.example.dnskey.db patch external/bsd/bind/dist/bin/tests/system/checkds/wrong.example.ds.db patch external/bsd/bind/dist/bin/tests/system/checknames/clean.sh patch external/bsd/bind/dist/bin/tests/system/checknames/setup.sh patch external/bsd/bind/dist/bin/tests/system/checknames/tests.sh patch external/bsd/bind/dist/bin/tests/system/checkzone/clean.sh patch external/bsd/bind/dist/bin/tests/system/checkzone/tests.sh patch external/bsd/bind/dist/bin/tests/system/database/clean.sh patch external/bsd/bind/dist/bin/tests/system/database/setup.sh patch external/bsd/bind/dist/bin/tests/system/database/tests.sh patch external/bsd/bind/dist/bin/tests/system/dialup/setup.sh patch external/bsd/bind/dist/bin/tests/system/dialup/tests.sh patch external/bsd/bind/dist/bin/tests/system/dlv/clean.sh patch external/bsd/bind/dist/bin/tests/system/dlv/setup.sh patch external/bsd/bind/dist/bin/tests/system/dlv/tests.sh patch external/bsd/bind/dist/bin/tests/system/dlv/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/dlv/ns2/sign.sh patch external/bsd/bind/dist/bin/tests/system/dlv/ns3/sign.sh patch external/bsd/bind/dist/bin/tests/system/dlv/ns6/sign.sh patch external/bsd/bind/dist/bin/tests/system/dlvauto/clean.shpatch external/bsd/bind/dist/bin/tests/system/dlvauto/setup.shpatch external/bsd/bind/dist/bin/tests/system/dlvauto/tests.shpatch external/bsd/bind/dist/bin/tests/system/dlvauto/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/dlz/clean.sh patch external/bsd/bind/dist/bin/tests/system/dlz/prereq.sh.inpatch external/bsd/bind/dist/bin/tests/system/dlz/tests.sh patch external/bsd/bind/dist/bin/tests/system/dlzexternal/Makefile.in patch external/bsd/bind/dist/bin/tests/system/dlzexternal/prereq.sh patch external/bsd/bind/dist/bin/tests/system/dlzexternal/setup.sh patch external/bsd/bind/dist/bin/tests/system/dname/clean.sh patch external/bsd/bind/dist/bin/tests/system/dname/tests.sh patch external/bsd/bind/dist/bin/tests/system/dns64/clean.sh patch external/bsd/bind/dist/bin/tests/system/dns64/setup.sh patch external/bsd/bind/dist/bin/tests/system/dns64/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/clean.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/dnssec_update_test.pl patch external/bsd/bind/dist/bin/tests/system/dnssec/prereq.shpatch external/bsd/bind/dist/bin/tests/system/dnssec/setup.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/tests.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/ns2/example.db.in patch external/bsd/bind/dist/bin/tests/system/dnssec/ns2/sign.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/ns3/expired.example.db.in patch external/bsd/bind/dist/bin/tests/system/dnssec/ns3/expiring.example.db.in patch external/bsd/bind/dist/bin/tests/system/dnssec/ns3/inline.example.db patch external/bsd/bind/dist/bin/tests/system/dnssec/ns3/lower.example.db.in patch external/bsd/bind/dist/bin/tests/system/dnssec/ns3/named.conf patch external/bsd/bind/dist/bin/tests/system/dnssec/ns3/sign.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/ns3/upper.example.db.in patch external/bsd/bind/dist/bin/tests/system/dnssec/ns4/named3.conf patch external/bsd/bind/dist/bin/tests/system/ecdsa/clean.sh patch external/bsd/bind/dist/bin/tests/system/ecdsa/prereq.sh.in patch external/bsd/bind/dist/bin/tests/system/ecdsa/setup.sh patch external/bsd/bind/dist/bin/tests/system/ecdsa/tests.sh patch external/bsd/bind/dist/bin/tests/system/ecdsa/ns1/named.conf patch external/bsd/bind/dist/bin/tests/system/ecdsa/ns1/root.db.in patch external/bsd/bind/dist/bin/tests/system/ecdsa/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/ecdsa/ns2/named.conf patch external/bsd/bind/dist/bin/tests/system/filter-aaaa/Makefile.in patch external/bsd/bind/dist/bin/tests/system/filter-aaaa/clean.sh patch external/bsd/bind/dist/bin/tests/system/filter-aaaa/prereq.sh patch external/bsd/bind/dist/bin/tests/system/filter-aaaa/setup.sh patch external/bsd/bind/dist/bin/tests/system/filter-aaaa/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/filter-aaaa/ns4/sign.sh patch external/bsd/bind/dist/bin/tests/system/forward/clean.shpatch external/bsd/bind/dist/bin/tests/system/forward/tests.shpatch external/bsd/bind/dist/bin/tests/system/glue/clean.sh patch external/bsd/bind/dist/bin/tests/system/glue/setup.sh patch external/bsd/bind/dist/bin/tests/system/glue/tests.sh patch external/bsd/bind/dist/bin/tests/system/gost/clean.sh patch external/bsd/bind/dist/bin/tests/system/gost/prereq.sh.in patch external/bsd/bind/dist/bin/tests/system/gost/setup.sh patch external/bsd/bind/dist/bin/tests/system/gost/tests.sh patch external/bsd/bind/dist/bin/tests/system/gost/ns1/sign.shpatch external/bsd/bind/dist/bin/tests/system/ixfr/prereq.sh patch external/bsd/bind/dist/bin/tests/system/limits/clean.sh patch external/bsd/bind/dist/bin/tests/system/limits/tests.sh patch external/bsd/bind/dist/bin/tests/system/logfileconfig/clean.sh patch external/bsd/bind/dist/bin/tests/system/logfileconfig/setup.sh patch external/bsd/bind/dist/bin/tests/system/logfileconfig/tests.sh patch external/bsd/bind/dist/bin/tests/system/lwresd/Makefile.in patch external/bsd/bind/dist/bin/tests/system/lwresd/resolv.conf patch external/bsd/bind/dist/bin/tests/system/lwresd/lwresd1/resolv.conf patch external/bsd/bind/dist/bin/tests/system/masterfile/clean.sh patch external/bsd/bind/dist/bin/tests/system/masterfile/tests.sh patch external/bsd/bind/dist/bin/tests/system/metadata/clean.sh patch external/bsd/bind/dist/bin/tests/system/metadata/prereq.sh patch external/bsd/bind/dist/bin/tests/system/metadata/setup.sh patch external/bsd/bind/dist/bin/tests/system/metadata/tests.sh patch external/bsd/bind/dist/bin/tests/system/notify/clean.sh patch external/bsd/bind/dist/bin/tests/system/notify/setup.sh patch external/bsd/bind/dist/bin/tests/system/notify/tests.sh patch external/bsd/bind/dist/bin/tests/system/nsupdate/commandlist patch external/bsd/bind/dist/bin/tests/system/nsupdate/setup.sh patch external/bsd/bind/dist/bin/tests/system/nsupdate/tests.sh patch external/bsd/bind/dist/bin/tests/system/nsupdate/update_test.pl patch external/bsd/bind/dist/bin/tests/system/nsupdate/ns3/sign.sh patch external/bsd/bind/dist/bin/tests/system/pending/clean.shpatch external/bsd/bind/dist/bin/tests/system/pending/prereq.sh patch external/bsd/bind/dist/bin/tests/system/pending/setup.shpatch external/bsd/bind/dist/bin/tests/system/pending/tests.shpatch external/bsd/bind/dist/bin/tests/system/pending/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/pending/ns2/sign.sh patch external/bsd/bind/dist/bin/tests/system/pkcs11/clean.sh patch external/bsd/bind/dist/bin/tests/system/pkcs11/prereq.shpatch external/bsd/bind/dist/bin/tests/system/pkcs11/setup.sh patch external/bsd/bind/dist/bin/tests/system/pkcs11/tests.sh patch external/bsd/bind/dist/bin/tests/system/redirect/clean.sh patch external/bsd/bind/dist/bin/tests/system/redirect/setup.sh patch external/bsd/bind/dist/bin/tests/system/redirect/tests.sh patch external/bsd/bind/dist/bin/tests/system/redirect/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/resolver/prereq.sh patch external/bsd/bind/dist/bin/tests/system/resolver/ans2/ans.pl patch external/bsd/bind/dist/bin/tests/system/resolver/ans3/ans.pl patch external/bsd/bind/dist/bin/tests/system/resolver/ns6/keygen.sh patch external/bsd/bind/dist/bin/tests/system/rndc/clean.sh patch external/bsd/bind/dist/bin/tests/system/rndc/setup.sh patch external/bsd/bind/dist/bin/tests/system/rndc/tests.sh patch external/bsd/bind/dist/bin/tests/system/rndc/ns2/named.conf patch external/bsd/bind/dist/bin/tests/system/rndc/ns2/secondkey.conf patch external/bsd/bind/dist/bin/tests/system/rpz/Makefile.in patch external/bsd/bind/dist/bin/tests/system/rpz/clean.sh patch external/bsd/bind/dist/bin/tests/system/rpz/qperf.sh patch external/bsd/bind/dist/bin/tests/system/rpz/rpz.c patch external/bsd/bind/dist/bin/tests/system/rpz/setup.sh patch external/bsd/bind/dist/bin/tests/system/rpz/test1 patch external/bsd/bind/dist/bin/tests/system/rpz/test2 patch external/bsd/bind/dist/bin/tests/system/rpz/test5 patch external/bsd/bind/dist/bin/tests/system/rpz/tests.sh patch external/bsd/bind/dist/bin/tests/system/rpz/ns1/root.db patch external/bsd/bind/dist/bin/tests/system/rpz/ns2/base-tld2s.db patch external/bsd/bind/dist/bin/tests/system/rpz/ns2/named.conf patch external/bsd/bind/dist/bin/tests/system/rpz/ns2/tld2.db patch external/bsd/bind/dist/bin/tests/system/rpz/ns3/base.db patch external/bsd/bind/dist/bin/tests/system/rpz/ns3/crash2 patch external/bsd/bind/dist/bin/tests/system/rpz/ns3/named.conf patch external/bsd/bind/dist/bin/tests/system/rpz/ns4/named.conf patch external/bsd/bind/dist/bin/tests/system/rpz/ns4/tld4.db patch external/bsd/bind/dist/bin/tests/system/rpz/ns5/hints patch external/bsd/bind/dist/bin/tests/system/rpz/ns5/named.conf patch external/bsd/bind/dist/bin/tests/system/rrsetorder/clean.sh patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/Makefile.in patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/bigkey.c patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/clean.sh patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/prereq.sh patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/setup.sh patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/tests.sh patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/conf/bad01.conf patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/conf/bad02.conf patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/conf/bad03.conf patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/conf/good01.conf patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/conf/good02.conf patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/conf/good03.conf patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns1/named.conf patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns1/root.db.in patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.key patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.private patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/Xexample.+005+51829.key patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/Xexample.+005+51829.private patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/dsset-example.in patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/example.db.bad patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/example.db.in patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/named.conf patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/sign.sh patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns3/named.conf patch external/bsd/bind/dist/bin/tests/system/smartsign/clean.sh patch external/bsd/bind/dist/bin/tests/system/smartsign/prereq.sh patch external/bsd/bind/dist/bin/tests/system/smartsign/setup.sh patch external/bsd/bind/dist/bin/tests/system/sortlist/clean.sh patch external/bsd/bind/dist/bin/tests/system/sortlist/tests.sh patch external/bsd/bind/dist/bin/tests/system/staticstub/clean.sh patch external/bsd/bind/dist/bin/tests/system/staticstub/setup.sh patch external/bsd/bind/dist/bin/tests/system/staticstub/tests.sh patch external/bsd/bind/dist/bin/tests/system/staticstub/ns3/sign.sh patch external/bsd/bind/dist/bin/tests/system/staticstub/ns4/sign.sh patch external/bsd/bind/dist/bin/tests/system/stress/clean.sh patch external/bsd/bind/dist/bin/tests/system/stress/setup.pl patch external/bsd/bind/dist/bin/tests/system/stress/setup.sh patch external/bsd/bind/dist/bin/tests/system/stress/tests.sh patch external/bsd/bind/dist/bin/tests/system/stress/update.plpatch external/bsd/bind/dist/bin/tests/system/stub/clean.sh patch external/bsd/bind/dist/bin/tests/system/stub/tests.sh patch external/bsd/bind/dist/bin/tests/system/tkey/Makefile.inpatch external/bsd/bind/dist/bin/tests/system/tkey/clean.sh patch external/bsd/bind/dist/bin/tests/system/tkey/prereq.sh patch external/bsd/bind/dist/bin/tests/system/tkey/setup.sh patch external/bsd/bind/dist/bin/tests/system/tkey/tests.sh patch external/bsd/bind/dist/bin/tests/system/tkey/ns1/setup.sh patch external/bsd/bind/dist/bin/tests/system/tsig/clean.sh patch external/bsd/bind/dist/bin/tests/system/tsig/tests.sh patch external/bsd/bind/dist/bin/tests/system/tsiggss/Makefile.in patch external/bsd/bind/dist/bin/tests/system/tsiggss/authsock.pl patch external/bsd/bind/dist/bin/tests/system/tsiggss/prereq.sh patch external/bsd/bind/dist/bin/tests/system/tsiggss/setup.shpatch external/bsd/bind/dist/bin/tests/system/unknown/clean.shpatch external/bsd/bind/dist/bin/tests/system/unknown/setup.shpatch external/bsd/bind/dist/bin/tests/system/unknown/tests.shpatch external/bsd/bind/dist/bin/tests/system/unknown/ns1/example-in.db patch external/bsd/bind/dist/bin/tests/system/unknown/ns1/large.db patch external/bsd/bind/dist/bin/tests/system/unknown/ns2/named.conf patch external/bsd/bind/dist/bin/tests/system/unknown/ns3/named.conf patch external/bsd/bind/dist/bin/tests/system/unknown/ns3/sign.sh patch external/bsd/bind/dist/bin/tests/system/upforwd/clean.shpatch external/bsd/bind/dist/bin/tests/system/upforwd/setup.shpatch external/bsd/bind/dist/bin/tests/system/upforwd/tests.shpatch external/bsd/bind/dist/bin/tests/system/upforwd/ans4/ans.pl patch external/bsd/bind/dist/bin/tests/system/v6synth/clean.shpatch external/bsd/bind/dist/bin/tests/system/v6synth/tests.shpatch external/bsd/bind/dist/bin/tests/system/verify/clean.sh patch external/bsd/bind/dist/bin/tests/system/verify/setup.sh patch external/bsd/bind/dist/bin/tests/system/verify/tests.sh patch external/bsd/bind/dist/bin/tests/system/verify/zones/genzones.sh patch external/bsd/bind/dist/bin/tests/system/verify/zones/unsigned.db patch external/bsd/bind/dist/bin/tests/system/views/clean.sh patch external/bsd/bind/dist/bin/tests/system/views/setup.sh patch external/bsd/bind/dist/bin/tests/system/views/tests.sh patch external/bsd/bind/dist/bin/tests/system/xfer/prereq.sh patch external/bsd/bind/dist/bin/tests/system/xfer/setup.sh patch external/bsd/bind/dist/bin/tests/system/xferquota/clean.sh patch external/bsd/bind/dist/bin/tests/system/xferquota/setup.pl patch external/bsd/bind/dist/bin/tests/system/xferquota/setup.sh patch external/bsd/bind/dist/bin/tests/system/xferquota/tests.sh patch external/bsd/bind/dist/bin/tests/tasks/Makefile.in patch external/bsd/bind/dist/bin/tests/timers/Makefile.in patch external/bsd/bind/dist/bin/tests/virtual-time/Makefile.in patch external/bsd/bind/dist/bin/tests/virtual-time/cleanall.sh patch external/bsd/bind/dist/bin/tests/virtual-time/conf.sh.inpatch external/bsd/bind/dist/bin/tests/virtual-time/run.sh patch external/bsd/bind/dist/bin/tests/virtual-time/runall.sh patch external/bsd/bind/dist/bin/tests/virtual-time/setup.sh patch external/bsd/bind/dist/bin/tests/virtual-time/start.pl patch external/bsd/bind/dist/bin/tests/virtual-time/start.sh patch external/bsd/bind/dist/bin/tests/virtual-time/stop.pl patch external/bsd/bind/dist/bin/tests/virtual-time/stop.sh patch external/bsd/bind/dist/bin/tests/virtual-time/testsock.pl patch external/bsd/bind/dist/bin/tests/virtual-time/autosign-ksk/clean.sh patch external/bsd/bind/dist/bin/tests/virtual-time/autosign-ksk/setup.sh patch external/bsd/bind/dist/bin/tests/virtual-time/autosign-ksk/tests.sh patch external/bsd/bind/dist/bin/tests/virtual-time/autosign-ksk/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/virtual-time/autosign-ksk/ns1/wrap.sh patch external/bsd/bind/dist/bin/tests/virtual-time/autosign-zsk/clean.sh patch external/bsd/bind/dist/bin/tests/virtual-time/autosign-zsk/setup.sh patch external/bsd/bind/dist/bin/tests/virtual-time/autosign-zsk/tests.sh patch external/bsd/bind/dist/bin/tests/virtual-time/autosign-zsk/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/virtual-time/autosign-zsk/ns1/wrap.sh patch external/bsd/bind/dist/bin/tests/virtual-time/slave/clean.sh patch external/bsd/bind/dist/bin/tests/virtual-time/slave/setup.sh patch external/bsd/bind/dist/bin/tests/virtual-time/slave/tests.sh patch external/bsd/bind/dist/bin/tests/virtual-time/slave/ns1/wrap.sh patch external/bsd/bind/dist/bin/tools/Makefile.in patch external/bsd/bind/dist/contrib/check-secure-delegation.pl.in patch external/bsd/bind/dist/contrib/zone-edit.sh.in patch external/bsd/bind/dist/contrib/dlz/bin/dlzbdb/Makefile.in patch external/bsd/bind/dist/contrib/dlz/drivers/dlz_dlopen_driver.c patch external/bsd/bind/dist/contrib/named-bootconf/named-bootconf.sh patch external/bsd/bind/dist/contrib/nanny/nanny.pl patch external/bsd/bind/dist/contrib/sdb/tcl/lookup.tcl patch external/bsd/bind/dist/contrib/zkt/doc/rfc5011.txt patch external/bsd/bind/dist/doc/Makefile.in patch external/bsd/bind/dist/doc/arm/Bv9ARM-book.xml patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.html patch external/bsd/bind/dist/doc/arm/Makefile.in patch external/bsd/bind/dist/doc/arm/latex-fixup.pl patch external/bsd/bind/dist/doc/arm/man.arpaname.html patch external/bsd/bind/dist/doc/arm/man.ddns-confgen.html patch external/bsd/bind/dist/doc/arm/man.dig.html patch external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.htmlpatch external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html patch external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html patch external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html patch external/bsd/bind/dist/doc/arm/man.dnssec-settime.html patch external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html patch external/bsd/bind/dist/doc/arm/man.dnssec-verify.html patch external/bsd/bind/dist/doc/arm/man.genrandom.html patch external/bsd/bind/dist/doc/arm/man.host.html patch external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html patch external/bsd/bind/dist/doc/arm/man.named-checkconf.html patch external/bsd/bind/dist/doc/arm/man.named-checkzone.html patch external/bsd/bind/dist/doc/arm/man.named-journalprint.html patch external/bsd/bind/dist/doc/arm/man.named.html patch external/bsd/bind/dist/doc/arm/man.nsec3hash.html patch external/bsd/bind/dist/doc/arm/man.nsupdate.html patch external/bsd/bind/dist/doc/arm/man.rndc-confgen.html patch external/bsd/bind/dist/doc/arm/man.rndc.conf.html patch external/bsd/bind/dist/doc/arm/man.rndc.html patch external/bsd/bind/dist/doc/doxygen/Makefile.in patch external/bsd/bind/dist/doc/doxygen/doxygen-input-filter.in patch external/bsd/bind/dist/doc/misc/Makefile.in patch external/bsd/bind/dist/doc/misc/format-options.pl patch external/bsd/bind/dist/doc/misc/options patch external/bsd/bind/dist/doc/misc/sort-options.pl patch external/bsd/bind/dist/doc/xsl/Makefile.in patch external/bsd/bind/dist/lib/Makefile.in patch external/bsd/bind/dist/lib/bind9/Makefile.in patch external/bsd/bind/dist/lib/bind9/api patch external/bsd/bind/dist/lib/bind9/check.c patch external/bsd/bind/dist/lib/bind9/include/Makefile.in patch external/bsd/bind/dist/lib/bind9/include/bind9/Makefile.in patch external/bsd/bind/dist/lib/dns/Makefile.in patch external/bsd/bind/dist/lib/dns/adb.c patch external/bsd/bind/dist/lib/dns/api patch external/bsd/bind/dist/lib/dns/db.c patch external/bsd/bind/dist/lib/dns/dnssec.c patch external/bsd/bind/dist/lib/dns/ds.c patch external/bsd/bind/dist/lib/dns/dst_api.c patch external/bsd/bind/dist/lib/dns/dst_internal.h patch external/bsd/bind/dist/lib/dns/dst_openssl.h patch external/bsd/bind/dist/lib/dns/dst_parse.c patch external/bsd/bind/dist/lib/dns/dst_parse.h patch external/bsd/bind/dist/lib/dns/dst_result.c patch external/bsd/bind/dist/lib/dns/gssapi_link.c patch external/bsd/bind/dist/lib/dns/hmac_link.c patch external/bsd/bind/dist/lib/dns/log.c patch external/bsd/bind/dist/lib/dns/master.c patch external/bsd/bind/dist/lib/dns/masterdump.c patch external/bsd/bind/dist/lib/dns/nsec.c patch external/bsd/bind/dist/lib/dns/nsec3.c patch external/bsd/bind/dist/lib/dns/openssl_link.c patch external/bsd/bind/dist/lib/dns/openssldh_link.c patch external/bsd/bind/dist/lib/dns/openssldsa_link.c patch external/bsd/bind/dist/lib/dns/opensslecdsa_link.c patch external/bsd/bind/dist/lib/dns/opensslgost_link.c patch external/bsd/bind/dist/lib/dns/opensslrsa_link.c patch external/bsd/bind/dist/lib/dns/rbtdb.c patch external/bsd/bind/dist/lib/dns/rcode.c patch external/bsd/bind/dist/lib/dns/rdata.c patch external/bsd/bind/dist/lib/dns/rdataset.c patch external/bsd/bind/dist/lib/dns/resolver.c patch external/bsd/bind/dist/lib/dns/rpz.c patch external/bsd/bind/dist/lib/dns/spnego_asn1.pl patch external/bsd/bind/dist/lib/dns/update.c patch external/bsd/bind/dist/lib/dns/validator.c patch external/bsd/bind/dist/lib/dns/view.c patch external/bsd/bind/dist/lib/dns/zone.c patch external/bsd/bind/dist/lib/dns/zt.c patch external/bsd/bind/dist/lib/dns/include/Makefile.in patch external/bsd/bind/dist/lib/dns/include/dns/Makefile.in patch external/bsd/bind/dist/lib/dns/include/dns/db.h patch external/bsd/bind/dist/lib/dns/include/dns/dnssec.h patch external/bsd/bind/dist/lib/dns/include/dns/ds.h patch external/bsd/bind/dist/lib/dns/include/dns/iptable.h patch external/bsd/bind/dist/lib/dns/include/dns/keyvalues.h patch external/bsd/bind/dist/lib/dns/include/dns/log.h patch external/bsd/bind/dist/lib/dns/include/dns/nsec.h patch external/bsd/bind/dist/lib/dns/include/dns/private.h patch external/bsd/bind/dist/lib/dns/include/dns/rdata.h patch external/bsd/bind/dist/lib/dns/include/dns/rdataset.h patch external/bsd/bind/dist/lib/dns/include/dns/rpz.h patch external/bsd/bind/dist/lib/dns/include/dns/stats.h patch external/bsd/bind/dist/lib/dns/include/dns/view.h patch external/bsd/bind/dist/lib/dns/include/dns/zone.h patch external/bsd/bind/dist/lib/dns/include/dst/Makefile.in patch external/bsd/bind/dist/lib/dns/include/dst/dst.h patch external/bsd/bind/dist/lib/dns/include/dst/result.h patch external/bsd/bind/dist/lib/dns/rdata/generic/dlv_32769.cpatch external/bsd/bind/dist/lib/dns/rdata/generic/ds_43.c patch external/bsd/bind/dist/lib/dns/tests/Makefile.in patch external/bsd/bind/dist/lib/dns/tests/dnstest.h patch external/bsd/bind/dist/lib/dns/tests/rdataset_test.c patch external/bsd/bind/dist/lib/dns/tests/zt_test.c patch external/bsd/bind/dist/lib/dns/win32/libdns.def patch external/bsd/bind/dist/lib/export/Makefile.in patch external/bsd/bind/dist/lib/export/dns/Makefile.in patch external/bsd/bind/dist/lib/export/dns/include/Makefile.in patch external/bsd/bind/dist/lib/export/dns/include/dns/Makefile.in patch external/bsd/bind/dist/lib/export/dns/include/dst/Makefile.in patch external/bsd/bind/dist/lib/export/irs/include/irs/Makefile.in patch external/bsd/bind/dist/lib/export/isc/Makefile.in patch external/bsd/bind/dist/lib/export/isc/include/isc/Makefile.in patch external/bsd/bind/dist/lib/export/isc/nls/Makefile.in patch external/bsd/bind/dist/lib/export/isc/nothreads/Makefile.in patch external/bsd/bind/dist/lib/export/isc/nothreads/include/isc/Makefile.in patch external/bsd/bind/dist/lib/export/isc/pthreads/Makefile.in patch external/bsd/bind/dist/lib/export/isc/pthreads/include/isc/Makefile.in patch external/bsd/bind/dist/lib/export/isc/unix/Makefile.in patch external/bsd/bind/dist/lib/export/isc/unix/include/isc/Makefile.in patch external/bsd/bind/dist/lib/export/isccfg/include/isccfg/Makefile.in patch external/bsd/bind/dist/lib/export/samples/Makefile-postinstall.in patch external/bsd/bind/dist/lib/export/samples/Makefile.in patch external/bsd/bind/dist/lib/irs/Makefile.in patch external/bsd/bind/dist/lib/irs/include/Makefile.in patch external/bsd/bind/dist/lib/irs/include/irs/Makefile.in patch external/bsd/bind/dist/lib/isc/api patch external/bsd/bind/dist/lib/isc/mem.c patch external/bsd/bind/dist/lib/isc/task.c patch external/bsd/bind/dist/lib/isc/task_api.c patch external/bsd/bind/dist/lib/isc/alpha/Makefile.in patch external/bsd/bind/dist/lib/isc/alpha/include/Makefile.inpatch external/bsd/bind/dist/lib/isc/alpha/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/ia64/Makefile.in patch external/bsd/bind/dist/lib/isc/ia64/include/Makefile.in patch external/bsd/bind/dist/lib/isc/ia64/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/ia64/include/isc/atomic.hpatch external/bsd/bind/dist/lib/isc/include/Makefile.in patch external/bsd/bind/dist/lib/isc/include/isc/file.h patch external/bsd/bind/dist/lib/isc/include/isc/heap.h patch external/bsd/bind/dist/lib/isc/include/isc/list.h patch external/bsd/bind/dist/lib/isc/include/isc/namespace.h patch external/bsd/bind/dist/lib/isc/include/isc/queue.h patch external/bsd/bind/dist/lib/isc/include/isc/task.h patch external/bsd/bind/dist/lib/isc/mips/Makefile.in patch external/bsd/bind/dist/lib/isc/mips/include/Makefile.in patch external/bsd/bind/dist/lib/isc/mips/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/nls/Makefile.in patch external/bsd/bind/dist/lib/isc/noatomic/Makefile.in patch external/bsd/bind/dist/lib/isc/noatomic/include/Makefile.in patch external/bsd/bind/dist/lib/isc/noatomic/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/nothreads/Makefile.in patch external/bsd/bind/dist/lib/isc/nothreads/include/Makefile.in patch external/bsd/bind/dist/lib/isc/nothreads/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/powerpc/Makefile.in patch external/bsd/bind/dist/lib/isc/powerpc/include/Makefile.in patch external/bsd/bind/dist/lib/isc/powerpc/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/pthreads/Makefile.in patch external/bsd/bind/dist/lib/isc/pthreads/condition.c patch external/bsd/bind/dist/lib/isc/pthreads/include/Makefile.in patch external/bsd/bind/dist/lib/isc/pthreads/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/sparc64/Makefile.in patch external/bsd/bind/dist/lib/isc/sparc64/include/Makefile.in patch external/bsd/bind/dist/lib/isc/sparc64/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/tests/isctest.c patch external/bsd/bind/dist/lib/isc/tests/isctest.h patch external/bsd/bind/dist/lib/isc/tests/queue_test.c patch external/bsd/bind/dist/lib/isc/unix/Makefile.in patch external/bsd/bind/dist/lib/isc/unix/file.c patch external/bsd/bind/dist/lib/isc/unix/include/Makefile.in patch external/bsd/bind/dist/lib/isc/unix/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/win32/Makefile.in patch external/bsd/bind/dist/lib/isc/win32/file.c patch external/bsd/bind/dist/lib/isc/win32/libisc.def patch external/bsd/bind/dist/lib/isc/win32/include/Makefile.inpatch external/bsd/bind/dist/lib/isc/win32/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/win32/include/isc/stat.h patch external/bsd/bind/dist/lib/isc/x86_32/Makefile.in patch external/bsd/bind/dist/lib/isc/x86_32/include/Makefile.in patch external/bsd/bind/dist/lib/isc/x86_32/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/x86_64/Makefile.in patch external/bsd/bind/dist/lib/isc/x86_64/include/Makefile.in patch external/bsd/bind/dist/lib/isc/x86_64/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isccc/api patch external/bsd/bind/dist/lib/isccc/cc.c patch external/bsd/bind/dist/lib/isccc/include/Makefile.in patch external/bsd/bind/dist/lib/isccc/include/isccc/Makefile.in patch external/bsd/bind/dist/lib/isccfg/api patch external/bsd/bind/dist/lib/isccfg/namedconf.c patch external/bsd/bind/dist/lib/isccfg/include/Makefile.in patch external/bsd/bind/dist/lib/isccfg/include/isccfg/Makefile.in patch external/bsd/bind/dist/lib/lwres/Makefile.in patch external/bsd/bind/dist/lib/lwres/api patch external/bsd/bind/dist/lib/lwres/getaddrinfo.c patch external/bsd/bind/dist/lib/lwres/include/Makefile.in patch external/bsd/bind/dist/lib/lwres/include/lwres/Makefile.in patch external/bsd/bind/dist/lib/lwres/man/Makefile.in patch external/bsd/bind/dist/lib/lwres/unix/Makefile.in patch external/bsd/bind/dist/lib/lwres/unix/include/Makefile.in patch external/bsd/bind/dist/lib/lwres/unix/include/lwres/Makefile.in patch external/bsd/bind/dist/lib/lwres/win32/Makefile.in patch external/bsd/bind/dist/lib/lwres/win32/include/Makefile.in patch external/bsd/bind/dist/lib/lwres/win32/include/lwres/Makefile.in patch external/bsd/bind/dist/lib/tests/Makefile.in patch external/bsd/bind/dist/lib/tests/include/Makefile.in patch external/bsd/bind/dist/lib/tests/include/tests/Makefile.in patch external/bsd/bind/dist/make/Makefile.in patch external/bsd/bind/dist/make/includes.in patch external/bsd/bind/dist/make/rules.in patch external/bsd/bind/dist/unit/atf-src/atf-c/macros.h patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/process_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/sanity.h patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/text_test.c patch external/bsd/bind/include/config.h patch external/bsd/bind/lib/libbind9/shlib_version patch external/bsd/bind/lib/libdns/Makefile patch external/bsd/bind/lib/libdns/shlib_version patch external/bsd/bind/lib/libisc/shlib_version patch external/bsd/bind/lib/libisccc/shlib_version patch external/bsd/bind/lib/libisccfg/shlib_version patch external/bsd/bind/lib/liblwres/shlib_version patch distrib/sets/lists/base/ad.mips64eb patch distrib/sets/lists/base/ad.mips64el patch distrib/sets/lists/base/md.amd64 patch distrib/sets/lists/base/md.sparc64 patch distrib/sets/lists/base/mi patch distrib/sets/lists/base/shl.mi patch distrib/sets/lists/man/mi patch Update bind to version 9.9.2-P1, addressing CVE-2012-5688. [spz, ticket #751]
distrib/sets/lists/base/ad.mips64eb
distrib/sets/lists/base/ad.mips64el
distrib/sets/lists/base/md.amd64
distrib/sets/lists/base/md.sparc64
distrib/sets/lists/base/mi
distrib/sets/lists/base/shl.mi
distrib/sets/lists/man/mi
external/bsd/bind/bin/dnssec/Makefile
external/bsd/bind/bin/dnssec/dnssec-verify/Makefile
external/bsd/bind/dist/CHANGES
external/bsd/bind/dist/Makefile.in
external/bsd/bind/dist/README
external/bsd/bind/dist/acconfig.h
external/bsd/bind/dist/bin/Makefile.in
external/bsd/bind/dist/bin/check/Makefile.in
external/bsd/bind/dist/bin/check/check-tool.c
external/bsd/bind/dist/bin/confgen/Makefile.in
external/bsd/bind/dist/bin/confgen/unix/Makefile.in
external/bsd/bind/dist/bin/dig/Makefile.in
external/bsd/bind/dist/bin/dig/nslookup.c
external/bsd/bind/dist/bin/dnssec/Makefile.in
external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.8
external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.c
external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.docbook
external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.html
external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.8
external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.c
external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.docbook
external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.html
external/bsd/bind/dist/bin/dnssec/dnssec-keygen.8
external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c
external/bsd/bind/dist/bin/dnssec/dnssec-keygen.docbook
external/bsd/bind/dist/bin/dnssec/dnssec-keygen.html
external/bsd/bind/dist/bin/dnssec/dnssec-settime.c
external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c
external/bsd/bind/dist/bin/dnssec/dnssec-verify.8
external/bsd/bind/dist/bin/dnssec/dnssec-verify.c
external/bsd/bind/dist/bin/dnssec/dnssec-verify.docbook
external/bsd/bind/dist/bin/dnssec/dnssec-verify.html
external/bsd/bind/dist/bin/dnssec/dnssectool.c
external/bsd/bind/dist/bin/dnssec/dnssectool.h
external/bsd/bind/dist/bin/named/Makefile.in
external/bsd/bind/dist/bin/named/bindkeys.pl
external/bsd/bind/dist/bin/named/builtin.c
external/bsd/bind/dist/bin/named/client.c
external/bsd/bind/dist/bin/named/config.c
external/bsd/bind/dist/bin/named/controlconf.c
external/bsd/bind/dist/bin/named/convertxsl.pl
external/bsd/bind/dist/bin/named/query.c
external/bsd/bind/dist/bin/named/server.c
external/bsd/bind/dist/bin/named/statschannel.c
external/bsd/bind/dist/bin/named/unix/Makefile.in
external/bsd/bind/dist/bin/named/unix/dlz_dlopen_driver.c
external/bsd/bind/dist/bin/nsupdate/Makefile.in
external/bsd/bind/dist/bin/nsupdate/nsupdate.c
external/bsd/bind/dist/bin/pkcs11/Makefile.in
external/bsd/bind/dist/bin/python/Makefile.in
external/bsd/bind/dist/bin/python/dnssec-checkds.8
external/bsd/bind/dist/bin/python/dnssec-checkds.docbook
external/bsd/bind/dist/bin/python/dnssec-checkds.html
external/bsd/bind/dist/bin/python/dnssec-checkds.py.in
external/bsd/bind/dist/bin/rndc/Makefile.in
external/bsd/bind/dist/bin/tests/Makefile.in
external/bsd/bind/dist/bin/tests/atomic/Makefile.in
external/bsd/bind/dist/bin/tests/b8t.mk
external/bsd/bind/dist/bin/tests/b9t.mk
external/bsd/bind/dist/bin/tests/db/Makefile.in
external/bsd/bind/dist/bin/tests/dnssec-signzone/run-test.sh
external/bsd/bind/dist/bin/tests/dst/Makefile.in
external/bsd/bind/dist/bin/tests/dst/t_dst.c
external/bsd/bind/dist/bin/tests/hashes/Makefile.in
external/bsd/bind/dist/bin/tests/headerdep_test.sh.in
external/bsd/bind/dist/bin/tests/master/Makefile.in
external/bsd/bind/dist/bin/tests/mem/Makefile.in
external/bsd/bind/dist/bin/tests/names/Makefile.in
external/bsd/bind/dist/bin/tests/names/t_names.c
external/bsd/bind/dist/bin/tests/net/Makefile.in
external/bsd/bind/dist/bin/tests/rbt/Makefile.in
external/bsd/bind/dist/bin/tests/rbt_test.txt
external/bsd/bind/dist/bin/tests/resolv.conf.sample
external/bsd/bind/dist/bin/tests/resolver/Makefile.in
external/bsd/bind/dist/bin/tests/resolver/t_resolver.c
external/bsd/bind/dist/bin/tests/sockaddr/Makefile.in
external/bsd/bind/dist/bin/tests/startperf/clean.sh
external/bsd/bind/dist/bin/tests/startperf/makenames.pl
external/bsd/bind/dist/bin/tests/startperf/mkzonefile.pl
external/bsd/bind/dist/bin/tests/startperf/setup.sh
external/bsd/bind/dist/bin/tests/system/Makefile.in
external/bsd/bind/dist/bin/tests/system/acl/clean.sh
external/bsd/bind/dist/bin/tests/system/acl/setup.sh
external/bsd/bind/dist/bin/tests/system/acl/tests.sh
external/bsd/bind/dist/bin/tests/system/addzone/clean.sh
external/bsd/bind/dist/bin/tests/system/addzone/setup.sh
external/bsd/bind/dist/bin/tests/system/addzone/tests.sh
external/bsd/bind/dist/bin/tests/system/allow_query/clean.sh
external/bsd/bind/dist/bin/tests/system/allow_query/setup.sh
external/bsd/bind/dist/bin/tests/system/allow_query/tests.sh
external/bsd/bind/dist/bin/tests/system/autosign/ns1/keygen.sh
external/bsd/bind/dist/bin/tests/system/autosign/ns2/keygen.sh
external/bsd/bind/dist/bin/tests/system/autosign/ns3/keygen.sh
external/bsd/bind/dist/bin/tests/system/autosign/prereq.sh
external/bsd/bind/dist/bin/tests/system/autosign/setup.sh
external/bsd/bind/dist/bin/tests/system/builtin/tests.sh
external/bsd/bind/dist/bin/tests/system/cacheclean/clean.sh
external/bsd/bind/dist/bin/tests/system/checkconf/badtsig.conf
external/bsd/bind/dist/bin/tests/system/checkconf/clean.sh
external/bsd/bind/dist/bin/tests/system/checkconf/good.conf
external/bsd/bind/dist/bin/tests/system/checkconf/tests.sh
external/bsd/bind/dist/bin/tests/system/checkds/clean.sh
external/bsd/bind/dist/bin/tests/system/checkds/dig.sh
external/bsd/bind/dist/bin/tests/system/checkds/missing.example.dlv.example.dlv.db
external/bsd/bind/dist/bin/tests/system/checkds/missing.example.dnskey.db
external/bsd/bind/dist/bin/tests/system/checkds/missing.example.ds.db
external/bsd/bind/dist/bin/tests/system/checkds/none.example.dnskey.db
external/bsd/bind/dist/bin/tests/system/checkds/ok.example.dlv.example.dlv.db
external/bsd/bind/dist/bin/tests/system/checkds/ok.example.dnskey.db
external/bsd/bind/dist/bin/tests/system/checkds/ok.example.ds.db
external/bsd/bind/dist/bin/tests/system/checkds/setup.sh
external/bsd/bind/dist/bin/tests/system/checkds/tests.sh
external/bsd/bind/dist/bin/tests/system/checkds/wrong.example.dlv.example.dlv.db
external/bsd/bind/dist/bin/tests/system/checkds/wrong.example.dnskey.db
external/bsd/bind/dist/bin/tests/system/checkds/wrong.example.ds.db
external/bsd/bind/dist/bin/tests/system/checknames/clean.sh
external/bsd/bind/dist/bin/tests/system/checknames/setup.sh
external/bsd/bind/dist/bin/tests/system/checknames/tests.sh
external/bsd/bind/dist/bin/tests/system/checkzone/clean.sh
external/bsd/bind/dist/bin/tests/system/checkzone/tests.sh
external/bsd/bind/dist/bin/tests/system/cleanall.sh
external/bsd/bind/dist/bin/tests/system/cleanpkcs11.sh
external/bsd/bind/dist/bin/tests/system/conf.sh.in
external/bsd/bind/dist/bin/tests/system/database/clean.sh
external/bsd/bind/dist/bin/tests/system/database/setup.sh
external/bsd/bind/dist/bin/tests/system/database/tests.sh
external/bsd/bind/dist/bin/tests/system/dialup/setup.sh
external/bsd/bind/dist/bin/tests/system/dialup/tests.sh
external/bsd/bind/dist/bin/tests/system/digcomp.pl
external/bsd/bind/dist/bin/tests/system/dlv/clean.sh
external/bsd/bind/dist/bin/tests/system/dlv/ns1/sign.sh
external/bsd/bind/dist/bin/tests/system/dlv/ns2/sign.sh
external/bsd/bind/dist/bin/tests/system/dlv/ns3/sign.sh
external/bsd/bind/dist/bin/tests/system/dlv/ns6/sign.sh
external/bsd/bind/dist/bin/tests/system/dlv/setup.sh
external/bsd/bind/dist/bin/tests/system/dlv/tests.sh
external/bsd/bind/dist/bin/tests/system/dlvauto/clean.sh
external/bsd/bind/dist/bin/tests/system/dlvauto/ns1/sign.sh
external/bsd/bind/dist/bin/tests/system/dlvauto/setup.sh
external/bsd/bind/dist/bin/tests/system/dlvauto/tests.sh
external/bsd/bind/dist/bin/tests/system/dlz/clean.sh
external/bsd/bind/dist/bin/tests/system/dlz/prereq.sh.in
external/bsd/bind/dist/bin/tests/system/dlz/tests.sh
external/bsd/bind/dist/bin/tests/system/dlzexternal/Makefile.in
external/bsd/bind/dist/bin/tests/system/dlzexternal/prereq.sh
external/bsd/bind/dist/bin/tests/system/dlzexternal/setup.sh
external/bsd/bind/dist/bin/tests/system/dname/clean.sh
external/bsd/bind/dist/bin/tests/system/dname/tests.sh
external/bsd/bind/dist/bin/tests/system/dns64/clean.sh
external/bsd/bind/dist/bin/tests/system/dns64/ns1/sign.sh
external/bsd/bind/dist/bin/tests/system/dns64/setup.sh
external/bsd/bind/dist/bin/tests/system/dnssec/clean.sh
external/bsd/bind/dist/bin/tests/system/dnssec/dnssec_update_test.pl
external/bsd/bind/dist/bin/tests/system/dnssec/ns1/sign.sh
external/bsd/bind/dist/bin/tests/system/dnssec/ns2/example.db.in
external/bsd/bind/dist/bin/tests/system/dnssec/ns2/sign.sh
external/bsd/bind/dist/bin/tests/system/dnssec/ns3/expired.example.db.in
external/bsd/bind/dist/bin/tests/system/dnssec/ns3/expiring.example.db.in
external/bsd/bind/dist/bin/tests/system/dnssec/ns3/inline.example.db
external/bsd/bind/dist/bin/tests/system/dnssec/ns3/lower.example.db.in
external/bsd/bind/dist/bin/tests/system/dnssec/ns3/named.conf
external/bsd/bind/dist/bin/tests/system/dnssec/ns3/sign.sh
external/bsd/bind/dist/bin/tests/system/dnssec/ns3/upper.example.db.in
external/bsd/bind/dist/bin/tests/system/dnssec/ns4/named3.conf
external/bsd/bind/dist/bin/tests/system/dnssec/prereq.sh
external/bsd/bind/dist/bin/tests/system/dnssec/setup.sh
external/bsd/bind/dist/bin/tests/system/dnssec/tests.sh
external/bsd/bind/dist/bin/tests/system/ecdsa/clean.sh
external/bsd/bind/dist/bin/tests/system/ecdsa/ns1/named.conf
external/bsd/bind/dist/bin/tests/system/ecdsa/ns1/root.db.in
external/bsd/bind/dist/bin/tests/system/ecdsa/ns1/sign.sh
external/bsd/bind/dist/bin/tests/system/ecdsa/ns2/named.conf
external/bsd/bind/dist/bin/tests/system/ecdsa/prereq.sh.in
external/bsd/bind/dist/bin/tests/system/ecdsa/setup.sh
external/bsd/bind/dist/bin/tests/system/ecdsa/tests.sh
external/bsd/bind/dist/bin/tests/system/filter-aaaa/Makefile.in
external/bsd/bind/dist/bin/tests/system/filter-aaaa/clean.sh
external/bsd/bind/dist/bin/tests/system/filter-aaaa/ns1/sign.sh
external/bsd/bind/dist/bin/tests/system/filter-aaaa/ns4/sign.sh
external/bsd/bind/dist/bin/tests/system/filter-aaaa/prereq.sh
external/bsd/bind/dist/bin/tests/system/filter-aaaa/setup.sh
external/bsd/bind/dist/bin/tests/system/forward/clean.sh
external/bsd/bind/dist/bin/tests/system/forward/tests.sh
external/bsd/bind/dist/bin/tests/system/glue/clean.sh
external/bsd/bind/dist/bin/tests/system/glue/setup.sh
external/bsd/bind/dist/bin/tests/system/glue/tests.sh
external/bsd/bind/dist/bin/tests/system/gost/clean.sh
external/bsd/bind/dist/bin/tests/system/gost/ns1/sign.sh
external/bsd/bind/dist/bin/tests/system/gost/prereq.sh.in
external/bsd/bind/dist/bin/tests/system/gost/setup.sh
external/bsd/bind/dist/bin/tests/system/gost/tests.sh
external/bsd/bind/dist/bin/tests/system/ifconfig.sh
external/bsd/bind/dist/bin/tests/system/ixfr/prereq.sh
external/bsd/bind/dist/bin/tests/system/limits/clean.sh
external/bsd/bind/dist/bin/tests/system/limits/tests.sh
external/bsd/bind/dist/bin/tests/system/logfileconfig/clean.sh
external/bsd/bind/dist/bin/tests/system/logfileconfig/setup.sh
external/bsd/bind/dist/bin/tests/system/logfileconfig/tests.sh
external/bsd/bind/dist/bin/tests/system/lwresd/Makefile.in
external/bsd/bind/dist/bin/tests/system/lwresd/lwresd1/resolv.conf
external/bsd/bind/dist/bin/tests/system/lwresd/resolv.conf
external/bsd/bind/dist/bin/tests/system/masterfile/clean.sh
external/bsd/bind/dist/bin/tests/system/masterfile/tests.sh
external/bsd/bind/dist/bin/tests/system/metadata/clean.sh
external/bsd/bind/dist/bin/tests/system/metadata/prereq.sh
external/bsd/bind/dist/bin/tests/system/metadata/setup.sh
external/bsd/bind/dist/bin/tests/system/metadata/tests.sh
external/bsd/bind/dist/bin/tests/system/notify/clean.sh
external/bsd/bind/dist/bin/tests/system/notify/setup.sh
external/bsd/bind/dist/bin/tests/system/notify/tests.sh
external/bsd/bind/dist/bin/tests/system/nsupdate/commandlist
external/bsd/bind/dist/bin/tests/system/nsupdate/ns3/sign.sh
external/bsd/bind/dist/bin/tests/system/nsupdate/setup.sh
external/bsd/bind/dist/bin/tests/system/nsupdate/tests.sh
external/bsd/bind/dist/bin/tests/system/nsupdate/update_test.pl
external/bsd/bind/dist/bin/tests/system/org.isc.bind.system
external/bsd/bind/dist/bin/tests/system/packet.pl
external/bsd/bind/dist/bin/tests/system/pending/clean.sh
external/bsd/bind/dist/bin/tests/system/pending/ns1/sign.sh
external/bsd/bind/dist/bin/tests/system/pending/ns2/sign.sh
external/bsd/bind/dist/bin/tests/system/pending/prereq.sh
external/bsd/bind/dist/bin/tests/system/pending/setup.sh
external/bsd/bind/dist/bin/tests/system/pending/tests.sh
external/bsd/bind/dist/bin/tests/system/pkcs11/clean.sh
external/bsd/bind/dist/bin/tests/system/pkcs11/prereq.sh
external/bsd/bind/dist/bin/tests/system/pkcs11/setup.sh
external/bsd/bind/dist/bin/tests/system/pkcs11/tests.sh
external/bsd/bind/dist/bin/tests/system/redirect/clean.sh
external/bsd/bind/dist/bin/tests/system/redirect/ns1/sign.sh
external/bsd/bind/dist/bin/tests/system/redirect/setup.sh
external/bsd/bind/dist/bin/tests/system/redirect/tests.sh
external/bsd/bind/dist/bin/tests/system/resolver/ans2/ans.pl
external/bsd/bind/dist/bin/tests/system/resolver/ans3/ans.pl
external/bsd/bind/dist/bin/tests/system/resolver/ns6/keygen.sh
external/bsd/bind/dist/bin/tests/system/resolver/prereq.sh
external/bsd/bind/dist/bin/tests/system/rndc/clean.sh
external/bsd/bind/dist/bin/tests/system/rndc/ns2/named.conf
external/bsd/bind/dist/bin/tests/system/rndc/ns2/secondkey.conf
external/bsd/bind/dist/bin/tests/system/rndc/setup.sh
external/bsd/bind/dist/bin/tests/system/rndc/tests.sh
external/bsd/bind/dist/bin/tests/system/rpz/Makefile.in
external/bsd/bind/dist/bin/tests/system/rpz/clean.sh
external/bsd/bind/dist/bin/tests/system/rpz/ns1/root.db
external/bsd/bind/dist/bin/tests/system/rpz/ns2/base-tld2s.db
external/bsd/bind/dist/bin/tests/system/rpz/ns2/named.conf
external/bsd/bind/dist/bin/tests/system/rpz/ns2/tld2.db
external/bsd/bind/dist/bin/tests/system/rpz/ns3/base.db
external/bsd/bind/dist/bin/tests/system/rpz/ns3/crash2
external/bsd/bind/dist/bin/tests/system/rpz/ns3/named.conf
external/bsd/bind/dist/bin/tests/system/rpz/ns4/named.conf
external/bsd/bind/dist/bin/tests/system/rpz/ns4/tld4.db
external/bsd/bind/dist/bin/tests/system/rpz/ns5/hints
external/bsd/bind/dist/bin/tests/system/rpz/ns5/named.conf
external/bsd/bind/dist/bin/tests/system/rpz/qperf.sh
external/bsd/bind/dist/bin/tests/system/rpz/rpz.c
external/bsd/bind/dist/bin/tests/system/rpz/setup.sh
external/bsd/bind/dist/bin/tests/system/rpz/test1
external/bsd/bind/dist/bin/tests/system/rpz/test2
external/bsd/bind/dist/bin/tests/system/rpz/test5
external/bsd/bind/dist/bin/tests/system/rpz/tests.sh
external/bsd/bind/dist/bin/tests/system/rrsetorder/clean.sh
external/bsd/bind/dist/bin/tests/system/rsabigexponent/Makefile.in
external/bsd/bind/dist/bin/tests/system/rsabigexponent/bigkey.c
external/bsd/bind/dist/bin/tests/system/rsabigexponent/clean.sh
external/bsd/bind/dist/bin/tests/system/rsabigexponent/conf/bad01.conf
external/bsd/bind/dist/bin/tests/system/rsabigexponent/conf/bad02.conf
external/bsd/bind/dist/bin/tests/system/rsabigexponent/conf/bad03.conf
external/bsd/bind/dist/bin/tests/system/rsabigexponent/conf/good01.conf
external/bsd/bind/dist/bin/tests/system/rsabigexponent/conf/good02.conf
external/bsd/bind/dist/bin/tests/system/rsabigexponent/conf/good03.conf
external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns1/named.conf
external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns1/root.db.in
external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns1/sign.sh
external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.key
external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.private
external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/Xexample.+005+51829.key
external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/Xexample.+005+51829.private
external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/dsset-example.in
external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/example.db.bad
external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/example.db.in
external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/named.conf
external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/sign.sh
external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns3/named.conf
external/bsd/bind/dist/bin/tests/system/rsabigexponent/prereq.sh
external/bsd/bind/dist/bin/tests/system/rsabigexponent/setup.sh
external/bsd/bind/dist/bin/tests/system/rsabigexponent/tests.sh
external/bsd/bind/dist/bin/tests/system/run.sh
external/bsd/bind/dist/bin/tests/system/runall.sh
external/bsd/bind/dist/bin/tests/system/send.pl
external/bsd/bind/dist/bin/tests/system/setup.sh
external/bsd/bind/dist/bin/tests/system/smartsign/clean.sh
external/bsd/bind/dist/bin/tests/system/smartsign/prereq.sh
external/bsd/bind/dist/bin/tests/system/smartsign/setup.sh
external/bsd/bind/dist/bin/tests/system/sortlist/clean.sh
external/bsd/bind/dist/bin/tests/system/sortlist/tests.sh
external/bsd/bind/dist/bin/tests/system/start.sh
external/bsd/bind/dist/bin/tests/system/staticstub/clean.sh
external/bsd/bind/dist/bin/tests/system/staticstub/ns3/sign.sh
external/bsd/bind/dist/bin/tests/system/staticstub/ns4/sign.sh
external/bsd/bind/dist/bin/tests/system/staticstub/setup.sh
external/bsd/bind/dist/bin/tests/system/staticstub/tests.sh
external/bsd/bind/dist/bin/tests/system/stop.pl
external/bsd/bind/dist/bin/tests/system/stop.sh
external/bsd/bind/dist/bin/tests/system/stress/clean.sh
external/bsd/bind/dist/bin/tests/system/stress/setup.pl
external/bsd/bind/dist/bin/tests/system/stress/setup.sh
external/bsd/bind/dist/bin/tests/system/stress/tests.sh
external/bsd/bind/dist/bin/tests/system/stress/update.pl
external/bsd/bind/dist/bin/tests/system/stub/clean.sh
external/bsd/bind/dist/bin/tests/system/stub/tests.sh
external/bsd/bind/dist/bin/tests/system/testsock.pl
external/bsd/bind/dist/bin/tests/system/testsock6.pl
external/bsd/bind/dist/bin/tests/system/tkey/Makefile.in
external/bsd/bind/dist/bin/tests/system/tkey/clean.sh
external/bsd/bind/dist/bin/tests/system/tkey/ns1/setup.sh
external/bsd/bind/dist/bin/tests/system/tkey/prereq.sh
external/bsd/bind/dist/bin/tests/system/tkey/setup.sh
external/bsd/bind/dist/bin/tests/system/tkey/tests.sh
external/bsd/bind/dist/bin/tests/system/tsig/clean.sh
external/bsd/bind/dist/bin/tests/system/tsig/tests.sh
external/bsd/bind/dist/bin/tests/system/tsiggss/Makefile.in
external/bsd/bind/dist/bin/tests/system/tsiggss/authsock.pl
external/bsd/bind/dist/bin/tests/system/tsiggss/prereq.sh
external/bsd/bind/dist/bin/tests/system/tsiggss/setup.sh
external/bsd/bind/dist/bin/tests/system/unknown/clean.sh
external/bsd/bind/dist/bin/tests/system/unknown/ns1/example-in.db
external/bsd/bind/dist/bin/tests/system/unknown/ns1/large.db
external/bsd/bind/dist/bin/tests/system/unknown/ns2/named.conf
external/bsd/bind/dist/bin/tests/system/unknown/ns3/named.conf
external/bsd/bind/dist/bin/tests/system/unknown/ns3/sign.sh
external/bsd/bind/dist/bin/tests/system/unknown/setup.sh
external/bsd/bind/dist/bin/tests/system/unknown/tests.sh
external/bsd/bind/dist/bin/tests/system/upforwd/ans4/ans.pl
external/bsd/bind/dist/bin/tests/system/upforwd/clean.sh
external/bsd/bind/dist/bin/tests/system/upforwd/setup.sh
external/bsd/bind/dist/bin/tests/system/upforwd/tests.sh
external/bsd/bind/dist/bin/tests/system/v6synth/clean.sh
external/bsd/bind/dist/bin/tests/system/v6synth/tests.sh
external/bsd/bind/dist/bin/tests/system/verify/clean.sh
external/bsd/bind/dist/bin/tests/system/verify/setup.sh
external/bsd/bind/dist/bin/tests/system/verify/tests.sh
external/bsd/bind/dist/bin/tests/system/verify/zones/genzones.sh
external/bsd/bind/dist/bin/tests/system/verify/zones/unsigned.db
external/bsd/bind/dist/bin/tests/system/views/clean.sh
external/bsd/bind/dist/bin/tests/system/views/setup.sh
external/bsd/bind/dist/bin/tests/system/views/tests.sh
external/bsd/bind/dist/bin/tests/system/xfer/prereq.sh
external/bsd/bind/dist/bin/tests/system/xfer/setup.sh
external/bsd/bind/dist/bin/tests/system/xferquota/clean.sh
external/bsd/bind/dist/bin/tests/system/xferquota/setup.pl
external/bsd/bind/dist/bin/tests/system/xferquota/setup.sh
external/bsd/bind/dist/bin/tests/system/xferquota/tests.sh
external/bsd/bind/dist/bin/tests/t_api.pl
external/bsd/bind/dist/bin/tests/tasks/Makefile.in
external/bsd/bind/dist/bin/tests/timers/Makefile.in
external/bsd/bind/dist/bin/tests/virtual-time/Makefile.in
external/bsd/bind/dist/bin/tests/virtual-time/autosign-ksk/clean.sh
external/bsd/bind/dist/bin/tests/virtual-time/autosign-ksk/ns1/sign.sh
external/bsd/bind/dist/bin/tests/virtual-time/autosign-ksk/ns1/wrap.sh
external/bsd/bind/dist/bin/tests/virtual-time/autosign-ksk/setup.sh
external/bsd/bind/dist/bin/tests/virtual-time/autosign-ksk/tests.sh
external/bsd/bind/dist/bin/tests/virtual-time/autosign-zsk/clean.sh
external/bsd/bind/dist/bin/tests/virtual-time/autosign-zsk/ns1/sign.sh
external/bsd/bind/dist/bin/tests/virtual-time/autosign-zsk/ns1/wrap.sh
external/bsd/bind/dist/bin/tests/virtual-time/autosign-zsk/setup.sh
external/bsd/bind/dist/bin/tests/virtual-time/autosign-zsk/tests.sh
external/bsd/bind/dist/bin/tests/virtual-time/cleanall.sh
external/bsd/bind/dist/bin/tests/virtual-time/conf.sh.in
external/bsd/bind/dist/bin/tests/virtual-time/run.sh
external/bsd/bind/dist/bin/tests/virtual-time/runall.sh
external/bsd/bind/dist/bin/tests/virtual-time/setup.sh
external/bsd/bind/dist/bin/tests/virtual-time/slave/clean.sh
external/bsd/bind/dist/bin/tests/virtual-time/slave/ns1/wrap.sh
external/bsd/bind/dist/bin/tests/virtual-time/slave/setup.sh
external/bsd/bind/dist/bin/tests/virtual-time/slave/tests.sh
external/bsd/bind/dist/bin/tests/virtual-time/start.pl
external/bsd/bind/dist/bin/tests/virtual-time/start.sh
external/bsd/bind/dist/bin/tests/virtual-time/stop.pl
external/bsd/bind/dist/bin/tests/virtual-time/stop.sh
external/bsd/bind/dist/bin/tests/virtual-time/testsock.pl
external/bsd/bind/dist/bin/tools/Makefile.in
external/bsd/bind/dist/config.h.in
external/bsd/bind/dist/configure
external/bsd/bind/dist/configure.in
external/bsd/bind/dist/contrib/check-secure-delegation.pl.in
external/bsd/bind/dist/contrib/dlz/bin/dlzbdb/Makefile.in
external/bsd/bind/dist/contrib/dlz/drivers/dlz_dlopen_driver.c
external/bsd/bind/dist/contrib/named-bootconf/named-bootconf.sh
external/bsd/bind/dist/contrib/nanny/nanny.pl
external/bsd/bind/dist/contrib/sdb/tcl/lookup.tcl
external/bsd/bind/dist/contrib/zkt/doc/rfc5011.txt
external/bsd/bind/dist/contrib/zone-edit.sh.in
external/bsd/bind/dist/doc/Makefile.in
external/bsd/bind/dist/doc/arm/Bv9ARM-book.xml
external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html
external/bsd/bind/dist/doc/arm/Bv9ARM.html
external/bsd/bind/dist/doc/arm/Makefile.in
external/bsd/bind/dist/doc/arm/latex-fixup.pl
external/bsd/bind/dist/doc/arm/man.arpaname.html
external/bsd/bind/dist/doc/arm/man.ddns-confgen.html
external/bsd/bind/dist/doc/arm/man.dig.html
external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html
external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html
external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html
external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html
external/bsd/bind/dist/doc/arm/man.dnssec-settime.html
external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html
external/bsd/bind/dist/doc/arm/man.dnssec-verify.html
external/bsd/bind/dist/doc/arm/man.genrandom.html
external/bsd/bind/dist/doc/arm/man.host.html
external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html
external/bsd/bind/dist/doc/arm/man.named-checkconf.html
external/bsd/bind/dist/doc/arm/man.named-checkzone.html
external/bsd/bind/dist/doc/arm/man.named-journalprint.html
external/bsd/bind/dist/doc/arm/man.named.html
external/bsd/bind/dist/doc/arm/man.nsec3hash.html
external/bsd/bind/dist/doc/arm/man.nsupdate.html
external/bsd/bind/dist/doc/arm/man.rndc-confgen.html
external/bsd/bind/dist/doc/arm/man.rndc.conf.html
external/bsd/bind/dist/doc/arm/man.rndc.html
external/bsd/bind/dist/doc/doxygen/Makefile.in
external/bsd/bind/dist/doc/doxygen/doxygen-input-filter.in
external/bsd/bind/dist/doc/misc/Makefile.in
external/bsd/bind/dist/doc/misc/format-options.pl
external/bsd/bind/dist/doc/misc/options
external/bsd/bind/dist/doc/misc/sort-options.pl
external/bsd/bind/dist/doc/xsl/Makefile.in
external/bsd/bind/dist/isc-config.sh.in
external/bsd/bind/dist/lib/Makefile.in
external/bsd/bind/dist/lib/bind9/Makefile.in
external/bsd/bind/dist/lib/bind9/api
external/bsd/bind/dist/lib/bind9/check.c
external/bsd/bind/dist/lib/bind9/include/Makefile.in
external/bsd/bind/dist/lib/bind9/include/bind9/Makefile.in
external/bsd/bind/dist/lib/dns/Makefile.in
external/bsd/bind/dist/lib/dns/adb.c
external/bsd/bind/dist/lib/dns/api
external/bsd/bind/dist/lib/dns/db.c
external/bsd/bind/dist/lib/dns/dnssec.c
external/bsd/bind/dist/lib/dns/ds.c
external/bsd/bind/dist/lib/dns/dst_api.c
external/bsd/bind/dist/lib/dns/dst_internal.h
external/bsd/bind/dist/lib/dns/dst_openssl.h
external/bsd/bind/dist/lib/dns/dst_parse.c
external/bsd/bind/dist/lib/dns/dst_parse.h
external/bsd/bind/dist/lib/dns/dst_result.c
external/bsd/bind/dist/lib/dns/gssapi_link.c
external/bsd/bind/dist/lib/dns/hmac_link.c
external/bsd/bind/dist/lib/dns/include/Makefile.in
external/bsd/bind/dist/lib/dns/include/dns/Makefile.in
external/bsd/bind/dist/lib/dns/include/dns/db.h
external/bsd/bind/dist/lib/dns/include/dns/dnssec.h
external/bsd/bind/dist/lib/dns/include/dns/ds.h
external/bsd/bind/dist/lib/dns/include/dns/iptable.h
external/bsd/bind/dist/lib/dns/include/dns/keyvalues.h
external/bsd/bind/dist/lib/dns/include/dns/log.h
external/bsd/bind/dist/lib/dns/include/dns/nsec.h
external/bsd/bind/dist/lib/dns/include/dns/private.h
external/bsd/bind/dist/lib/dns/include/dns/rdata.h
external/bsd/bind/dist/lib/dns/include/dns/rdataset.h
external/bsd/bind/dist/lib/dns/include/dns/rpz.h
external/bsd/bind/dist/lib/dns/include/dns/stats.h
external/bsd/bind/dist/lib/dns/include/dns/view.h
external/bsd/bind/dist/lib/dns/include/dns/zone.h
external/bsd/bind/dist/lib/dns/include/dst/Makefile.in
external/bsd/bind/dist/lib/dns/include/dst/dst.h
external/bsd/bind/dist/lib/dns/include/dst/result.h
external/bsd/bind/dist/lib/dns/log.c
external/bsd/bind/dist/lib/dns/master.c
external/bsd/bind/dist/lib/dns/masterdump.c
external/bsd/bind/dist/lib/dns/nsec.c
external/bsd/bind/dist/lib/dns/nsec3.c
external/bsd/bind/dist/lib/dns/openssl_link.c
external/bsd/bind/dist/lib/dns/openssldh_link.c
external/bsd/bind/dist/lib/dns/openssldsa_link.c
external/bsd/bind/dist/lib/dns/opensslecdsa_link.c
external/bsd/bind/dist/lib/dns/opensslgost_link.c
external/bsd/bind/dist/lib/dns/opensslrsa_link.c
external/bsd/bind/dist/lib/dns/rbtdb.c
external/bsd/bind/dist/lib/dns/rcode.c
external/bsd/bind/dist/lib/dns/rdata.c
external/bsd/bind/dist/lib/dns/rdata/generic/dlv_32769.c
external/bsd/bind/dist/lib/dns/rdata/generic/ds_43.c
external/bsd/bind/dist/lib/dns/rdataset.c
external/bsd/bind/dist/lib/dns/resolver.c
external/bsd/bind/dist/lib/dns/rpz.c
external/bsd/bind/dist/lib/dns/spnego_asn1.pl
external/bsd/bind/dist/lib/dns/tests/Makefile.in
external/bsd/bind/dist/lib/dns/tests/dnstest.h
external/bsd/bind/dist/lib/dns/tests/rdataset_test.c
external/bsd/bind/dist/lib/dns/tests/zt_test.c
external/bsd/bind/dist/lib/dns/update.c
external/bsd/bind/dist/lib/dns/validator.c
external/bsd/bind/dist/lib/dns/view.c
external/bsd/bind/dist/lib/dns/win32/libdns.def
external/bsd/bind/dist/lib/dns/zone.c
external/bsd/bind/dist/lib/dns/zt.c
external/bsd/bind/dist/lib/export/Makefile.in
external/bsd/bind/dist/lib/export/dns/Makefile.in
external/bsd/bind/dist/lib/export/dns/include/Makefile.in
external/bsd/bind/dist/lib/export/dns/include/dns/Makefile.in
external/bsd/bind/dist/lib/export/dns/include/dst/Makefile.in
external/bsd/bind/dist/lib/export/irs/include/irs/Makefile.in
external/bsd/bind/dist/lib/export/isc/Makefile.in
external/bsd/bind/dist/lib/export/isc/include/isc/Makefile.in
external/bsd/bind/dist/lib/export/isc/nls/Makefile.in
external/bsd/bind/dist/lib/export/isc/nothreads/Makefile.in
external/bsd/bind/dist/lib/export/isc/nothreads/include/isc/Makefile.in
external/bsd/bind/dist/lib/export/isc/pthreads/Makefile.in
external/bsd/bind/dist/lib/export/isc/pthreads/include/isc/Makefile.in
external/bsd/bind/dist/lib/export/isc/unix/Makefile.in
external/bsd/bind/dist/lib/export/isc/unix/include/isc/Makefile.in
external/bsd/bind/dist/lib/export/isccfg/include/isccfg/Makefile.in
external/bsd/bind/dist/lib/export/samples/Makefile-postinstall.in
external/bsd/bind/dist/lib/export/samples/Makefile.in
external/bsd/bind/dist/lib/irs/Makefile.in
external/bsd/bind/dist/lib/irs/include/Makefile.in
external/bsd/bind/dist/lib/irs/include/irs/Makefile.in
external/bsd/bind/dist/lib/isc/alpha/Makefile.in
external/bsd/bind/dist/lib/isc/alpha/include/Makefile.in
external/bsd/bind/dist/lib/isc/alpha/include/isc/Makefile.in
external/bsd/bind/dist/lib/isc/api
external/bsd/bind/dist/lib/isc/ia64/Makefile.in
external/bsd/bind/dist/lib/isc/ia64/include/Makefile.in
external/bsd/bind/dist/lib/isc/ia64/include/isc/Makefile.in
external/bsd/bind/dist/lib/isc/ia64/include/isc/atomic.h
external/bsd/bind/dist/lib/isc/include/Makefile.in
external/bsd/bind/dist/lib/isc/include/isc/file.h
external/bsd/bind/dist/lib/isc/include/isc/heap.h
external/bsd/bind/dist/lib/isc/include/isc/list.h
external/bsd/bind/dist/lib/isc/include/isc/namespace.h
external/bsd/bind/dist/lib/isc/include/isc/queue.h
external/bsd/bind/dist/lib/isc/include/isc/task.h
external/bsd/bind/dist/lib/isc/mem.c
external/bsd/bind/dist/lib/isc/mips/Makefile.in
external/bsd/bind/dist/lib/isc/mips/include/Makefile.in
external/bsd/bind/dist/lib/isc/mips/include/isc/Makefile.in
external/bsd/bind/dist/lib/isc/nls/Makefile.in
external/bsd/bind/dist/lib/isc/noatomic/Makefile.in
external/bsd/bind/dist/lib/isc/noatomic/include/Makefile.in
external/bsd/bind/dist/lib/isc/noatomic/include/isc/Makefile.in
external/bsd/bind/dist/lib/isc/nothreads/Makefile.in
external/bsd/bind/dist/lib/isc/nothreads/include/Makefile.in
external/bsd/bind/dist/lib/isc/nothreads/include/isc/Makefile.in
external/bsd/bind/dist/lib/isc/powerpc/Makefile.in
external/bsd/bind/dist/lib/isc/powerpc/include/Makefile.in
external/bsd/bind/dist/lib/isc/powerpc/include/isc/Makefile.in
external/bsd/bind/dist/lib/isc/pthreads/Makefile.in
external/bsd/bind/dist/lib/isc/pthreads/condition.c
external/bsd/bind/dist/lib/isc/pthreads/include/Makefile.in
external/bsd/bind/dist/lib/isc/pthreads/include/isc/Makefile.in
external/bsd/bind/dist/lib/isc/sparc64/Makefile.in
external/bsd/bind/dist/lib/isc/sparc64/include/Makefile.in
external/bsd/bind/dist/lib/isc/sparc64/include/isc/Makefile.in
external/bsd/bind/dist/lib/isc/task.c
external/bsd/bind/dist/lib/isc/task_api.c
external/bsd/bind/dist/lib/isc/tests/isctest.c
external/bsd/bind/dist/lib/isc/tests/isctest.h
external/bsd/bind/dist/lib/isc/tests/queue_test.c
external/bsd/bind/dist/lib/isc/unix/Makefile.in
external/bsd/bind/dist/lib/isc/unix/file.c
external/bsd/bind/dist/lib/isc/unix/include/Makefile.in
external/bsd/bind/dist/lib/isc/unix/include/isc/Makefile.in
external/bsd/bind/dist/lib/isc/win32/Makefile.in
external/bsd/bind/dist/lib/isc/win32/file.c
external/bsd/bind/dist/lib/isc/win32/include/Makefile.in
external/bsd/bind/dist/lib/isc/win32/include/isc/Makefile.in
external/bsd/bind/dist/lib/isc/win32/include/isc/stat.h
external/bsd/bind/dist/lib/isc/win32/libisc.def
external/bsd/bind/dist/lib/isc/x86_32/Makefile.in
external/bsd/bind/dist/lib/isc/x86_32/include/Makefile.in
external/bsd/bind/dist/lib/isc/x86_32/include/isc/Makefile.in
external/bsd/bind/dist/lib/isc/x86_64/Makefile.in
external/bsd/bind/dist/lib/isc/x86_64/include/Makefile.in
external/bsd/bind/dist/lib/isc/x86_64/include/isc/Makefile.in
external/bsd/bind/dist/lib/isccc/api
external/bsd/bind/dist/lib/isccc/cc.c
external/bsd/bind/dist/lib/isccc/include/Makefile.in
external/bsd/bind/dist/lib/isccc/include/isccc/Makefile.in
external/bsd/bind/dist/lib/isccfg/api
external/bsd/bind/dist/lib/isccfg/include/Makefile.in
external/bsd/bind/dist/lib/isccfg/include/isccfg/Makefile.in
external/bsd/bind/dist/lib/isccfg/namedconf.c
external/bsd/bind/dist/lib/lwres/Makefile.in
external/bsd/bind/dist/lib/lwres/api
external/bsd/bind/dist/lib/lwres/getaddrinfo.c
external/bsd/bind/dist/lib/lwres/include/Makefile.in
external/bsd/bind/dist/lib/lwres/include/lwres/Makefile.in
external/bsd/bind/dist/lib/lwres/man/Makefile.in
external/bsd/bind/dist/lib/lwres/unix/Makefile.in
external/bsd/bind/dist/lib/lwres/unix/include/Makefile.in
external/bsd/bind/dist/lib/lwres/unix/include/lwres/Makefile.in
external/bsd/bind/dist/lib/lwres/win32/Makefile.in
external/bsd/bind/dist/lib/lwres/win32/include/Makefile.in
external/bsd/bind/dist/lib/lwres/win32/include/lwres/Makefile.in
external/bsd/bind/dist/lib/tests/Makefile.in
external/bsd/bind/dist/lib/tests/include/Makefile.in
external/bsd/bind/dist/lib/tests/include/tests/Makefile.in
external/bsd/bind/dist/make/Makefile.in
external/bsd/bind/dist/make/includes.in
external/bsd/bind/dist/make/rules.in
external/bsd/bind/dist/srcid
external/bsd/bind/dist/unit/atf-src/atf-c/detail/process_test.c
external/bsd/bind/dist/unit/atf-src/atf-c/detail/sanity.h
external/bsd/bind/dist/unit/atf-src/atf-c/detail/text_test.c
external/bsd/bind/dist/unit/atf-src/atf-c/macros.h
external/bsd/bind/dist/version
external/bsd/bind/include/config.h
external/bsd/bind/lib/libbind9/shlib_version
external/bsd/bind/lib/libdns/Makefile
external/bsd/bind/lib/libdns/shlib_version
external/bsd/bind/lib/libisc/shlib_version
external/bsd/bind/lib/libisccc/shlib_version
external/bsd/bind/lib/libisccfg/shlib_version
external/bsd/bind/lib/liblwres/shlib_version
--- a/distrib/sets/lists/base/ad.mips64eb	Thu Dec 13 23:51:40 2012 +0000
+++ b/distrib/sets/lists/base/ad.mips64eb	Sat Dec 15 05:39:18 2012 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: ad.mips64eb,v 1.82.2.6 2012/12/13 23:50:28 riz Exp $
+# $NetBSD: ad.mips64eb,v 1.82.2.7 2012/12/15 05:40:17 riz Exp $
 ./libexec/ld.elf_so-64				base-compat-shlib	compat,pic
 ./libexec/ld.elf_so-o32				base-sysutil-bin	compat,pic
 ./usr/lib/64					base-compat-lib
@@ -58,7 +58,7 @@
 ./usr/lib/64/libbfd.so.12			base-compat-shlib	compat,pic,binutils
 ./usr/lib/64/libbfd.so.12.0			base-compat-shlib	compat,pic,binutils
 ./usr/lib/64/libbind9.so.5			base-compat-shlib	compat,pic
-./usr/lib/64/libbind9.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/64/libbind9.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/64/libbluetooth.so.4			base-compat-shlib	compat,pic
 ./usr/lib/64/libbluetooth.so.4.2		base-compat-shlib	compat,pic
 ./usr/lib/64/libbsdmalloc.so.0			base-compat-shlib	compat,pic
@@ -84,7 +84,7 @@
 ./usr/lib/64/libdm.so.0				base-compat-shlib	compat,pic
 ./usr/lib/64/libdm.so.0.0			base-compat-shlib	compat,pic
 ./usr/lib/64/libdns.so.5			base-compat-shlib	compat,pic
-./usr/lib/64/libdns.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/64/libdns.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/64/libdns_sd.so.0			base-compat-shlib	compat,pic,mdns
 ./usr/lib/64/libdns_sd.so.0.0			base-compat-shlib	compat,pic,mdns
 ./usr/lib/64/libdwarf.so.0			base-compat-shlib	compat,pic
@@ -124,11 +124,11 @@
 ./usr/lib/64/libipsec.so.3			base-compat-shlib	compat,pic
 ./usr/lib/64/libipsec.so.3.0			base-compat-shlib	compat,pic
 ./usr/lib/64/libisc.so.5			base-compat-shlib	compat,pic
-./usr/lib/64/libisc.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/64/libisc.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/64/libisccc.so.5			base-compat-shlib	compat,pic
-./usr/lib/64/libisccc.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/64/libisccc.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/64/libisccfg.so.5			base-compat-shlib	compat,pic
-./usr/lib/64/libisccfg.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/64/libisccfg.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/64/libiscsi.so.2			base-compat-shlib	compat,pic,iscsi
 ./usr/lib/64/libiscsi.so.2.0			base-compat-shlib	compat,pic,iscsi
 ./usr/lib/64/libisns.so.0			base-compat-shlib	compat,pic
@@ -154,7 +154,7 @@
 ./usr/lib/64/liblua.so.1			base-compat-shlib	compat,pic
 ./usr/lib/64/liblua.so.1.0			base-compat-shlib	compat,pic
 ./usr/lib/64/liblwres.so.5			base-compat-shlib	compat,pic
-./usr/lib/64/liblwres.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/64/liblwres.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/64/liblzf.so.0			base-compat-shlib	compat,pic
 ./usr/lib/64/liblzf.so.0.0			base-compat-shlib	compat,pic
 ./usr/lib/64/liblzma.so.1			base-compat-shlib	compat,pic
@@ -365,7 +365,7 @@
 ./usr/lib/o32/libbfd.so.12			base-compat-shlib	compat,pic,binutils
 ./usr/lib/o32/libbfd.so.12.0			base-compat-shlib	compat,pic,binutils
 ./usr/lib/o32/libbind9.so.5			base-compat-shlib	compat,pic
-./usr/lib/o32/libbind9.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/o32/libbind9.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/o32/libbluetooth.so.4			base-compat-shlib	compat,pic
 ./usr/lib/o32/libbluetooth.so.4.2		base-compat-shlib	compat,pic
 ./usr/lib/o32/libbsdmalloc.so.0			base-compat-shlib	compat,pic
@@ -389,7 +389,7 @@
 ./usr/lib/o32/libdm.so.0			base-compat-shlib	compat,pic
 ./usr/lib/o32/libdm.so.0.0			base-compat-shlib	compat,pic
 ./usr/lib/o32/libdns.so.5			base-compat-shlib	compat,pic
-./usr/lib/o32/libdns.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/o32/libdns.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/o32/libdns_sd.so.0			base-compat-shlib	compat,pic,mdns
 ./usr/lib/o32/libdns_sd.so.0.0			base-compat-shlib	compat,pic,mdns
 ./usr/lib/o32/libdwarf.so.0			base-compat-shlib	compat,pic
@@ -429,11 +429,11 @@
 ./usr/lib/o32/libipsec.so.3			base-compat-shlib	compat,pic
 ./usr/lib/o32/libipsec.so.3.0			base-compat-shlib	compat,pic
 ./usr/lib/o32/libisc.so.5			base-compat-shlib	compat,pic
-./usr/lib/o32/libisc.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/o32/libisc.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/o32/libisccc.so.5			base-compat-shlib	compat,pic
-./usr/lib/o32/libisccc.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/o32/libisccc.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/o32/libisccfg.so.5			base-compat-shlib	compat,pic
-./usr/lib/o32/libisccfg.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/o32/libisccfg.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/o32/libiscsi.so.2			base-compat-shlib	compat,pic,iscsi
 ./usr/lib/o32/libiscsi.so.2.0			base-compat-shlib	compat,pic,iscsi
 ./usr/lib/o32/libisns.so.0			base-compat-shlib	compat,pic
@@ -459,7 +459,7 @@
 ./usr/lib/o32/liblua.so.1			base-compat-shlib	compat,pic
 ./usr/lib/o32/liblua.so.1.0			base-compat-shlib	compat,pic
 ./usr/lib/o32/liblwres.so.5			base-compat-shlib	compat,pic
-./usr/lib/o32/liblwres.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/o32/liblwres.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/o32/liblzf.so.0			base-compat-shlib	compat,pic
 ./usr/lib/o32/liblzf.so.0.0			base-compat-shlib	compat,pic
 ./usr/lib/o32/liblzma.so.1			base-compat-shlib	compat,pic
--- a/distrib/sets/lists/base/ad.mips64el	Thu Dec 13 23:51:40 2012 +0000
+++ b/distrib/sets/lists/base/ad.mips64el	Sat Dec 15 05:39:18 2012 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: ad.mips64el,v 1.81.2.6 2012/12/13 23:50:28 riz Exp $
+# $NetBSD: ad.mips64el,v 1.81.2.7 2012/12/15 05:40:17 riz Exp $
 ./libexec/ld.elf_so-64				base-compat-shlib	compat,pic
 ./libexec/ld.elf_so-o32				base-sysutil-bin	compat,pic
 ./usr/lib/64					base-compat-lib
@@ -58,7 +58,7 @@
 ./usr/lib/64/libbfd.so.12			base-compat-shlib	compat,pic,binutils
 ./usr/lib/64/libbfd.so.12.0			base-compat-shlib	compat,pic,binutils
 ./usr/lib/64/libbind9.so.5			base-compat-shlib	compat,pic
-./usr/lib/64/libbind9.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/64/libbind9.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/64/libbluetooth.so.4			base-compat-shlib	compat,pic
 ./usr/lib/64/libbluetooth.so.4.2		base-compat-shlib	compat,pic
 ./usr/lib/64/libbsdmalloc.so.0			base-compat-shlib	compat,pic
@@ -84,7 +84,7 @@
 ./usr/lib/64/libdm.so.0				base-compat-shlib	compat,pic
 ./usr/lib/64/libdm.so.0.0			base-compat-shlib	compat,pic
 ./usr/lib/64/libdns.so.5			base-compat-shlib	compat,pic
-./usr/lib/64/libdns.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/64/libdns.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/64/libdns_sd.so.0			base-compat-shlib	compat,pic,mdns
 ./usr/lib/64/libdns_sd.so.0.0			base-compat-shlib	compat,pic,mdns
 ./usr/lib/64/libdwarf.so.0			base-compat-shlib	compat,pic
@@ -124,11 +124,11 @@
 ./usr/lib/64/libipsec.so.3			base-compat-shlib	compat,pic
 ./usr/lib/64/libipsec.so.3.0			base-compat-shlib	compat,pic
 ./usr/lib/64/libisc.so.5			base-compat-shlib	compat,pic
-./usr/lib/64/libisc.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/64/libisc.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/64/libisccc.so.5			base-compat-shlib	compat,pic
-./usr/lib/64/libisccc.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/64/libisccc.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/64/libisccfg.so.5			base-compat-shlib	compat,pic
-./usr/lib/64/libisccfg.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/64/libisccfg.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/64/libiscsi.so.2			base-compat-shlib	compat,pic,iscsi
 ./usr/lib/64/libiscsi.so.2.0			base-compat-shlib	compat,pic,iscsi
 ./usr/lib/64/libisns.so.0			base-compat-shlib	compat,pic
@@ -154,7 +154,7 @@
 ./usr/lib/64/liblua.so.1			base-compat-shlib	compat,pic
 ./usr/lib/64/liblua.so.1.0			base-compat-shlib	compat,pic
 ./usr/lib/64/liblwres.so.5			base-compat-shlib	compat,pic
-./usr/lib/64/liblwres.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/64/liblwres.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/64/liblzf.so.0			base-compat-shlib	compat,pic
 ./usr/lib/64/liblzf.so.0.0			base-compat-shlib	compat,pic
 ./usr/lib/64/liblzma.so.1			base-compat-shlib	compat,pic
@@ -365,7 +365,7 @@
 ./usr/lib/o32/libbfd.so.12			base-compat-shlib	compat,pic,binutils
 ./usr/lib/o32/libbfd.so.12.0			base-compat-shlib	compat,pic,binutils
 ./usr/lib/o32/libbind9.so.5			base-compat-shlib	compat,pic
-./usr/lib/o32/libbind9.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/o32/libbind9.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/o32/libbluetooth.so.4			base-compat-shlib	compat,pic
 ./usr/lib/o32/libbluetooth.so.4.2		base-compat-shlib	compat,pic
 ./usr/lib/o32/libbsdmalloc.so.0			base-compat-shlib	compat,pic
@@ -389,7 +389,7 @@
 ./usr/lib/o32/libdm.so.0			base-compat-shlib	compat,pic
 ./usr/lib/o32/libdm.so.0.0			base-compat-shlib	compat,pic
 ./usr/lib/o32/libdns.so.5			base-compat-shlib	compat,pic
-./usr/lib/o32/libdns.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/o32/libdns.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/o32/libdns_sd.so.0			base-compat-shlib	compat,pic,mdns
 ./usr/lib/o32/libdns_sd.so.0.0			base-compat-shlib	compat,pic,mdns
 ./usr/lib/o32/libdwarf.so.0			base-compat-shlib	compat,pic
@@ -429,11 +429,11 @@
 ./usr/lib/o32/libipsec.so.3			base-compat-shlib	compat,pic
 ./usr/lib/o32/libipsec.so.3.0			base-compat-shlib	compat,pic
 ./usr/lib/o32/libisc.so.5			base-compat-shlib	compat,pic
-./usr/lib/o32/libisc.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/o32/libisc.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/o32/libisccc.so.5			base-compat-shlib	compat,pic
-./usr/lib/o32/libisccc.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/o32/libisccc.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/o32/libisccfg.so.5			base-compat-shlib	compat,pic
-./usr/lib/o32/libisccfg.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/o32/libisccfg.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/o32/libiscsi.so.2			base-compat-shlib	compat,pic,iscsi
 ./usr/lib/o32/libiscsi.so.2.0			base-compat-shlib	compat,pic,iscsi
 ./usr/lib/o32/libisns.so.0			base-compat-shlib	compat,pic
@@ -459,7 +459,7 @@
 ./usr/lib/o32/liblua.so.1			base-compat-shlib	compat,pic
 ./usr/lib/o32/liblua.so.1.0			base-compat-shlib	compat,pic
 ./usr/lib/o32/liblwres.so.5			base-compat-shlib	compat,pic
-./usr/lib/o32/liblwres.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/o32/liblwres.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/o32/liblzf.so.0			base-compat-shlib	compat,pic
 ./usr/lib/o32/liblzf.so.0.0			base-compat-shlib	compat,pic
 ./usr/lib/o32/liblzma.so.1			base-compat-shlib	compat,pic
--- a/distrib/sets/lists/base/md.amd64	Thu Dec 13 23:51:40 2012 +0000
+++ b/distrib/sets/lists/base/md.amd64	Sat Dec 15 05:39:18 2012 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: md.amd64,v 1.156.2.6 2012/12/13 23:50:28 riz Exp $
+# $NetBSD: md.amd64,v 1.156.2.7 2012/12/15 05:40:17 riz Exp $
 ./dev/lms0					base-obsolete		obsolete
 ./dev/mms0					base-obsolete		obsolete
 ./libexec/ld.elf_so-i386			base-sys-shlib		compat,pic
@@ -61,7 +61,7 @@
 ./usr/lib/i386/libbfd.so.12			base-compat-shlib	compat,pic,binutils
 ./usr/lib/i386/libbfd.so.12.0			base-compat-shlib	compat,pic,binutils
 ./usr/lib/i386/libbind9.so.5			base-compat-shlib	compat,pic
-./usr/lib/i386/libbind9.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/i386/libbind9.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/i386/libbluetooth.so.4		base-compat-shlib	compat,pic
 ./usr/lib/i386/libbluetooth.so.4.2		base-compat-shlib	compat,pic
 ./usr/lib/i386/libbsdmalloc.so.0		base-compat-shlib	compat,pic
@@ -93,7 +93,7 @@
 ./usr/lib/i386/libdm.so.0			base-compat-shlib	compat,pic
 ./usr/lib/i386/libdm.so.0.0			base-compat-shlib	compat,pic
 ./usr/lib/i386/libdns.so.5			base-compat-shlib	compat,pic
-./usr/lib/i386/libdns.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/i386/libdns.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/i386/libdns_sd.so.0			base-compat-shlib	compat,pic,mdns
 ./usr/lib/i386/libdns_sd.so.0.0			base-compat-shlib	compat,pic,mdns
 ./usr/lib/i386/libdwarf.so.0			base-compat-shlib	compat,pic
@@ -133,11 +133,11 @@
 ./usr/lib/i386/libipsec.so.3			base-compat-shlib	compat,pic
 ./usr/lib/i386/libipsec.so.3.0			base-compat-shlib	compat,pic
 ./usr/lib/i386/libisc.so.5			base-compat-shlib	compat,pic
-./usr/lib/i386/libisc.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/i386/libisc.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/i386/libisccc.so.5			base-compat-shlib	compat,pic
-./usr/lib/i386/libisccc.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/i386/libisccc.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/i386/libisccfg.so.5			base-compat-shlib	compat,pic
-./usr/lib/i386/libisccfg.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/i386/libisccfg.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/i386/libiscsi.so.2			base-compat-shlib	compat,pic,iscsi
 ./usr/lib/i386/libiscsi.so.2.0			base-compat-shlib	compat,pic,iscsi
 ./usr/lib/i386/libisns.so.0			base-compat-shlib	compat,pic
@@ -164,7 +164,7 @@
 ./usr/lib/i386/liblua.so.1			base-compat-shlib	compat,pic
 ./usr/lib/i386/liblua.so.1.0			base-compat-shlib	compat,pic
 ./usr/lib/i386/liblwres.so.5			base-compat-shlib	compat,pic
-./usr/lib/i386/liblwres.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/i386/liblwres.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/i386/liblzf.so.0			base-compat-shlib	compat,pic
 ./usr/lib/i386/liblzf.so.0.0			base-compat-shlib	compat,pic
 ./usr/lib/i386/liblzma.so.1			base-compat-shlib	compat,pic
--- a/distrib/sets/lists/base/md.sparc64	Thu Dec 13 23:51:40 2012 +0000
+++ b/distrib/sets/lists/base/md.sparc64	Sat Dec 15 05:39:18 2012 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: md.sparc64,v 1.147.2.6 2012/12/13 23:50:28 riz Exp $
+# $NetBSD: md.sparc64,v 1.147.2.7 2012/12/15 05:40:17 riz Exp $
 ./libexec/ld.elf_so-sparc			base-sysutil-bin	compat,pic
 ./sbin/edlabel					base-sysutil-root	obsolete
 ./usr/bin/fdformat				base-util-bin
@@ -59,7 +59,7 @@
 ./usr/lib/sparc/libbfd.so.12			base-compat-shlib	compat,pic,binutils
 ./usr/lib/sparc/libbfd.so.12.0			base-compat-shlib	compat,pic,binutils
 ./usr/lib/sparc/libbind9.so.5			base-compat-shlib	compat,pic
-./usr/lib/sparc/libbind9.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/sparc/libbind9.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/sparc/libbluetooth.so.4		base-compat-shlib	compat,pic
 ./usr/lib/sparc/libbluetooth.so.4.2		base-compat-shlib	compat,pic
 ./usr/lib/sparc/libbsdmalloc.so.0		base-compat-shlib	compat,pic
@@ -85,7 +85,7 @@
 ./usr/lib/sparc/libdm.so.0			base-compat-shlib	compat,pic
 ./usr/lib/sparc/libdm.so.0.0			base-compat-shlib	compat,pic
 ./usr/lib/sparc/libdns.so.5			base-compat-shlib	compat,pic
-./usr/lib/sparc/libdns.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/sparc/libdns.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/sparc/libdns_sd.so.0			base-compat-shlib	compat,pic,mdns
 ./usr/lib/sparc/libdns_sd.so.0.0		base-compat-shlib	compat,pic,mdns
 ./usr/lib/sparc/libdwarf.so.0			base-compat-shlib	compat,pic
@@ -125,11 +125,11 @@
 ./usr/lib/sparc/libipsec.so.3			base-compat-shlib	compat,pic
 ./usr/lib/sparc/libipsec.so.3.0			base-compat-shlib	compat,pic
 ./usr/lib/sparc/libisc.so.5			base-compat-shlib	compat,pic
-./usr/lib/sparc/libisc.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/sparc/libisc.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/sparc/libisccc.so.5			base-compat-shlib	compat,pic
-./usr/lib/sparc/libisccc.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/sparc/libisccc.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/sparc/libisccfg.so.5			base-compat-shlib	compat,pic
-./usr/lib/sparc/libisccfg.so.5.7		base-compat-shlib	compat,pic
+./usr/lib/sparc/libisccfg.so.5.8		base-compat-shlib	compat,pic
 ./usr/lib/sparc/libiscsi.so.2			base-compat-shlib	compat,pic,iscsi
 ./usr/lib/sparc/libiscsi.so.2.0			base-compat-shlib	compat,pic,iscsi
 ./usr/lib/sparc/libisns.so.0			base-compat-shlib	compat,pic
@@ -156,7 +156,7 @@
 ./usr/lib/sparc/liblua.so.1			base-compat-shlib	compat,pic
 ./usr/lib/sparc/liblua.so.1.0			base-compat-shlib	compat,pic
 ./usr/lib/sparc/liblwres.so.5			base-compat-shlib	compat,pic
-./usr/lib/sparc/liblwres.so.5.7			base-compat-shlib	compat,pic
+./usr/lib/sparc/liblwres.so.5.8			base-compat-shlib	compat,pic
 ./usr/lib/sparc/liblzf.so.0			base-compat-shlib	compat,pic
 ./usr/lib/sparc/liblzf.so.0.0			base-compat-shlib	compat,pic
 ./usr/lib/sparc/liblzma.so.1			base-compat-shlib	compat,pic
--- a/distrib/sets/lists/base/mi	Thu Dec 13 23:51:40 2012 +0000
+++ b/distrib/sets/lists/base/mi	Sat Dec 15 05:39:18 2012 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.984.2.13 2012/11/29 00:09:44 riz Exp $
+# $NetBSD: mi,v 1.984.2.14 2012/12/15 05:40:17 riz Exp $
 #
 # Note:	Don't delete entries from here - mark them as "obsolete" instead,
 #	unless otherwise stated below.
@@ -1209,6 +1209,7 @@
 ./usr/sbin/dnssec-settime			base-bind-bin
 ./usr/sbin/dnssec-signkey			base-obsolete		obsolete
 ./usr/sbin/dnssec-signzone			base-bind-bin
+./usr/sbin/dnssec-verify			base-bind-bin
 ./usr/sbin/download-vulnerability-list		base-pkgutil-bin	crypto
 ./usr/sbin/dtmfdecode				base-isdn-bin
 ./usr/sbin/dtrace				base-debug-bin		dtrace
--- a/distrib/sets/lists/base/shl.mi	Thu Dec 13 23:51:40 2012 +0000
+++ b/distrib/sets/lists/base/shl.mi	Sat Dec 15 05:39:18 2012 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: shl.mi,v 1.616.2.7 2012/11/30 04:27:54 msaitoh Exp $
+# $NetBSD: shl.mi,v 1.616.2.8 2012/12/15 05:40:18 riz Exp $
 #
 # Note:	Don't delete entries from here - mark them as "obsolete" instead,
 #	unless otherwise stated below.
@@ -164,7 +164,7 @@
 ./usr/lib/libbfd.so.12.0			base-sys-shlib		binutils
 ./usr/lib/libbind9.so				base-bind-shlib
 ./usr/lib/libbind9.so.5				base-bind-shlib
-./usr/lib/libbind9.so.5.7			base-bind-shlib
+./usr/lib/libbind9.so.5.8			base-bind-shlib
 ./usr/lib/libbluetooth.so			base-sys-shlib
 ./usr/lib/libbluetooth.so.4			base-sys-shlib
 ./usr/lib/libbluetooth.so.4.2			base-sys-shlib
@@ -208,7 +208,7 @@
 ./usr/lib/libdm.so.0.0				base-sys-shlib
 ./usr/lib/libdns.so				base-bind-shlib
 ./usr/lib/libdns.so.5				base-bind-shlib
-./usr/lib/libdns.so.5.7				base-bind-shlib
+./usr/lib/libdns.so.5.8				base-bind-shlib
 ./usr/lib/libdns_sd.so				base-mdns-shlib		mdns
 ./usr/lib/libdns_sd.so.0			base-mdns-shlib		mdns
 ./usr/lib/libdns_sd.so.0.0			base-mdns-shlib		mdns
@@ -271,13 +271,13 @@
 ./usr/lib/libipsec.so.3.0			base-net-shlib
 ./usr/lib/libisc.so				base-bind-shlib
 ./usr/lib/libisc.so.5				base-bind-shlib
-./usr/lib/libisc.so.5.7				base-bind-shlib
+./usr/lib/libisc.so.5.8				base-bind-shlib
 ./usr/lib/libisccc.so				base-bind-shlib
 ./usr/lib/libisccc.so.5				base-bind-shlib
-./usr/lib/libisccc.so.5.7			base-bind-shlib
+./usr/lib/libisccc.so.5.8			base-bind-shlib
 ./usr/lib/libisccfg.so				base-bind-shlib
 ./usr/lib/libisccfg.so.5			base-bind-shlib
-./usr/lib/libisccfg.so.5.7			base-bind-shlib
+./usr/lib/libisccfg.so.5.8			base-bind-shlib
 ./usr/lib/libiscsi.so				base-iscsi-shlib	iscsi
 ./usr/lib/libiscsi.so.2				base-iscsi-shlib	iscsi
 ./usr/lib/libiscsi.so.2.0			base-iscsi-shlib	iscsi
@@ -320,7 +320,7 @@
 ./usr/lib/liblua.so.1.0				base-sys-shlib
 ./usr/lib/liblwres.so				base-bind-shlib
 ./usr/lib/liblwres.so.5				base-bind-shlib
-./usr/lib/liblwres.so.5.7			base-bind-shlib
+./usr/lib/liblwres.so.5.8			base-bind-shlib
 ./usr/lib/liblzma.so				base-sys-shlib
 ./usr/lib/liblzma.so.1				base-sys-shlib
 ./usr/lib/liblzma.so.1.1			base-sys-shlib
--- a/distrib/sets/lists/man/mi	Thu Dec 13 23:51:40 2012 +0000
+++ b/distrib/sets/lists/man/mi	Sat Dec 15 05:39:18 2012 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.1379.2.8 2012/11/28 21:34:37 riz Exp $
+# $NetBSD: mi,v 1.1379.2.9 2012/12/15 05:40:18 riz Exp $
 #
 # Note: don't delete entries from here - mark them as "obsolete" instead.
 #
@@ -2267,6 +2267,7 @@
 ./usr/share/man/cat8/dnssec-settime.0		man-bind-catman		.cat
 ./usr/share/man/cat8/dnssec-signkey.0		man-obsolete		obsolete
 ./usr/share/man/cat8/dnssec-signzone.0		man-bind-catman		.cat
+./usr/share/man/cat8/dnssec-verify.0		man-bind-catman		.cat
 ./usr/share/man/cat8/dreamcast/MAKEDEV.0	man-obsolete		obsolete
 ./usr/share/man/cat8/dreamcast/boot.0		man-sysutil-catman	.cat
 ./usr/share/man/cat8/dreamcast/makedev.0	man-obsolete		obsolete
@@ -4998,6 +4999,7 @@
 ./usr/share/man/html8/dnssec-revoke.html	man-bind-htmlman	html
 ./usr/share/man/html8/dnssec-settime.html	man-bind-htmlman	html
 ./usr/share/man/html8/dnssec-signzone.html	man-bind-htmlman	html
+./usr/share/man/html8/dnssec-verify.html	man-bind-htmlman	html
 ./usr/share/man/html8/dreamcast/boot.html	man-sysutil-htmlman	html
 ./usr/share/man/html8/drvctl.html		man-sysutil-htmlman	html
 ./usr/share/man/html8/dump.html			man-sysutil-htmlman	html
@@ -7789,6 +7791,7 @@
 ./usr/share/man/man8/dnssec-settime.8		man-bind-man		.man
 ./usr/share/man/man8/dnssec-signkey.8		man-obsolete		obsolete
 ./usr/share/man/man8/dnssec-signzone.8		man-bind-man		.man
+./usr/share/man/man8/dnssec-verify.8		man-bind-man		.man
 ./usr/share/man/man8/dreamcast/MAKEDEV.8	man-obsolete		obsolete
 ./usr/share/man/man8/dreamcast/boot.8		man-sysutil-man		.man
 ./usr/share/man/man8/dreamcast/makedev.8	man-obsolete		obsolete
--- a/external/bsd/bind/bin/dnssec/Makefile	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/bin/dnssec/Makefile	Sat Dec 15 05:39:18 2012 +0000
@@ -1,7 +1,7 @@
-#	$NetBSD: Makefile,v 1.2 2009/10/25 00:18:39 christos Exp $
+#	$NetBSD: Makefile,v 1.2.8.1 2012/12/15 05:39:18 riz Exp $
 
 SUBDIR= dnssec-dsfromkey dnssec-keyfromlabel dnssec-keygen dnssec-signzone \
-	dnssec-settime dnssec-revoke
+	dnssec-settime dnssec-revoke dnssec-verify
 
 .include "Makefile.inc"
 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/bind/bin/dnssec/dnssec-verify/Makefile	Sat Dec 15 05:39:18 2012 +0000
@@ -0,0 +1,7 @@
+#	$NetBSD: Makefile,v 1.1.2.2 2012/12/15 05:39:18 riz Exp $
+
+BASE=	${.CURDIR:T}
+
+.include "${.CURDIR}/../Makefile.inc"
+
+.include <bsd.prog.mk>
--- a/external/bsd/bind/dist/CHANGES	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/CHANGES	Sat Dec 15 05:39:18 2012 +0000
@@ -1,18 +1,92 @@
-	--- 9.9.1-P4 released ---
+	--- 9.9.2-P1 released ---
+
+3407.	[security]	Named could die on specific queries with dns64 enabled.
+			[Addressed in change #3388 for BIND 9.8.5 and 9.9.3.]
+
+	--- 9.9.2 released ---
 
 3383.	[security]	A certain combination of records in the RBT could
                         cause named to hang while populating the additional
                         section of a response. [RT #31090]
 
-	--- 9.9.1-P3 released ---
+3373.	[bug]		win32: open raw files in binary mode. [RT #30944]
 
 3364.	[security]	Named could die on specially crafted record.
 			[RT #30416]
 
-	--- 9.9.1-P2 released ---
+	--- 9.9.2rc1 released ---
+
+3370.	[bug]		Address use after free while shutting down. [RT #30241]
+
+3369.	[bug]		nsupdate terminated unexpectedly in interactive mode
+			if built with readline support. [RT #29550]
+
+3368.	[bug]		<dns/iptable.h>, <dns/private.h> and <dns/zone.h>
+			were not C++ safe.
+
+3367.	[bug]		dns_dnsseckey_create() result was not being checked.
+			[RT #30685]
+
+3366.	[bug]		Fixed Read-After-Write dependency violation for IA64
+			atomic operations. [RT #25181]
+
+3365.	[bug]		Removed spurious newlines from log messages in
+			zone.c [RT #30675]
+
+3363.	[bug]		Need to allow "forward" and "fowarders" options
+			in static-stub zones; this had been overlooked.
+			[RT #30482]
+
+3362.	[bug]		Setting some option values to 0 in named.conf
+			could trigger an assertion failure on startup.
+			[RT #27730]
+
+3361.	[bug]		"rndc signing -nsec3param" didn't work correctly
+			when salt was set to '-' (no salt). [RT #30099]
+
+3360.	[bug]		'host -w' could die.  [RT #18723]
+
+3359.	[bug]		An improperly-formed TSIG secret could cause a
+			memory leak. [RT #30607]
+
+3357.	[port]		Add support for libxml2-2.8.x [RT #30440]
+
+3356.	[bug]		Cap the TTL of signed RRsets when RRSIGs are
+			approaching their expiry, so they don't remain
+			in caches after expiry. [RT #26429]
+
+3355.	[port]		Use more portable awk in verify system test.
+
+3354.	[func]		Improve OpenSSL error logging. [RT #29932]
+
+	--- 9.9.2b1 released ---
+
+3353.	[bug]		Use a single task for task exclusive operations.
+			[RT #29872]
+
+3352.	[bug]		Ensure that learned server attributes timeout of the
+			adb cache. [RT #29856]
+
+3351.	[bug]		isc_mem_put and isc_mem_putanddetach didn't report
+			caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
+			memory debugging flags are set. [RT #30243]
+
+3350.	[bug]		Memory read overrun in isc___mem_reallocate if
+			ISC_MEM_DEBUGCTX memory debugging flag is set.
+			[RT #30240]
 
 3349.	[bug]		Change #3345 was incomplete. [RT #30233]
 
+3348.	[bug]		Prevent RRSIG data from being cached if a negative
+			record matching the covering type exists at a higher
+			trust level. Such data already can't be retrieved from
+			the cache since change 3218 -- this prevents it
+			being inserted into the cache as well. [RT #26809]
+
+3347.	[bug]		dnssec-settime: Issue a warning when writing a new
+			private key file would cause a change in the
+			permissions of the existing file. [RT #27724]
+
 3346.	[security]	Bad-cache data could be used before it was
 			initialized, causing an assert. [RT #30025]
 
@@ -20,15 +94,73 @@
 			or inserting the first item in an ISC_QUEUE.
 			[RT #29539]
 
+3344.	[func]		New "dnssec-checkds" command checks a zone to
+			determine which DS records should be published
+			in the parent zone, or which DLV records should be
+			published in a DLV zone, and queries the DNS to
+			ensure that it exists. (Note: This tool depends
+			on python; it will not be built or installed on
+			systems that do not have a python interpreter.)
+			[RT #28099]
+
 3342.	[bug]		Change #3314 broke saving of stub zones to disk
 			resulting in excessive cpu usage in some cases.
 			[RT #29952]
 
-	--- 9.9.1-P1 released ---
+3341.	[func]		New "dnssec-verify" command checks a signed zone
+			to ensure correctness of signatures and of NSEC/NSEC3
+			chains. [RT #23673]
+
+3339.	[func]		Allow the maximum supported rsa exponent size to be
+			specified: "max-rsa-exponent-size <value>;" [RT #29228]
+
+3338.	[bug]		Address race condition in units tests: asyncload_zone
+			and asyncload_zt. [RT #26100]
+
+3337.	[bug]		Change #3294 broke support for the multiple keys
+			in controls. [RT #29694]
+
+3335.	[func]		nslookup: return a nonzero exit code when unable
+			to get an answer. [RT #29492]
+
+3334.	[bug]		Hold a zone table reference while performing a
+			asyncronous load of a zone. [RT #28326]
+
+3333.	[bug]		Setting resolver-query-timeout too low can cause
+			named to not recover if it loses connectivity.
+			[RT #29623]
+
+3332.	[bug]		Re-use cached DS rrsets if possible. [RT #29446]
 
 3331.	[security]	dns_rdataslab_fromrdataset could produce bad
 			rdataslabs. [RT #29644]
-			
+
+3330.	[func]		Fix missing signatures on NOERROR results despite
+			RPZ rewriting.  Also
+			 - add optional "recursive-only yes|no" to the
+			   response-policy statement
+			 - add optional "max-policy-ttl" to the response-policy
+			    statement to limit the false data that
+			    "recursive-only no" can introduce into
+			    resolvers' caches
+			 - add a RPZ performance test to bin/tests/system/rpz
+			     when queryperf is available.
+			 - the encoding of PASSTHRU action to "rpz-passthru".
+			     (The old encoding is still accepted.)
+		       [RT #26172]
+
+
+3329.	[bug]		Handle RRSIG signer-name case consistently: We
+			generate RRSIG records with the signer-name in
+			lower case.  We accept them with any case, but if
+			they fail to validate, we try again in lower case.
+			[RT #27451]
+
+3328.	[bug]		Fixed inconsistent data checking in dst_parse.c.
+			[RT #29401]
+
+3317.	[func]		Add ECDSA support (RFC 6605). [RT #21918]
+
 	--- 9.9.1 released ---
 
 3318.	[tuning]	Reduce the amount of work performed while holding a
--- a/external/bsd/bind/dist/Makefile.in	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/Makefile.in	Sat Dec 15 05:39:18 2012 +0000
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2009, 2011  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
--- a/external/bsd/bind/dist/README	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/README	Sat Dec 15 05:39:18 2012 +0000
@@ -51,6 +51,11 @@
         For up-to-date release notes and errata, see
         http://www.isc.org/software/bind9/releasenotes
 
+BIND 9.9.2
+
+	BIND 9.9.2 is a maintenance release and patches the security
+	flaw described in CVE-2012-4244.
+
 BIND 9.9.1
 
 	BIND 9.9.1 is a maintenance release.
@@ -178,7 +183,8 @@
 
 	    CFLAGS
 		C compiler flags.  Defaults to include -g and/or -O2
-		as supported by the compiler.  
+		as supported by the compiler.  Please include '-g'
+		if you need to set CFLAGS.
 
 	    STD_CINCLUDES
 		System header file directories.	 Can be used to specify
@@ -295,6 +301,10 @@
 	libraries.  sh-utils-1.16 provides a "printf" which compiles
 	on SunOS 4.
 
+Known limitations
+
+	Linux requires kernel build 2.6.39 or later to get the
+	performance benefits from using multiple sockets.
 
 Documentation
 
--- a/external/bsd/bind/dist/acconfig.h	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/acconfig.h	Sat Dec 15 05:39:18 2012 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: acconfig.h,v 1.4.6.1 2012/06/05 21:15:24 bouyer Exp $	*/
+/*	$NetBSD: acconfig.h,v 1.4.6.2 2012/12/15 05:39:19 riz Exp $	*/
 
 /*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008, 2012  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -140,6 +140,9 @@
 /* Define if OpenSSL includes DSA support */
 #undef HAVE_OPENSSL_DSA
 
+/* Define if OpenSSL includes ECDSA support */
+#undef HAVE_OPENSSL_ECDSA
+
 /* Define to the length type used by the socket API (socklen_t, size_t, int). */
 #undef ISC_SOCKADDR_LEN_T
 
--- a/external/bsd/bind/dist/bin/Makefile.in	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/Makefile.in	Sat Dec 15 05:39:18 2012 +0000
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -20,7 +20,7 @@
 top_srcdir =	@top_srcdir@
 
 SUBDIRS =	named rndc dig dnssec tests tools nsupdate \
-		check confgen @PKCS11_TOOLS@
+		check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@
 TARGETS =
 
 @BIND9_MAKE_RULES@
--- a/external/bsd/bind/dist/bin/check/Makefile.in	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/check/Makefile.in	Sat Dec 15 05:39:18 2012 +0000
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
--- a/external/bsd/bind/dist/bin/check/check-tool.c	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/check/check-tool.c	Sat Dec 15 05:39:18 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: check-tool.c,v 1.2.6.1 2012/06/05 21:15:45 bouyer Exp $	*/
+/*	$NetBSD: check-tool.c,v 1.2.6.2 2012/12/15 05:39:22 riz Exp $	*/
 
 /*
  * Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
@@ -642,6 +642,9 @@
 {
 	isc_result_t result;
 	FILE *output = stdout;
+	const char *flags;
+
+	flags = (fileformat == dns_masterformat_text) ? "w+" : "wb+";
 
 	if (debug) {
 		if (filename != NULL && strcmp(filename, "-") != 0)
@@ -652,7 +655,7 @@
 	}
 
 	if (filename != NULL && strcmp(filename, "-") != 0) {
-		result = isc_stdio_open(filename, "w+", &output);
+		result = isc_stdio_open(filename, flags, &output);
 
 		if (result != ISC_R_SUCCESS) {
 			fprintf(stderr, "could not open output "
--- a/external/bsd/bind/dist/bin/confgen/Makefile.in	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/confgen/Makefile.in	Sat Dec 15 05:39:18 2012 +0000
@@ -1,4 +1,4 @@
-# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
--- a/external/bsd/bind/dist/bin/confgen/unix/Makefile.in	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/confgen/unix/Makefile.in	Sat Dec 15 05:39:18 2012 +0000
@@ -1,4 +1,4 @@
-# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
--- a/external/bsd/bind/dist/bin/dig/Makefile.in	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/dig/Makefile.in	Sat Dec 15 05:39:18 2012 +0000
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
--- a/external/bsd/bind/dist/bin/dig/nslookup.c	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/dig/nslookup.c	Sat Dec 15 05:39:18 2012 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: nslookup.c,v 1.3.4.1 2012/06/05 21:15:40 bouyer Exp $	*/
+/*	$NetBSD: nslookup.c,v 1.3.4.2 2012/12/15 05:39:22 riz Exp $	*/
 
 /*
- * Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -67,6 +67,7 @@
 static char defclass[MXRD] = "IN";
 static char deftype[MXRD] = "A";
 static isc_event_t *global_event = NULL;
+static int query_error = 1, print_error = 0;
 
 static char domainopt[DNS_NAME_MAXTEXT];
 
@@ -416,6 +417,9 @@
 printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 	char servtext[ISC_SOCKADDR_FORMATSIZE];
 
+	/* I've we've gotten this far, we've reached a server. */
+	query_error = 0;
+
 	debug("printmessage()");
 
 	isc_sockaddr_format(&query->sockaddr, servtext, sizeof(servtext));
@@ -443,6 +447,9 @@
 		       (msg->rcode != dns_rcode_nxdomain) ? nametext :
 		       query->lookup->textname, rcode_totext(msg->rcode));
 		debug("returning with rcode == 0");
+
+		/* the lookup failed */
+		print_error |= 1;
 		return (ISC_R_SUCCESS);
 	}
 
@@ -911,5 +918,5 @@
 	destroy_libs();
 	isc_app_finish();
 
-	return (0);
+	return (query_error | print_error);
 }
--- a/external/bsd/bind/dist/bin/dnssec/Makefile.in	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/Makefile.in	Sat Dec 15 05:39:18 2012 +0000
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005, 2007-2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# Id: Makefile.in,v 1.42 2009/12/05 23:31:40 each Exp 
+# Id: Makefile.in,v 1.42.332.1 2011/03/16 06:37:51 each Exp 
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -44,19 +44,23 @@
 # Alphabetically
 TARGETS =	dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \
 		dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
-		dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@
+		dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@ \
+		dnssec-verify@EXEEXT@
 
 OBJS =		dnssectool.@O@
 
 SRCS =		dnssec-dsfromkey.c dnssec-keyfromlabel.c dnssec-keygen.c \
-		dnssec-revoke.c dnssec-settime.c dnssec-signzone.c dnssectool.c
+		dnssec-revoke.c dnssec-settime.c dnssec-signzone.c \
+		dnssec-verify.c dnssectool.c
 
 MANPAGES =	dnssec-dsfromkey.8 dnssec-keyfromlabel.8 dnssec-keygen.8 \
-		dnssec-revoke.8 dnssec-settime.8 dnssec-signzone.8
+		dnssec-revoke.8 dnssec-settime.8 dnssec-signzone.8 \
+		dnssec-verify.8
 
 HTMLPAGES =	dnssec-dsfromkey.html dnssec-keyfromlabel.html \
 		dnssec-keygen.html dnssec-revoke.html \
-		dnssec-settime.html dnssec-signzone.html 
+		dnssec-settime.html dnssec-signzone.html \
+		dnssec-verify.html
 
 MANOBJS =	${MANPAGES} ${HTMLPAGES}
 
@@ -82,6 +86,14 @@
 	export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
 	${FINALBUILDCMD}
 
+dnssec-verify.@O@: dnssec-verify.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
+		-c ${srcdir}/dnssec-verify.c
+
+dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
+	export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \
+	${FINALBUILDCMD}
+
 dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
 	dnssec-revoke.@O@ ${OBJS} ${LIBS}
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.8	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.8	Sat Dec 15 05:39:18 2012 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: dnssec-dsfromkey.8,v 1.3.4.1 2012/06/05 21:15:17 bouyer Exp $
+.\"	$NetBSD: dnssec-dsfromkey.8,v 1.3.4.2 2012/12/15 05:39:22 riz Exp $
 .\"
-.\" Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -57,7 +57,7 @@
 .RS 4
 Select the digest algorithm. The value of
 \fBalgorithm\fR
-must be one of SHA\-1 (SHA1), SHA\-256 (SHA256) or GOST. These values are case insensitive.
+must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST or SHA\-384 (SHA384). These values are case insensitive.
 .RE
 .PP
 \-T \fITTL\fR
@@ -155,5 +155,5 @@
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2008\-2011 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008\-2012 Internet Systems Consortium, Inc. ("ISC")
 .br
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.c	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.c	Sat Dec 15 05:39:18 2012 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dnssec-dsfromkey.c,v 1.3.4.1 2012/06/05 21:15:18 bouyer Exp $	*/
+/*	$NetBSD: dnssec-dsfromkey.c,v 1.3.4.2 2012/12/15 05:39:22 riz Exp $	*/
 
 /*
- * Copyright (C) 2008-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2008-2012  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -329,7 +329,7 @@
 	fprintf(stderr, "    -K <directory>: directory in which to find "
 			"key file or keyset file\n");
 	fprintf(stderr, "    -a algorithm: digest algorithm "
-			"(SHA-1, SHA-256 or GOST)\n");
+			"(SHA-1, SHA-256, GOST or SHA-384)\n");
 	fprintf(stderr, "    -1: use SHA-1\n");
 	fprintf(stderr, "    -2: use SHA-256\n");
 	fprintf(stderr, "    -l: add lookaside zone and print DLV records\n");
@@ -452,6 +452,9 @@
 		else if (strcasecmp(algname, "GOST") == 0)
 			dtype = DNS_DSDIGEST_GOST;
 #endif
+		else if (strcasecmp(algname, "SHA384") == 0 ||
+			 strcasecmp(algname, "SHA-384") == 0)
+			dtype = DNS_DSDIGEST_SHA384;
 		else
 			fatal("unknown algorithm %s", algname);
 	}
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.docbook	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.docbook	Sat Dec 15 05:39:18 2012 +0000
@@ -2,7 +2,7 @@
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
                [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2008-2011  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012  Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -40,6 +40,7 @@
       <year>2009</year>
       <year>2010</year>
       <year>2011</year>
+      <year>2012</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -110,7 +111,8 @@
           <para>
             Select the digest algorithm. The value of
             <option>algorithm</option> must be one of SHA-1 (SHA1),
-            SHA-256 (SHA256) or GOST. These values are case insensitive.
+            SHA-256 (SHA256), GOST or SHA-384 (SHA384).
+            These values are case insensitive.
           </para>
         </listitem>
       </varlistentry>
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.html	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.html	Sat Dec 15 05:39:18 2012 +0000
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -32,14 +32,14 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543485"></a><h2>DESCRIPTION</h2>
+<a name="id2543489"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-dsfromkey</strong></span>
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543497"></a><h2>OPTIONS</h2>
+<a name="id2543500"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-1</span></dt>
 <dd><p>
@@ -54,7 +54,8 @@
 <dd><p>
             Select the digest algorithm. The value of
             <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
-            SHA-256 (SHA256) or GOST. These values are case insensitive.
+            SHA-256 (SHA256), GOST or SHA-384 (SHA384).
+            These values are case insensitive.
           </p></dd>
 <dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
 <dd><p>
@@ -115,7 +116,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543723"></a><h2>EXAMPLE</h2>
+<a name="id2543726"></a><h2>EXAMPLE</h2>
 <p>
       To build the SHA-256 DS RR from the
       <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
@@ -130,7 +131,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543753"></a><h2>FILES</h2>
+<a name="id2543756"></a><h2>FILES</h2>
 <p>
       The keyfile can be designed by the key identification
       <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
@@ -144,13 +145,13 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543788"></a><h2>CAVEAT</h2>
+<a name="id2543792"></a><h2>CAVEAT</h2>
 <p>
       A keyfile error can give a "file not found" even if the file exists.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543798"></a><h2>SEE ALSO</h2>
+<a name="id2543801"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -160,7 +161,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543837"></a><h2>AUTHOR</h2>
+<a name="id2543841"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.8	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.8	Sat Dec 15 05:39:18 2012 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: dnssec-keyfromlabel.8,v 1.4.4.1 2012/06/05 21:15:18 bouyer Exp $
+.\"	$NetBSD: dnssec-keyfromlabel.8,v 1.4.4.2 2012/12/15 05:39:23 riz Exp $
 .\"
-.\" Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -49,7 +49,7 @@
 .RS 4
 Selects the cryptographic algorithm. The value of
 \fBalgorithm\fR
-must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. These values are case insensitive.
+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. These values are case insensitive.
 .sp
 If no algorithm is specified, then RSASHA1 will be used by default, unless the
 \fB\-3\fR
@@ -226,5 +226,5 @@
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2008\-2011 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008\-2012 Internet Systems Consortium, Inc. ("ISC")
 .br
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.c	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.c	Sat Dec 15 05:39:18 2012 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dnssec-keyfromlabel.c,v 1.6.4.1 2012/06/05 21:15:17 bouyer Exp $	*/
+/*	$NetBSD: dnssec-keyfromlabel.c,v 1.6.4.2 2012/12/15 05:39:23 riz Exp $	*/
 
 /*
- * Copyright (C) 2007-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2007-2012  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -57,7 +57,8 @@
 
 static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
 			  " NSEC3DSA | NSEC3RSASHA1 |"
-			  " RSASHA256 | RSASHA512 | ECCGOST";
+			  " RSASHA256 | RSASHA512 | ECCGOST |"
+			  " ECDSAP256SHA256 | ECDSAP384SHA384";
 
 ISC_PLATFORM_NORETURN_PRE static void
 usage(void) ISC_PLATFORM_NORETURN_POST;
@@ -380,7 +381,8 @@
 	if (use_nsec3 &&
 	    alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
 	    alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 &&
-	    alg != DST_ALG_ECCGOST) {
+	    alg != DST_ALG_ECCGOST &&
+	    alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
 		fatal("%s is incompatible with NSEC3; "
 		      "do not use the -3 option", algname);
 	}
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.docbook	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.docbook	Sat Dec 15 05:39:18 2012 +0000
@@ -2,7 +2,7 @@
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2008-2011  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012  Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -40,6 +40,7 @@
       <year>2009</year>
       <year>2010</year>
       <year>2011</year>
+      <year>2012</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -95,7 +96,8 @@
 	  <para>
 	    Selects the cryptographic algorithm.  The value of
             <option>algorithm</option> must be one of RSAMD5, RSASHA1,
-	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.
+	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
+	    ECDSAP256SHA256 or ECDSAP384SHA384.
 	    These values are case insensitive.
 	  </para>
           <para>
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.html	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.html	Sat Dec 15 05:39:18 2012 +0000
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -31,7 +31,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code>  {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543504"></a><h2>DESCRIPTION</h2>
+<a name="id2543507"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-keyfromlabel</strong></span>
       gets keys with the given label from a crypto hardware and builds
       key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -44,14 +44,15 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543522"></a><h2>OPTIONS</h2>
+<a name="id2543525"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
 <p>
 	    Selects the cryptographic algorithm.  The value of
             <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
-	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.
+	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
+	    ECDSAP256SHA256 or ECDSAP384SHA384.
 	    These values are case insensitive.
 	  </p>
 <p>
@@ -172,7 +173,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543977"></a><h2>TIMING OPTIONS</h2>
+<a name="id2543980"></a><h2>TIMING OPTIONS</h2>
 <p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -219,7 +220,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543051"></a><h2>GENERATED KEY FILES</h2>
+<a name="id2543054"></a><h2>GENERATED KEY FILES</h2>
 <p>
       When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
       successfully,
@@ -258,7 +259,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543124"></a><h2>SEE ALSO</h2>
+<a name="id2543127"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -266,7 +267,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543157"></a><h2>AUTHOR</h2>
+<a name="id2543160"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.8	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.8	Sat Dec 15 05:39:18 2012 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: dnssec-keygen.8,v 1.3.4.1 2012/06/05 21:15:17 bouyer Exp $
+.\"	$NetBSD: dnssec-keygen.8,v 1.3.4.2 2012/12/15 05:39:23 riz Exp $
 .\"
-.\" Copyright (C) 2004, 2005, 2007-2011 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007-2012 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -35,7 +35,7 @@
 dnssec\-keygen \- DNSSEC key generation tool
 .SH "SYNOPSIS"
 .HP 14
-\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-k\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
+\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-k\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-keygen\fR
@@ -50,7 +50,7 @@
 .RS 4
 Selects the cryptographic algorithm. For DNSSEC keys, the value of
 \fBalgorithm\fR
-must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive.
+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive.
 .sp
 If no algorithm is specified, then RSASHA1 will be used by default, unless the
 \fB\-3\fR
@@ -65,7 +65,7 @@
 .PP
 \-b \fIkeysize\fR
 .RS 4
-Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits.
+Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits. Elliptic curve algorithms don't need this parameter.
 .sp
 The key size does not need to be specified if using a default algorithm. The default key size is 1024 bits for zone signing keys (ZSK's) and 2048 bits for key signing keys (KSK's, generated with
 \fB\-f KSK\fR). However, if an algorithm is explicitly specified with the
@@ -83,7 +83,7 @@
 .PP
 \-3
 .RS 4
-Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default. Note that RSASHA256, RSASHA512 and ECCGOST algorithms are NSEC3\-capable.
+Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 and ECDSAP384SHA384 algorithms are NSEC3\-capable.
 .RE
 .PP
 \-C
@@ -105,11 +105,6 @@
 Uses a crypto hardware (OpenSSL engine) for random number and, when supported, key generation. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
 .RE
 .PP
-\-e
-.RS 4
-If generating an RSAMD5/RSASHA1 key, use a large exponent.
-.RE
-.PP
 \-f \fIflag\fR
 .RS 4
 Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE.
@@ -309,7 +304,7 @@
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007\-2011 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007\-2012 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000\-2003 Internet Software Consortium.
 .br
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c	Sat Dec 15 05:39:18 2012 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dnssec-keygen.c,v 1.7.4.1 2012/06/05 21:15:17 bouyer Exp $	*/
+/*	$NetBSD: dnssec-keygen.c,v 1.7.4.2 2012/12/15 05:39:23 riz Exp $	*/
 
 /*
- * Portions Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -87,6 +87,7 @@
 	fprintf(stderr, "        RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1"
 				" | NSEC3DSA |\n");
 	fprintf(stderr, "        RSASHA256 | RSASHA512 | ECCGOST |\n");
+	fprintf(stderr, "        ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
 	fprintf(stderr, "        DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
 				"HMAC-SHA256 | \n");
 	fprintf(stderr, "        HMAC-SHA384 | HMAC-SHA512\n");
@@ -104,6 +105,8 @@
 	fprintf(stderr, "        NSEC3DSA:\t[512..1024] and divisible "
 				"by 64\n");
 	fprintf(stderr, "        ECCGOST:\tignored\n");
+	fprintf(stderr, "        ECDSAP256SHA256:\tignored\n");
+	fprintf(stderr, "        ECDSAP384SHA384:\tignored\n");
 	fprintf(stderr, "        HMAC-MD5:\t[1..512]\n");
 	fprintf(stderr, "        HMAC-SHA1:\t[1..160]\n");
 	fprintf(stderr, "        HMAC-SHA224:\t[1..224]\n");
@@ -123,7 +126,6 @@
 #else
 	fprintf(stderr, "    -E <engine name>\n");
 #endif
-	fprintf(stderr, "    -e: use large exponent (RSAMD5/RSASHA1 only)\n");
 	fprintf(stderr, "    -f <keyflag>: KSK | REVOKE\n");
 	fprintf(stderr, "    -g <generator>: use specified generator "
 			"(DH only)\n");
@@ -211,7 +213,7 @@
 	isc_boolean_t	conflict = ISC_FALSE, null_key = ISC_FALSE;
 	isc_boolean_t	oldstyle = ISC_FALSE;
 	isc_mem_t	*mctx = NULL;
-	int		ch, rsa_exp = 0, generator = 0, param = 0;
+	int		ch, generator = 0, param = 0;
 	int		protocol = -1, size = -1, signatory = 0;
 	isc_result_t	ret;
 	isc_textregion_t r;
@@ -310,7 +312,9 @@
 			engine = isc_commandline_argument;
 			break;
 		case 'e':
-			rsa_exp = 1;
+			fprintf(stderr,
+				"phased-out option -e "
+				"(was 'use (RSA) large exponent)\n");
 			break;
 		case 'f':
 			c = (unsigned char)(isc_commandline_argument[0]);
@@ -559,7 +563,8 @@
 		if (use_nsec3 &&
 		    alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
 		    alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 &&
-		    alg != DST_ALG_ECCGOST) {
+		    alg != DST_ALG_ECCGOST &&
+		    alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
 			fatal("%s is incompatible with NSEC3; "
 			      "do not use the -3 option", algname);
 		}
@@ -591,7 +596,9 @@
 					fprintf(stderr, "key size not "
 							"specified; defaulting "
 							"to %d\n", size);
-			} else if (alg != DST_ALG_ECCGOST)
+			} else if (alg != DST_ALG_ECCGOST &&
+				   alg != DST_ALG_ECDSA256 &&
+				   alg != DST_ALG_ECDSA384)
 				fatal("key size not specified (-b option)");
 		}
 
@@ -720,6 +727,8 @@
 			fatal("invalid DSS key size: %d", size);
 		break;
 	case DST_ALG_ECCGOST:
+	case DST_ALG_ECDSA256:
+	case DST_ALG_ECDSA384:
 		break;
 	case DST_ALG_HMACMD5:
 		options |= DST_TYPE_KEY;
@@ -783,12 +792,6 @@
 		break;
 	}
 
-	if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1 ||
-	      alg == DNS_KEYALG_NSEC3RSASHA1 || alg == DNS_KEYALG_RSASHA256 ||
-	      alg == DNS_KEYALG_RSASHA512 || alg == DST_ALG_ECCGOST) &&
-	    rsa_exp != 0)
-		fatal("specified RSA exponent for a non-RSA key");
-
 	if (alg != DNS_KEYALG_DH && generator != 0)
 		fatal("specified DH generator for a non-DH key");
 
@@ -848,7 +851,6 @@
 	case DNS_KEYALG_NSEC3RSASHA1:
 	case DNS_KEYALG_RSASHA256:
 	case DNS_KEYALG_RSASHA512:
-		param = rsa_exp;
 		show_progress = ISC_TRUE;
 		break;
 
@@ -859,6 +861,8 @@
 	case DNS_KEYALG_DSA:
 	case DNS_KEYALG_NSEC3DSA:
 	case DST_ALG_ECCGOST:
+	case DST_ALG_ECDSA256:
+	case DST_ALG_ECDSA384:
 		show_progress = ISC_TRUE;
 		/* fall through */
 
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.docbook	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.docbook	Sat Dec 15 05:39:18 2012 +0000
@@ -2,7 +2,7 @@
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005, 2007-2011  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007-2012  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -44,6 +44,7 @@
       <year>2009</year>
       <year>2010</year>
       <year>2011</year>
+      <year>2012</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -67,7 +68,6 @@
       <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
       <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
-      <arg><option>-e</option></arg>
       <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
       <arg><option>-G</option></arg>
       <arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
@@ -116,7 +116,8 @@
           <para>
             Selects the cryptographic algorithm.  For DNSSEC keys, the value
             of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
-	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.
+	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
+	    ECDSAP256SHA256 or ECDSAP384SHA384.
 	    For TSIG/TKEY, the value must
             be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
             HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512.  These values are
@@ -150,7 +151,8 @@
             between 512 and 2048 bits.  Diffie Hellman keys must be between
             128 and 4096 bits.  DSA keys must be between 512 and 1024
             bits and an exact multiple of 64.  HMAC keys must be
-            between 1 and 512 bits.
+            between 1 and 512 bits. Elliptic curve algorithms don't need
+            this parameter.
           </para>
           <para>
             The key size does not need to be specified if using a default
@@ -186,7 +188,8 @@
 	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
             If this option is used and no algorithm is explicitly
             set on the command line, NSEC3RSASHA1 will be used by
-            default. Note that RSASHA256, RSASHA512 and ECCGOST algorithms
+            default. Note that RSASHA256, RSASHA512, ECCGOST,
+	    ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
 	    are NSEC3-capable.
           </para>
         </listitem>
@@ -230,15 +233,6 @@
       </varlistentry>
 
       <varlistentry>
-        <term>-e</term>
-        <listitem>
-          <para>
-            If generating an RSAMD5/RSASHA1 key, use a large exponent.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
         <term>-f <replaceable class="parameter">flag</replaceable></term>
         <listitem>
           <para>
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.html	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.html	Sat Dec 15 05:39:18 2012 +0000
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005, 2007-2011 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007-2012 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -29,10 +29,10 @@
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543591"></a><h2>DESCRIPTION</h2>
+<a name="id2543590"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-keygen</strong></span>
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -46,14 +46,15 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543609"></a><h2>OPTIONS</h2>
+<a name="id2543608"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
 <p>
             Selects the cryptographic algorithm.  For DNSSEC keys, the value
             of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
-	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.
+	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
+	    ECDSAP256SHA256 or ECDSAP384SHA384.
 	    For TSIG/TKEY, the value must
             be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
             HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512.  These values are
@@ -84,7 +85,8 @@
             between 512 and 2048 bits.  Diffie Hellman keys must be between
             128 and 4096 bits.  DSA keys must be between 512 and 1024
             bits and an exact multiple of 64.  HMAC keys must be
-            between 1 and 512 bits.
+            between 1 and 512 bits. Elliptic curve algorithms don't need
+            this parameter.
           </p>
 <p>
             The key size does not need to be specified if using a default
@@ -111,7 +113,8 @@
 	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
             If this option is used and no algorithm is explicitly
             set on the command line, NSEC3RSASHA1 will be used by
-            default. Note that RSASHA256, RSASHA512 and ECCGOST algorithms
+            default. Note that RSASHA256, RSASHA512, ECCGOST,
+	    ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
 	    are NSEC3-capable.
           </p></dd>
 <dt><span class="term">-C</span></dt>
@@ -136,10 +139,6 @@
             support it defaults to pkcs11; the empty name resets it to
             no engine.
           </p></dd>
-<dt><span class="term">-e</span></dt>
-<dd><p>
-            If generating an RSAMD5/RSASHA1 key, use a large exponent.
-          </p></dd>
 <dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
 <dd><p>
             Set the specified flag in the flag field of the KEY/DNSKEY record.
@@ -257,7 +256,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544201"></a><h2>TIMING OPTIONS</h2>
+<a name="id2544187"></a><h2>TIMING OPTIONS</h2>
 <p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -328,7 +327,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544391"></a><h2>GENERATED KEYS</h2>
+<a name="id2544377"></a><h2>GENERATED KEYS</h2>
 <p>
       When <span><strong class="command">dnssec-keygen</strong></span> completes
       successfully,
@@ -374,7 +373,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544473"></a><h2>EXAMPLE</h2>
+<a name="id2544459"></a><h2>EXAMPLE</h2>
 <p>
       To generate a 768-bit DSA key for the domain
       <strong class="userinput"><code>example.com</code></strong>, the following command would be
@@ -395,7 +394,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544585"></a><h2>SEE ALSO</h2>
+<a name="id2544571"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 2539</em>,
@@ -404,7 +403,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544616"></a><h2>AUTHOR</h2>
+<a name="id2544602"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-settime.c	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-settime.c	Sat Dec 15 05:39:18 2012 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dnssec-settime.c,v 1.3.4.1 2012/06/05 21:15:18 bouyer Exp $	*/
+/*	$NetBSD: dnssec-settime.c,v 1.3.4.2 2012/12/15 05:39:23 riz Exp $	*/
 
 /*
- * Copyright (C) 2009-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009-2012  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -40,6 +40,7 @@
 
 #include <dns/keyvalues.h>
 #include <dns/result.h>
+#include <dns/log.h>
 
 #include <dst/dst.h>
 
@@ -155,6 +156,7 @@
 	isc_boolean_t	force = ISC_FALSE;
 	isc_boolean_t   epoch = ISC_FALSE;
 	isc_boolean_t   changed = ISC_FALSE;
+	isc_log_t       *log = NULL;
 
 	if (argc == 1)
 		usage();
@@ -163,6 +165,8 @@
 	if (result != ISC_R_SUCCESS)
 		fatal("Out of memory");
 
+	setup_logging(verbose, mctx, &log);
+
 	dns_result_register();
 
 	isc_commandline_errprint = ISC_FALSE;
@@ -595,6 +599,7 @@
 	cleanup_entropy(&ectx);
 	if (verbose > 10)
 		isc_mem_stats(mctx, stdout);
+	cleanup_logging(&log);
 	isc_mem_free(mctx, directory);
 	isc_mem_destroy(&mctx);
 
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c	Sat Dec 15 05:39:18 2012 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dnssec-signzone.c,v 1.5.4.1 2012/06/05 21:15:17 bouyer Exp $	*/
+/*	$NetBSD: dnssec-signzone.c,v 1.5.4.2 2012/12/15 05:39:23 riz Exp $	*/
 
 /*
- * Portions Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -191,10 +191,6 @@
 static void
 sign(isc_task_t *task, isc_event_t *event);
 
-#define check_dns_dbiterator_current(result) \
-	check_result((result == DNS_R_NEWORIGIN) ? ISC_R_SUCCESS : result, \
-		     "dns_dbiterator_current()")
-
 static void
 dumpnode(dns_name_t *name, dns_dbnode_t *node) {
 	dns_rdataset_t rds;
@@ -1000,26 +996,6 @@
 }
 
 static isc_boolean_t
-delegation(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp) {
-	dns_rdataset_t nsset;
-	isc_result_t result;
-
-	if (dns_name_equal(name, gorigin))
-		return (ISC_FALSE);
-
-	dns_rdataset_init(&nsset);
-	result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_ns,
-				     0, 0, &nsset, NULL);
-	if (dns_rdataset_isassociated(&nsset)) {
-		if (ttlp != NULL)
-			*ttlp = nsset.ttl;
-		dns_rdataset_disassociate(&nsset);
-	}
-
-	return (ISC_TF(result == ISC_R_SUCCESS));
-}
-
-static isc_boolean_t
 secure(dns_name_t *name, dns_dbnode_t *node) {
 	dns_rdataset_t dsset;
 	isc_result_t result;
@@ -1054,7 +1030,7 @@
 	/*
 	 * Determine if this is a delegation point.
 	 */
-	if (delegation(name, node, NULL))
+	if (is_delegation(gdb, gversion, gorigin, name, node, NULL))
 		isdelegation = ISC_TRUE;
 
 	/*
@@ -1387,453 +1363,6 @@
 	dns_dbiterator_destroy(&gdbiter);
 }
 
-static isc_boolean_t
-goodsig(dns_rdata_t *sigrdata, dns_name_t *name, dns_rdataset_t *keyrdataset,
-	dns_rdataset_t *rdataset)
-{
-	dns_rdata_dnskey_t key;
-	dns_rdata_rrsig_t sig;
-	dst_key_t *dstkey = NULL;
-	isc_result_t result;
-
-	dns_rdata_tostruct(sigrdata, &sig, NULL);
-
-	for (result = dns_rdataset_first(keyrdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(keyrdataset)) {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-		dns_rdataset_current(keyrdataset, &rdata);
-		dns_rdata_tostruct(&rdata, &key, NULL);
-		result = dns_dnssec_keyfromrdata(gorigin, &rdata, mctx,
-						 &dstkey);
-		if (result != ISC_R_SUCCESS)
-			return (ISC_FALSE);
-		if (sig.algorithm != key.algorithm ||
-		    sig.keyid != dst_key_id(dstkey) ||
-		    !dns_name_equal(&sig.signer, gorigin)) {
-			dst_key_free(&dstkey);
-			continue;
-		}
-		result = dns_dnssec_verify(name, rdataset, dstkey, ISC_FALSE,
-					   mctx, sigrdata);
-		dst_key_free(&dstkey);
-		if (result == ISC_R_SUCCESS)
-			return(ISC_TRUE);
-	}
-	return (ISC_FALSE);
-}
-
-static void
-verifyset(dns_rdataset_t *rdataset, dns_name_t *name, dns_dbnode_t *node,
-	  dns_rdataset_t *keyrdataset, unsigned char *ksk_algorithms,
-	  unsigned char *bad_algorithms)
-{
-	unsigned char set_algorithms[256];
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char algbuf[80];
-	char typebuf[80];
-	dns_rdataset_t sigrdataset;
-	dns_rdatasetiter_t *rdsiter = NULL;
-	isc_result_t result;
-	int i;
-
-	dns_rdataset_init(&sigrdataset);
-	result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
-	check_result(result, "dns_db_allrdatasets()");
-	for (result = dns_rdatasetiter_first(rdsiter);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdatasetiter_next(rdsiter)) {
-		dns_rdatasetiter_current(rdsiter, &sigrdataset);
-		if (sigrdataset.type == dns_rdatatype_rrsig &&
-		    sigrdataset.covers == rdataset->type)
-			break;
-		dns_rdataset_disassociate(&sigrdataset);
-	}
-	if (result != ISC_R_SUCCESS) {
-		dns_name_format(name, namebuf, sizeof(namebuf));
-		type_format(rdataset->type, typebuf, sizeof(typebuf));
-		fprintf(stderr, "no signatures for %s/%s\n", namebuf, typebuf);
-		for (i = 0; i < 256; i++)
-			if (ksk_algorithms[i] != 0)
-				bad_algorithms[i] = 1;
-		return;
-	}
-
-	memset(set_algorithms, 0, sizeof(set_algorithms));
-	for (result = dns_rdataset_first(&sigrdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&sigrdataset)) {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-		dns_rdata_rrsig_t sig;
-
-		dns_rdataset_current(&sigrdataset, &rdata);
-		dns_rdata_tostruct(&rdata, &sig, NULL);
-		if (rdataset->ttl != sig.originalttl) {
-			dns_name_format(name, namebuf, sizeof(namebuf));
-			type_format(rdataset->type, typebuf, sizeof(typebuf));
-			fprintf(stderr, "TTL mismatch for %s %s keytag %u\n",
-				namebuf, typebuf, sig.keyid);
-			continue;
-		}
-		if ((set_algorithms[sig.algorithm] != 0) ||
-		    (ksk_algorithms[sig.algorithm] == 0))
-			continue;
-		if (goodsig(&rdata, name, keyrdataset, rdataset))
-			set_algorithms[sig.algorithm] = 1;
-	}
-	dns_rdatasetiter_destroy(&rdsiter);
-	if (memcmp(set_algorithms, ksk_algorithms, sizeof(set_algorithms))) {
-		dns_name_format(name, namebuf, sizeof(namebuf));
-		type_format(rdataset->type, typebuf, sizeof(typebuf));
-		for (i = 0; i < 256; i++)
-			if ((ksk_algorithms[i] != 0) &&
-			    (set_algorithms[i] == 0)) {
-				dns_secalg_format(i, algbuf, sizeof(algbuf));
-				fprintf(stderr, "Missing %s signature for "
-					"%s %s\n", algbuf, namebuf, typebuf);
-				bad_algorithms[i] = 1;
-			}
-	}
-	dns_rdataset_disassociate(&sigrdataset);
-}
-
-static void
-verifynode(dns_name_t *name, dns_dbnode_t *node, isc_boolean_t delegation,
-	   dns_rdataset_t *keyrdataset, unsigned char *ksk_algorithms,
-	   unsigned char *bad_algorithms)
-{
-	dns_rdataset_t rdataset;
-	dns_rdatasetiter_t *rdsiter = NULL;
-	isc_result_t result;
-
-	result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
-	check_result(result, "dns_db_allrdatasets()");
-	result = dns_rdatasetiter_first(rdsiter);
-	dns_rdataset_init(&rdataset);
-	while (result == ISC_R_SUCCESS) {
-		dns_rdatasetiter_current(rdsiter, &rdataset);
-		if (rdataset.type != dns_rdatatype_rrsig &&
-		    rdataset.type != dns_rdatatype_dnskey &&
-		    (!delegation || rdataset.type == dns_rdatatype_ds ||
-		     rdataset.type == dns_rdatatype_nsec)) {
-			verifyset(&rdataset, name, node, keyrdataset,
-				  ksk_algorithms, bad_algorithms);
-		}
-		dns_rdataset_disassociate(&rdataset);
-		result = dns_rdatasetiter_next(rdsiter);
-	}
-	if (result != ISC_R_NOMORE)
-		fatal("rdataset iteration failed: %s",
-		      isc_result_totext(result));
-	dns_rdatasetiter_destroy(&rdsiter);
-}
-
-/*%
- * Verify that certain things are sane:
- *
- *   The apex has a DNSKEY RRset with at least one KSK, and at least
- *   one ZSK if the -x flag was not used.
- *
- *   The DNSKEY record was signed with at least one of the KSKs in
- *   the DNSKEY RRset.
- *
- *   The rest of the zone was signed with at least one of the ZSKs
- *   present in the DNSKEY RRset.
- */
-static void
-verifyzone(void) {
-	char algbuf[80];
-	dns_dbiterator_t *dbiter = NULL;
-	dns_dbnode_t *node = NULL, *nextnode = NULL;
-	dns_fixedname_t fname, fnextname, fzonecut;
-	dns_name_t *name, *nextname, *zonecut;
-	dns_rdata_dnskey_t dnskey;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdataset_t keyset, soaset;
-	dns_rdataset_t keysigs, soasigs;
-	int i;
-	isc_boolean_t done = ISC_FALSE;
-	isc_boolean_t first = ISC_TRUE;
-	isc_boolean_t goodksk = ISC_FALSE;
-	isc_result_t result;
-	unsigned char revoked_ksk[256];
-	unsigned char revoked_zsk[256];
-	unsigned char standby_ksk[256];
-	unsigned char standby_zsk[256];
-	unsigned char ksk_algorithms[256];
-	unsigned char zsk_algorithms[256];
-	unsigned char bad_algorithms[256];
-
-	if (disable_zone_check)
-		return;
-
-	result = dns_db_findnode(gdb, gorigin, ISC_FALSE, &node);
-	if (result != ISC_R_SUCCESS)
-		fatal("failed to find the zone's origin: %s",
-		      isc_result_totext(result));
-
-	dns_rdataset_init(&keyset);
-	dns_rdataset_init(&keysigs);
-	dns_rdataset_init(&soaset);
-	dns_rdataset_init(&soasigs);
-
-	result = dns_db_findrdataset(gdb, node, gversion,
-				     dns_rdatatype_dnskey,
-				     0, 0, &keyset, &keysigs);
-	if (result != ISC_R_SUCCESS)
-		fatal("Zone contains no DNSSEC keys\n");
-
-	result = dns_db_findrdataset(gdb, node, gversion,
-				     dns_rdatatype_soa,
-				     0, 0, &soaset, &soasigs);
-	dns_db_detachnode(gdb, &node);
-	if (result != ISC_R_SUCCESS)
-		fatal("Zone contains no SOA record\n");
-
-	if (!dns_rdataset_isassociated(&keysigs))
-		fatal("DNSKEY is not signed (keys offline or inactive?)\n");
-
-	if (!dns_rdataset_isassociated(&soasigs))
-		fatal("SOA is not signed (keys offline or inactive?)\n");
-
-	memset(revoked_ksk, 0, sizeof(revoked_ksk));
-	memset(revoked_zsk, 0, sizeof(revoked_zsk));
-	memset(standby_ksk, 0, sizeof(standby_ksk));
-	memset(standby_zsk, 0, sizeof(standby_zsk));
-	memset(ksk_algorithms, 0, sizeof(ksk_algorithms));
-	memset(zsk_algorithms, 0, sizeof(zsk_algorithms));
-	memset(bad_algorithms, 0, sizeof(bad_algorithms));
-
-	/*
-	 * Check that the DNSKEY RR has at least one self signing KSK
-	 * and one ZSK per algorithm in it (or, if -x was used, one
-	 * self-signing KSK).
-	 */
-	for (result = dns_rdataset_first(&keyset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&keyset)) {
-		dns_rdataset_current(&keyset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
-		check_result(result, "dns_rdata_tostruct");
-
-		if ((dnskey.flags & DNS_KEYOWNER_ZONE) == 0)
-			;
-		else if ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0) {
-			if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
-			    !dns_dnssec_selfsigns(&rdata, gorigin, &keyset,
-						  &keysigs, ISC_FALSE,
-						  mctx)) {
-				char namebuf[DNS_NAME_FORMATSIZE];
-				char buffer[1024];
-				isc_buffer_t buf;
-
-				dns_name_format(gorigin, namebuf,
-						sizeof(namebuf));
-				isc_buffer_init(&buf, buffer, sizeof(buffer));
-				result = dns_rdata_totext(&rdata, NULL, &buf);
-				check_result(result, "dns_rdata_totext");
-				fatal("revoked KSK is not self signed:\n"
-				      "%s DNSKEY %.*s", namebuf,
-				      (int)isc_buffer_usedlength(&buf), buffer);
-			}
-			if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
-			     revoked_ksk[dnskey.algorithm] != 255)
-				revoked_ksk[dnskey.algorithm]++;
-			else if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 &&
-				 revoked_zsk[dnskey.algorithm] != 255)
-				revoked_zsk[dnskey.algorithm]++;
-		} else if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0) {
-			if (dns_dnssec_selfsigns(&rdata, gorigin, &keyset,
-					      &keysigs, ISC_FALSE, mctx)) {
-				if (ksk_algorithms[dnskey.algorithm] != 255)
-					ksk_algorithms[dnskey.algorithm]++;
-				goodksk = ISC_TRUE;
-			} else {
-				if (standby_ksk[dnskey.algorithm] != 255)
-					standby_ksk[dnskey.algorithm]++;
-			}
-		} else if (dns_dnssec_selfsigns(&rdata, gorigin, &keyset,
-						&keysigs, ISC_FALSE,
-						mctx)) {
-			if (zsk_algorithms[dnskey.algorithm] != 255)
-				zsk_algorithms[dnskey.algorithm]++;
-		} else if (dns_dnssec_signs(&rdata, gorigin, &soaset,
-					    &soasigs, ISC_FALSE, mctx)) {
-			if (zsk_algorithms[dnskey.algorithm] != 255)
-				zsk_algorithms[dnskey.algorithm]++;
-		} else {
-			if (standby_zsk[dnskey.algorithm] != 255)
-				standby_zsk[dnskey.algorithm]++;
-		}
-		dns_rdata_freestruct(&dnskey);
-		dns_rdata_reset(&rdata);
-	}
-	dns_rdataset_disassociate(&keysigs);
-	dns_rdataset_disassociate(&soaset);
-	dns_rdataset_disassociate(&soasigs);
-
-	if (!goodksk)
-		fatal("No self-signed KSK DNSKEY found.  Supply an active\n"
-		      "key with the KSK flag set, or use '-P'.");
-
-	fprintf(stderr, "Verifying the zone using the following algorithms:");
-	for (i = 0; i < 256; i++) {
-		if (ksk_algorithms[i] != 0) {
-			dns_secalg_format(i, algbuf, sizeof(algbuf));
-			fprintf(stderr, " %s", algbuf);
-		}
-	}
-	fprintf(stderr, ".\n");
-
-	if (!ignore_kskflag && !keyset_kskonly) {
-		for (i = 0; i < 256; i++) {
-			/*
-			 * The counts should both be zero or both be non-zero.
-			 * Mark the algorithm as bad if this is not met.
-			 */
-			if ((ksk_algorithms[i] != 0) ==
-			    (zsk_algorithms[i] != 0))
-				continue;
-			dns_secalg_format(i, algbuf, sizeof(algbuf));
-			fprintf(stderr, "Missing %s for algorithm %s\n",
-				(ksk_algorithms[i] != 0)
-				   ? "ZSK"
-				   : "self signing KSK",
-				algbuf);
-			bad_algorithms[i] = 1;
-		}
-	}
-
-	/*
-	 * Check that all the other records were signed by keys that are
-	 * present in the DNSKEY RRSET.
-	 */
-
-	dns_fixedname_init(&fname);
-	name = dns_fixedname_name(&fname);
-	dns_fixedname_init(&fnextname);
-	nextname = dns_fixedname_name(&fnextname);
-	dns_fixedname_init(&fzonecut);
-	zonecut = NULL;
-
-	result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter);
-	check_result(result, "dns_db_createiterator()");
-
-	result = dns_dbiterator_first(dbiter);
-	check_result(result, "dns_dbiterator_first()");
-
-	while (!done) {
-		isc_boolean_t isdelegation = ISC_FALSE;
-
-		result = dns_dbiterator_current(dbiter, &node, name);
-		check_dns_dbiterator_current(result);
-		if (!dns_name_issubdomain(name, gorigin)) {
-			dns_db_detachnode(gdb, &node);
-			result = dns_dbiterator_next(dbiter);
-			if (result == ISC_R_NOMORE)
-				done = ISC_TRUE;
-			else
-				check_result(result, "dns_dbiterator_next()");
-			continue;
-		}
-		if (delegation(name, node, NULL)) {
-			zonecut = dns_fixedname_name(&fzonecut);
-			dns_name_copy(name, zonecut, NULL);
-			isdelegation = ISC_TRUE;
-		}
-		verifynode(name, node, isdelegation, &keyset,
-			   ksk_algorithms, bad_algorithms);
-		result = dns_dbiterator_next(dbiter);
-		nextnode = NULL;
-		while (result == ISC_R_SUCCESS) {
-			result = dns_dbiterator_current(dbiter, &nextnode,
-							nextname);
-			check_dns_dbiterator_current(result);
-			if (!dns_name_issubdomain(nextname, gorigin) ||
-			    (zonecut != NULL &&
-			     dns_name_issubdomain(nextname, zonecut)))
-			{
-				dns_db_detachnode(gdb, &nextnode);
-				result = dns_dbiterator_next(dbiter);
-				continue;
-			}
-			dns_db_detachnode(gdb, &nextnode);
-			break;
-		}
-		if (result == ISC_R_NOMORE) {
-			done = ISC_TRUE;
-		} else if (result != ISC_R_SUCCESS)
-			fatal("iterating through the database failed: %s",
-			      isc_result_totext(result));
-		dns_db_detachnode(gdb, &node);
-	}
-
-	dns_dbiterator_destroy(&dbiter);
-
-	result = dns_db_createiterator(gdb, DNS_DB_NSEC3ONLY, &dbiter);
-	check_result(result, "dns_db_createiterator()");
-
-	for (result = dns_dbiterator_first(dbiter);
-	     result == ISC_R_SUCCESS;
-	     result = dns_dbiterator_next(dbiter) ) {
-		result = dns_dbiterator_current(dbiter, &node, name);
-		check_dns_dbiterator_current(result);
-		verifynode(name, node, ISC_FALSE, &keyset,
-			   ksk_algorithms, bad_algorithms);
-		dns_db_detachnode(gdb, &node);
-	}
-	dns_dbiterator_destroy(&dbiter);
-
-	dns_rdataset_disassociate(&keyset);
-
-	/*
-	 * If we made it this far, we have what we consider a properly signed
-	 * zone.  Set the good flag.
-	 */
-	for (i = 0; i < 256; i++) {
-		if (bad_algorithms[i] != 0) {
-			if (first)
-				fprintf(stderr, "The zone is not fully signed "
-					"for the following algorithms:");
-			dns_secalg_format(i, algbuf, sizeof(algbuf));
-			fprintf(stderr, " %s", algbuf);
-			first = ISC_FALSE;
-		}
-	}
-	if (!first) {
-		fprintf(stderr, ".\n");
-		fatal("DNSSEC completeness test failed.");
-	}
-
-	if (goodksk || ignore_kskflag) {
-		/*
-		 * Print the success summary.
-		 */
-		fprintf(stderr, "Zone signing complete:\n");
-		for (i = 0; i < 256; i++) {
-			if ((ksk_algorithms[i] != 0) ||
-			    (standby_ksk[i] != 0) ||
-			    (revoked_zsk[i] != 0) ||
-			    (zsk_algorithms[i] != 0) ||
-			    (standby_zsk[i] != 0) ||
-			    (revoked_zsk[i] != 0)) {
-				dns_secalg_format(i, algbuf, sizeof(algbuf));
-				fprintf(stderr, "Algorithm: %s: KSKs: "
-					"%u active, %u stand-by, %u revoked\n",
-					algbuf, ksk_algorithms[i],
-					standby_ksk[i], revoked_ksk[i]);
-				fprintf(stderr, "%*sZSKs: "
-					"%u active, %u %s, %u revoked\n",
-					(int) strlen(algbuf) + 13, "",
-					zsk_algorithms[i],
-					standby_zsk[i],
-					keyset_kskonly ? "present" : "stand-by",
-					revoked_zsk[i]);
-			}
-		}
-	}
-}
-
 /*%
  * Sign the apex of the zone.
  * Note the origin may not be the first node if there are out of zone
@@ -1931,7 +1460,7 @@
 			if (dns_name_issubdomain(name, gorigin) &&
 			    (zonecut == NULL ||
 			     !dns_name_issubdomain(name, zonecut))) {
-				if (delegation(name, node, NULL)) {
+				if (is_delegation(gdb, gversion, gorigin, name, node, NULL)) {
 					dns_fixedname_init(&fzonecut);
 					zonecut = dns_fixedname_name(&fzonecut);
 					dns_name_copy(name, zonecut, NULL);
@@ -2189,7 +1718,7 @@
 		if (dns_name_equal(name, gorigin))
 			remove_records(node, dns_rdatatype_nsec3param);
 
-		if (delegation(name, node, &nsttl)) {
+		if (is_delegation(gdb, gversion, gorigin, name, node, &nsttl)) {
 			zonecut = dns_fixedname_name(&fzonecut);
 			dns_name_copy(name, zonecut, NULL);
 			if (generateds)
@@ -2624,7 +2153,9 @@
 				result = dns_dbiterator_next(dbiter);
 				continue;
 			}
-			if (delegation(nextname, nextnode, &nsttl)) {
+			if (is_delegation(gdb, gversion, gorigin,
+					  nextname, nextnode, &nsttl))
+			{
 				zonecut = dns_fixedname_name(&fzonecut);
 				dns_name_copy(nextname, zonecut, NULL);
 				if (generateds)
@@ -2752,7 +2283,9 @@
 				result = dns_dbiterator_next(dbiter);
 				continue;
 			}
-			if (delegation(nextname, nextnode, NULL)) {
+			if (is_delegation(gdb, gversion, gorigin,
+							  nextname, nextnode, NULL))
+			{
 				zonecut = dns_fixedname_name(&fzonecut);
 				dns_name_copy(nextname, zonecut, NULL);
 				if (OPTOUT(nsec3flags) &&
@@ -3471,9 +3004,10 @@
 	isc_boolean_t set_salt = ISC_FALSE;
 	isc_boolean_t set_optout = ISC_FALSE;
 	isc_boolean_t set_iter = ISC_FALSE;
+	isc_boolean_t nonsecify = ISC_FALSE;
 
 #define CMDLINE_FLAGS \
-	"3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:L:l:m:n:N:o:O:PpRr:s:ST:tuUv:X:xz"
+	"3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:L:l:m:n:N:o:O:PpRr:s:ST:tuUv:X:xzZ:"
 
 	/*
 	 * Process memory debugging argument first.
@@ -3743,6 +3277,10 @@
 			fprintf(stderr, "%s: unhandled option -%c\n",
 				program, isc_commandline_option);
 			exit(1);
+		case 'Z':	/* Undocumented test options */
+			if (!strcmp(isc_commandline_argument, "nonsecify"))
+				nonsecify = ISC_TRUE;
+			break;
 		}
 	}
 
@@ -3993,11 +3531,13 @@
 
 	remove_duplicates();
 
+	if (!nonsecify) {
 	if (IS_NSEC3)
 		nsec3ify(dns_hash_sha1, nsec3iter, salt, salt_length,
 			 &hashlist);
 	else
 		nsecify();
+	}
 
 	if (!nokeys) {
 		writeset("dsset-", dns_rdatatype_ds);
@@ -4021,7 +3561,10 @@
 		result = isc_file_mktemplate(output, tempfile, tempfilelen);
 		check_result(result, "isc_file_mktemplate");
 
+		if (outputformat == dns_masterformat_text)
 		result = isc_file_openunique(tempfile, &fp);
+		else
+			result = isc_file_bopenunique(tempfile, &fp);
 		if (result != ISC_R_SUCCESS)
 			fatal("failed to open temporary output file: %s",
 			      isc_result_totext(result));
@@ -4084,9 +3627,12 @@
 	isc_mem_put(mctx, tasks, ntasks * sizeof(isc_task_t *));
 	postsign();
 	TIME_NOW(&sign_finish);
-	verifyzone();
-
-	if (outputformat == dns_masterformat_raw) {
+
+	if (!disable_zone_check)
+		verifyzone(gdb, gversion, gorigin, mctx,
+			   ignore_kskflag, keyset_kskonly);
+
+	if (outputformat != dns_masterformat_text) {
 		dns_masterrawheader_t header;
 		dns_master_initrawheader(&header);
 		if (rawversion == 0U)
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-verify.8	Sat Dec 15 05:39:18 2012 +0000
@@ -0,0 +1,99 @@
+.\"	$NetBSD: dnssec-verify.8,v 1.2.2.2 2012/12/15 05:39:24 riz Exp $
+.\"
+.\" Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" Id
+.\"
+.hy 0
+.ad l
+.\"     Title: dnssec\-verify
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: April 12, 2012
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "DNSSEC\-VERIFY" "8" "April 12, 2012" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+dnssec\-verify \- DNSSEC zone verification tool
+.SH "SYNOPSIS"
+.HP 14
+\fBdnssec\-verify\fR [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-x\fR] [\fB\-z\fR] {zonefile}
+.SH "DESCRIPTION"
+.PP
+\fBdnssec\-verify\fR
+verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 chains are complete.
+.SH "OPTIONS"
+.PP
+\-c \fIclass\fR
+.RS 4
+Specifies the DNS class of the zone.
+.RE
+.PP
+\-I \fIinput\-format\fR
+.RS 4
+The format of the input zone file. Possible formats are
+\fB"text"\fR
+(default) and
+\fB"raw"\fR. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be verified independently. The use of this option does not make much sense for non\-dynamic zones.
+.RE
+.PP
+\-o \fIorigin\fR
+.RS 4
+The zone origin. If not specified, the name of the zone file is assumed to be the origin.
+.RE
+.PP
+\-v \fIlevel\fR
+.RS 4
+Sets the debugging level.
+.RE
+.PP
+\-x
+.RS 4
+Only verify that the DNSKEY RRset is signed with key\-signing keys. Without this flag, it is assumed that the DNSKEY RRset will be signed by all active keys. When this flag is set, it will not be an error if the DNSKEY RRset is not signed by zone\-signing keys. This corresponds to the
+\fB\-x\fR
+option in
+\fBdnssec\-signzone\fR.
+.RE
+.PP
+\-z
+.RS 4
+Ignore the KSK flag on the keys when determining whether the zone if correctly signed. Without this flag it is assumed that there will be a non\-revoked, self\-signed DNSKEY with the KSK flag set for each algorithm and that RRsets other than DNSKEY RRset will be signed with a different DNSKEY without the KSK flag set.
+.sp
+With this flag set, we only require that for each algorithm, there will be at least one non\-revoked, self\-signed DNSKEY, regardless of the KSK flag state, and that other RRsets will be signed by a non\-revoked key for the same algorithm that includes the self\-signed key; the same key may be used for both purposes. This corresponds to the
+\fB\-z\fR
+option in
+\fBdnssec\-signzone\fR.
+.RE
+.PP
+zonefile
+.RS 4
+The file containing the zone to be signed.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBdnssec\-signzone\fR(8),
+BIND 9 Administrator Reference Manual,
+RFC 4033.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2012 Internet Systems Consortium, Inc. ("ISC")
+.br
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-verify.c	Sat Dec 15 05:39:18 2012 +0000
@@ -0,0 +1,327 @@
+/*	$NetBSD: dnssec-verify.c,v 1.2.2.2 2012/12/15 05:39:24 riz Exp $	*/
+
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* Id: dnssec-verify.c,v 1.1.2.1 2011/03/16 06:37:51 each Exp  */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <time.h>
+
+#include <isc/app.h>
+#include <isc/base32.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/event.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/hex.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/os.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/rwlock.h>
+#include <isc/serial.h>
+#include <isc/stdio.h>
+#include <isc/stdlib.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/diff.h>
+#include <dns/dnssec.h>
+#include <dns/ds.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/master.h>
+#include <dns/masterdump.h>
+#include <dns/nsec.h>
+#include <dns/nsec3.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/soa.h>
+#include <dns/time.h>
+
+#include <dst/dst.h>
+
+#include "dnssectool.h"
+
+const char *program = "dnssec-verify";
+int verbose;
+
+static isc_stdtime_t now;
+static isc_mem_t *mctx = NULL;
+static isc_entropy_t *ectx = NULL;
+static dns_masterformat_t inputformat = dns_masterformat_text;
+static dns_db_t *gdb;			/* The database */
+static dns_dbversion_t *gversion;	/* The database version */
+static dns_rdataclass_t gclass;		/* The class */
+static dns_name_t *gorigin;		/* The database origin */
+static isc_boolean_t ignore_kskflag = ISC_FALSE;
+static isc_boolean_t keyset_kskonly = ISC_FALSE;
+
+/*%
+ * Load the zone file from disk
+ */
+static void
+loadzone(char *file, char *origin, dns_rdataclass_t rdclass, dns_db_t **db) {
+	isc_buffer_t b;
+	int len;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	isc_result_t result;
+
+	len = strlen(origin);
+	isc_buffer_init(&b, origin, len);
+	isc_buffer_add(&b, len);
+
+	dns_fixedname_init(&fname);
+	name = dns_fixedname_name(&fname);
+	result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS)
+		fatal("failed converting name '%s' to dns format: %s",
+		      origin, isc_result_totext(result));
+
+	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
+			       rdclass, 0, NULL, db);
+	check_result(result, "dns_db_create()");
+
+	result = dns_db_load2(*db, file, inputformat);
+	if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
+		fatal("failed loading zone from '%s': %s",
+		      file, isc_result_totext(result));
+}
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+	fprintf(stderr, "Usage:\n");
+	fprintf(stderr, "\t%s [options] zonefile [keys]\n", program);
+
+	fprintf(stderr, "\n");
+
+	fprintf(stderr, "Version: %s\n", VERSION);
+
+	fprintf(stderr, "Options: (default value in parenthesis) \n");
+	fprintf(stderr, "\t-v debuglevel (0)\n");
+	fprintf(stderr, "\t-o origin:\n");
+	fprintf(stderr, "\t\tzone origin (name of zonefile)\n");
+	fprintf(stderr, "\t-I format:\n");
+	fprintf(stderr, "\t\tfile format of input zonefile (text)\n");
+	fprintf(stderr, "\t-c class (IN)\n");
+	fprintf(stderr, "\t-E engine:\n");
+#ifdef USE_PKCS11
+	fprintf(stderr, "\t\tname of an OpenSSL engine to use "
+				"(default is \"pkcs11\")\n");
+#else
+	fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
+#endif
+	fprintf(stderr, "\t-x:\tDNSKEY record signed with KSKs only, "
+			"not ZSKs\n");
+	fprintf(stderr, "\t-z:\tAll records signed with KSKs\n");
+	exit(0);
+}
+
+int
+main(int argc, char *argv[]) {
+	char *origin = NULL, *file = NULL;
+	char *inputformatstr = NULL;
+	isc_result_t result;
+	isc_log_t *log = NULL;
+#ifdef USE_PKCS11
+	const char *engine = "pkcs11";
+#else
+	const char *engine = NULL;
+#endif
+	char *classname = NULL;
+	dns_rdataclass_t rdclass;
+	char ch, *endp;
+
+#define CMDLINE_FLAGS \
+	"m:o:I:c:E:v:xz"
+
+	/*
+	 * Process memory debugging argument first.
+	 */
+	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+		switch (ch) {
+		case 'm':
+			if (strcasecmp(isc_commandline_argument, "record") == 0)
+				isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+			if (strcasecmp(isc_commandline_argument, "trace") == 0)
+				isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
+			if (strcasecmp(isc_commandline_argument, "usage") == 0)
+				isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
+			if (strcasecmp(isc_commandline_argument, "size") == 0)
+				isc_mem_debugging |= ISC_MEM_DEBUGSIZE;
+			if (strcasecmp(isc_commandline_argument, "mctx") == 0)
+				isc_mem_debugging |= ISC_MEM_DEBUGCTX;
+			break;
+		default:
+			break;
+		}
+	}
+	isc_commandline_reset = ISC_TRUE;
+	check_result(isc_app_start(), "isc_app_start");
+
+	result = isc_mem_create(0, 0, &mctx);
+	if (result != ISC_R_SUCCESS)
+		fatal("out of memory");
+
+	dns_result_register();
+
+	isc_commandline_errprint = ISC_FALSE;
+
+	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+		switch (ch) {
+		case 'c':
+			classname = isc_commandline_argument;
+			break;
+
+		case 'E':
+			engine = isc_commandline_argument;
+			break;
+
+		case 'h':
+			usage();
+			break;
+
+		case 'I':
+			inputformatstr = isc_commandline_argument;
+			break;
+
+		case 'm':
+			break;
+
+		case 'o':
+			origin = isc_commandline_argument;
+			break;
+
+		case 'v':
+			endp = NULL;
+			verbose = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0')
+				fatal("verbose level must be numeric");
+			break;
+
+		case 'x':
+			keyset_kskonly = ISC_TRUE;
+			break;
+
+		case 'z':
+			ignore_kskflag = ISC_TRUE;
+			break;
+
+		case '?':
+			if (isc_commandline_option != '?')
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
+			usage();
+			break;
+
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n",
+				program, isc_commandline_option);
+			exit(1);
+		}
+	}
+
+	if (ectx == NULL)
+		setup_entropy(mctx, NULL, &ectx);
+
+	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
+	if (result != ISC_R_SUCCESS)
+		fatal("could not create hash context");
+
+	result = dst_lib_init2(mctx, ectx, engine, ISC_ENTROPY_BLOCKING);
+	if (result != ISC_R_SUCCESS)
+		fatal("could not initialize dst: %s",
+		      isc_result_totext(result));
+
+	isc_stdtime_get(&now);
+
+	rdclass = strtoclass(classname);
+
+	setup_logging(verbose, mctx, &log);
+
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+
+	if (argc < 1)
+		usage();
+
+	file = argv[0];
+
+	argc -= 1;
+	argv += 1;
+
+	if (origin == NULL)
+		origin = file;
+
+	if (inputformatstr != NULL) {
+		if (strcasecmp(inputformatstr, "text") == 0)
+			inputformat = dns_masterformat_text;
+		else if (strcasecmp(inputformatstr, "raw") == 0)
+			inputformat = dns_masterformat_raw;
+		else
+			fatal("unknown file format: %s\n", inputformatstr);
+	}
+
+	gdb = NULL;
+	fprintf(stderr, "Loading zone '%s' from file '%s'\n", origin, file);
+	loadzone(file, origin, rdclass, &gdb);
+	gorigin = dns_db_origin(gdb);
+	gclass = dns_db_class(gdb);
+
+	gversion = NULL;
+	result = dns_db_newversion(gdb, &gversion);
+	check_result(result, "dns_db_newversion()");
+
+	verifyzone(gdb, gversion, gorigin, mctx,
+		   ignore_kskflag, keyset_kskonly);
+
+	dns_db_closeversion(gdb, &gversion, ISC_FALSE);
+	dns_db_detach(&gdb);
+
+	cleanup_logging(&log);
+	dst_lib_destroy();
+	isc_hash_destroy();
+	cleanup_entropy(&ectx);
+	dns_name_destroy();
+	if (verbose > 10)
+		isc_mem_stats(mctx, stdout);
+	isc_mem_destroy(&mctx);
+
+	(void) isc_app_finish();
+
+	return (0);
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-verify.docbook	Sat Dec 15 05:39:18 2012 +0000
@@ -0,0 +1,185 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+	       [<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- Id: dnssec-verify.docbook,v 1.52 2011/12/22 07:32:40 each Exp  -->
+<refentry id="man.dnssec-verify">
+  <refentryinfo>
+    <date>April 12, 2012</date>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle><application>dnssec-verify</application></refentrytitle>
+   <manvolnum>8</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname><application>dnssec-verify</application></refname>
+    <refpurpose>DNSSEC zone verification tool</refpurpose>
+  </refnamediv>
+
+  <docinfo>
+    <copyright>
+      <year>2012</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>dnssec-verify</command>
+      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
+      <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
+      <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
+      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+      <arg><option>-x</option></arg>
+      <arg><option>-z</option></arg>
+      <arg choice="req">zonefile</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>DESCRIPTION</title>
+    <para><command>dnssec-verify</command>
+      verifies that a zone is fully signed for each algorithm found
+      in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
+      chains are complete.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>OPTIONS</title>
+
+    <variablelist>
+      <varlistentry>
+        <term>-c <replaceable class="parameter">class</replaceable></term>
+        <listitem>
+          <para>
+            Specifies the DNS class of the zone.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-I <replaceable class="parameter">input-format</replaceable></term>
+        <listitem>
+          <para>
+            The format of the input zone file.
+	    Possible formats are <command>"text"</command> (default)
+	    and <command>"raw"</command>.
+	    This option is primarily intended to be used for dynamic
+            signed zones so that the dumped zone file in a non-text
+            format containing updates can be verified independently.
+	    The use of this option does not make much sense for
+	    non-dynamic zones.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-o <replaceable class="parameter">origin</replaceable></term>
+        <listitem>
+          <para>
+            The zone origin.  If not specified, the name of the zone file
+            is assumed to be the origin.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-v <replaceable class="parameter">level</replaceable></term>
+        <listitem>
+          <para>
+            Sets the debugging level.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-x</term>
+        <listitem>
+          <para>
+            Only verify that the DNSKEY RRset is signed with key-signing
+            keys.  Without this flag, it is assumed that the DNSKEY RRset
+            will be signed by all active keys.  When this flag is set,
+            it will not be an error if the DNSKEY RRset is not signed
+            by zone-signing keys.  This corresponds to the <option>-x</option>
+            option in <command>dnssec-signzone</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-z</term>
+	<listitem>
+	  <para>
+	    Ignore the KSK flag on the keys when determining whether
+            the zone if correctly signed.  Without this flag it is
+	    assumed that there will be a non-revoked, self-signed
+	    DNSKEY with the KSK flag set for each algorithm and
+	    that RRsets other than DNSKEY RRset will be signed with
+            a different DNSKEY without the KSK flag set.
+	  </para>
+	  <para>
+	    With this flag set, we only require that for each algorithm,
+            there will be at least one non-revoked, self-signed DNSKEY,
+            regardless of the KSK flag state, and that other RRsets
+	    will be signed by a non-revoked key for the same algorithm
+            that includes the self-signed key; the same key may be used
+            for both purposes.  This corresponds to the <option>-z</option>
+            option in <command>dnssec-signzone</command>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>zonefile</term>
+        <listitem>
+          <para>
+            The file containing the zone to be signed.
+          </para>
+        </listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+      <citetitle>RFC 4033</citetitle>.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>AUTHOR</title>
+    <para><corpauthor>Internet Systems Consortium</corpauthor>
+    </para>
+  </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-verify.html	Sat Dec 15 05:39:18 2012 +0000
@@ -0,0 +1,118 @@
+<!--
+ - Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- Id -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-verify</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.dnssec-verify"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">dnssec-verify</span> &#8212; DNSSEC zone verification tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code>  [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543390"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dnssec-verify</strong></span>
+      verifies that a zone is fully signed for each algorithm found
+      in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
+      chains are complete.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543402"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd><p>
+            Specifies the DNS class of the zone.
+          </p></dd>
+<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
+<dd><p>
+            The format of the input zone file.
+	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
+	    and <span><strong class="command">"raw"</strong></span>.
+	    This option is primarily intended to be used for dynamic
+            signed zones so that the dumped zone file in a non-text
+            format containing updates can be verified independently.
+	    The use of this option does not make much sense for
+	    non-dynamic zones.
+          </p></dd>
+<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
+<dd><p>
+            The zone origin.  If not specified, the name of the zone file
+            is assumed to be the origin.
+          </p></dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd><p>
+            Sets the debugging level.
+          </p></dd>
+<dt><span class="term">-x</span></dt>
+<dd><p>
+            Only verify that the DNSKEY RRset is signed with key-signing
+            keys.  Without this flag, it is assumed that the DNSKEY RRset
+            will be signed by all active keys.  When this flag is set,
+            it will not be an error if the DNSKEY RRset is not signed
+            by zone-signing keys.  This corresponds to the <code class="option">-x</code>
+            option in <span><strong class="command">dnssec-signzone</strong></span>.
+          </p></dd>
+<dt><span class="term">-z</span></dt>
+<dd>
+<p>
+	    Ignore the KSK flag on the keys when determining whether
+            the zone if correctly signed.  Without this flag it is
+	    assumed that there will be a non-revoked, self-signed
+	    DNSKEY with the KSK flag set for each algorithm and
+	    that RRsets other than DNSKEY RRset will be signed with
+            a different DNSKEY without the KSK flag set.
+	  </p>
+<p>
+	    With this flag set, we only require that for each algorithm,
+            there will be at least one non-revoked, self-signed DNSKEY,
+            regardless of the KSK flag state, and that other RRsets
+	    will be signed by a non-revoked key for the same algorithm
+            that includes the self-signed key; the same key may be used
+            for both purposes.  This corresponds to the <code class="option">-z</code>
+            option in <span><strong class="command">dnssec-signzone</strong></span>.
+	  </p>
+</dd>
+<dt><span class="term">zonefile</span></dt>
+<dd><p>
+            The file containing the zone to be signed.
+          </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543543"></a><h2>SEE ALSO</h2>
+<p>
+      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+      <em class="citetitle">RFC 4033</em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543637"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+    </p>
+</div>
+</div></body>
+</html>
--- a/external/bsd/bind/dist/bin/dnssec/dnssectool.c	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssectool.c	Sat Dec 15 05:39:18 2012 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dnssectool.c,v 1.2.6.1 2012/06/05 21:15:17 bouyer Exp $	*/
+/*	$NetBSD: dnssectool.c,v 1.2.6.2 2012/12/15 05:39:24 riz Exp $	*/
 
 /*
- * Copyright (C) 2004, 2005, 2007, 2009-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009-2012  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -29,9 +29,11 @@
 
 #include <stdlib.h>
 
+#include <isc/base32.h>
 #include <isc/buffer.h>
 #include <isc/dir.h>
 #include <isc/entropy.h>
+#include <isc/heap.h>
 #include <isc/list.h>
 #include <isc/mem.h>
 #include <isc/string.h>
@@ -39,12 +41,19 @@
 #include <isc/util.h>
 #include <isc/print.h>
 
+#include <dns/db.h>
+#include <dns/dbiterator.h>
 #include <dns/dnssec.h>
+#include <dns/fixedname.h>
 #include <dns/keyvalues.h>
 #include <dns/log.h>
 #include <dns/name.h>
+#include <dns/nsec.h>
+#include <dns/nsec3.h>
 #include <dns/rdatastruct.h>
 #include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
 #include <dns/rdatatype.h>
 #include <dns/result.h>
 #include <dns/secalg.h>
@@ -52,6 +61,18 @@
 
 #include "dnssectool.h"
 
+static isc_heap_t *expected_chains, *found_chains;
+
+struct nsec3_chain_fixed {
+	isc_uint8_t	hash;
+	isc_uint8_t	salt_length;
+	isc_uint8_t	next_length;
+	isc_uint16_t	iterations;
+	/* unsigned char salt[0]; */
+	/* unsigned char owner[0]; */
+	/* unsigned char next[0]; */
+};
+
 extern int verbose;
 extern const char *program;
 
@@ -469,3 +490,1240 @@
 
 	return (conflict);
 }
+
+isc_boolean_t
+is_delegation(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
+	      dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp)
+{
+	dns_rdataset_t nsset;
+	isc_result_t result;
+
+	if (dns_name_equal(name, origin))
+		return (ISC_FALSE);
+
+	dns_rdataset_init(&nsset);
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_ns,
+				     0, 0, &nsset, NULL);
+	if (dns_rdataset_isassociated(&nsset)) {
+		if (ttlp != NULL)
+			*ttlp = nsset.ttl;
+		dns_rdataset_disassociate(&nsset);
+	}
+
+	return (ISC_TF(result == ISC_R_SUCCESS));
+}
+
+static isc_boolean_t
+goodsig(dns_name_t *origin, dns_rdata_t *sigrdata, dns_name_t *name,
+	dns_rdataset_t *keyrdataset, dns_rdataset_t *rdataset, isc_mem_t *mctx)
+{
+	dns_rdata_dnskey_t key;
+	dns_rdata_rrsig_t sig;
+	dst_key_t *dstkey = NULL;
+	isc_result_t result;
+
+	dns_rdata_tostruct(sigrdata, &sig, NULL);
+
+	for (result = dns_rdataset_first(keyrdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(keyrdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdataset_current(keyrdataset, &rdata);
+		dns_rdata_tostruct(&rdata, &key, NULL);
+		result = dns_dnssec_keyfromrdata(origin, &rdata, mctx,
+						 &dstkey);
+		if (result != ISC_R_SUCCESS)
+			return (ISC_FALSE);
+		if (sig.algorithm != key.algorithm ||
+		    sig.keyid != dst_key_id(dstkey) ||
+		    !dns_name_equal(&sig.signer, origin)) {
+			dst_key_free(&dstkey);
+			continue;
+		}
+		result = dns_dnssec_verify(name, rdataset, dstkey, ISC_FALSE,
+					   mctx, sigrdata);
+		dst_key_free(&dstkey);
+		if (result == ISC_R_SUCCESS)
+			return(ISC_TRUE);
+	}
+	return (ISC_FALSE);
+}
+
+static isc_result_t
+verifynsec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	   dns_dbnode_t *node, dns_name_t *nextname)
+{
+	unsigned char buffer[DNS_NSEC_BUFFERSIZE];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char nextbuf[DNS_NAME_FORMATSIZE];
+	char found[DNS_NAME_FORMATSIZE];
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_t tmprdata = DNS_RDATA_INIT;
+	dns_rdata_nsec_t nsec;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec,
+				     0, 0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		fprintf(stderr, "Missing NSEC record for %s\n", namebuf);
+		goto failure;
+	}
+
+	result = dns_rdataset_first(&rdataset);
+	check_result(result, "dns_rdataset_first()");
+
+	dns_rdataset_current(&rdataset, &rdata);
+	result = dns_rdata_tostruct(&rdata, &nsec, NULL);
+	check_result(result, "dns_rdata_tostruct()");
+	/* Check bit next name is consistent */
+	if (!dns_name_equal(&nsec.next, nextname)) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		dns_name_format(nextname, nextbuf, sizeof(nextbuf));
+		dns_name_format(&nsec.next, found, sizeof(found));
+		fprintf(stderr, "Bad record NSEC record for %s, next name "
+				"mismatch (expected:%s, found:%s)\n", namebuf,
+				nextbuf, found);
+		goto failure;
+	}
+	/* Check bit map is consistent */
+	result = dns_nsec_buildrdata(db, ver, node, nextname, buffer,
+				     &tmprdata);
+	check_result(result, "dns_nsec_buildrdata()");
+	if (dns_rdata_compare(&rdata, &tmprdata) != 0) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		fprintf(stderr, "Bad record NSEC record for %s, bit map "
+				"mismatch\n", namebuf);
+		goto failure;
+	}
+	result = dns_rdataset_next(&rdataset);
+	if (result != ISC_R_NOMORE) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		fprintf(stderr, "Multipe NSEC records for %s\n", namebuf);
+		goto failure;
+
+	}
+	dns_rdataset_disassociate(&rdataset);
+	return (ISC_R_SUCCESS);
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	return (ISC_R_FAILURE);
+}
+
+static void
+check_no_rrsig(dns_db_t *db, dns_dbversion_t *ver, dns_rdataset_t *rdataset,
+	       dns_name_t *name, dns_dbnode_t *node)
+{
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char typebuf[80];
+	dns_rdataset_t sigrdataset;
+	dns_rdatasetiter_t *rdsiter = NULL;
+	isc_result_t result;
+
+	dns_rdataset_init(&sigrdataset);
+	result = dns_db_allrdatasets(db, node, ver, 0, &rdsiter);
+	check_result(result, "dns_db_allrdatasets()");
+	for (result = dns_rdatasetiter_first(rdsiter);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(rdsiter)) {
+		dns_rdatasetiter_current(rdsiter, &sigrdataset);
+		if (sigrdataset.type == dns_rdatatype_rrsig &&
+		    sigrdataset.covers == rdataset->type)
+			break;
+		dns_rdataset_disassociate(&sigrdataset);
+	}
+	if (result == ISC_R_SUCCESS) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		type_format(rdataset->type, typebuf, sizeof(typebuf));
+		fprintf(stderr, "Warning: Found unexpected signatures for "
+			"%s/%s\n", namebuf, typebuf);
+	}
+	if (dns_rdataset_isassociated(&sigrdataset))
+		dns_rdataset_disassociate(&sigrdataset);
+	dns_rdatasetiter_destroy(&rdsiter);
+}
+
+static isc_boolean_t
+chain_compare(void *arg1, void *arg2) {
+	struct nsec3_chain_fixed *e1 = arg1, *e2 = arg2;
+	size_t len;
+
+	/*
+	 * Do each element in turn to get a stable sort.
+	 */
+	if (e1->hash < e2->hash)
+		return (ISC_TRUE);
+	if (e1->hash > e2->hash)
+		return (ISC_FALSE);
+	if (e1->iterations < e2->iterations)
+		return (ISC_TRUE);
+	if (e1->iterations > e2->iterations)
+		return (ISC_FALSE);
+	if (e1->salt_length < e2->salt_length)
+		return (ISC_TRUE);
+	if (e1->salt_length > e2->salt_length)
+		return (ISC_FALSE);
+	if (e1->next_length < e2->next_length)
+		return (ISC_TRUE);
+	if (e1->next_length > e2->next_length)
+		return (ISC_FALSE);
+	len = e1->salt_length + 2 * e1->next_length;
+	if (memcmp(e1 + 1, e2 + 1, len) < 0)
+		return (ISC_TRUE);
+	return (ISC_FALSE);
+}
+
+static isc_boolean_t
+chain_equal(struct nsec3_chain_fixed *e1, struct nsec3_chain_fixed *e2) {
+	size_t len;
+
+	if (e1->hash != e2->hash)
+		return (ISC_FALSE);
+	if (e1->iterations != e2->iterations)
+		return (ISC_FALSE);
+	if (e1->salt_length != e2->salt_length)
+		return (ISC_FALSE);
+	if (e1->next_length != e2->next_length)
+		return (ISC_FALSE);
+	len = e1->salt_length + 2 * e1->next_length;
+	if (memcmp(e1 + 1, e2 + 1, len) != 0)
+		return (ISC_FALSE);
+	return (ISC_TRUE);
+}
+
+static isc_result_t
+record_nsec3(const unsigned char *rawhash, const dns_rdata_nsec3_t *nsec3,
+	     isc_mem_t *mctx, isc_heap_t *chains)
+{
+	struct nsec3_chain_fixed *element;
+	size_t len;
+	unsigned char *cp;
+	isc_result_t result;
+
+	len = sizeof(*element) + nsec3->next_length * 2 + nsec3->salt_length;
+
+	element = isc_mem_get(mctx, len);
+	if (element == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(element, 0, len);
+	element->hash = nsec3->hash;
+	element->salt_length = nsec3->salt_length;
+	element->next_length = nsec3->next_length;
+	element->iterations = nsec3->iterations;
+	cp = (unsigned char *)(element + 1);
+	memcpy(cp, nsec3->salt, nsec3->salt_length);
+	cp += nsec3->salt_length;
+	memcpy(cp, rawhash, nsec3->next_length);
+	cp += nsec3->next_length;
+	memcpy(cp, nsec3->next, nsec3->next_length);
+	result = isc_heap_insert(chains, element);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "isc_heap_insert failed: %s\n",
+			isc_result_totext(result));
+		isc_mem_put(mctx, element, len);
+	}
+	return (result);
+}
+
+static isc_result_t
+match_nsec3(dns_name_t *name, isc_mem_t *mctx,
+	    dns_rdata_nsec3param_t *nsec3param, dns_rdataset_t *rdataset,
+	    unsigned char types[8192], unsigned int maxtype,
+	    unsigned char *rawhash, size_t rhsize)
+{
+	unsigned char cbm[8244];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	dns_rdata_nsec3_t nsec3;
+	isc_result_t result;
+	unsigned int len;
+
+	/*
+	 * Find matching NSEC3 record.
+	 */
+	for (result = dns_rdataset_first(rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdataset_current(rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
+		check_result(result, "dns_rdata_tostruct()");
+		if (nsec3.hash == nsec3param->hash &&
+		    nsec3.next_length == rhsize &&
+		    nsec3.iterations == nsec3param->iterations &&
+		    nsec3.salt_length == nsec3param->salt_length &&
+		    memcmp(nsec3.salt, nsec3param->salt,
+			   nsec3param->salt_length) == 0)
+			break;
+	}
+	if (result != ISC_R_SUCCESS) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		fprintf(stderr, "Missing NSEC3 record for %s\n", namebuf);
+		return (result);
+	}
+
+	/*
+	 * Check the type list.
+	 */
+	len = dns_nsec_compressbitmap(cbm, types, maxtype);
+	if (nsec3.len != len || memcmp(cbm, nsec3.typebits, len) != 0) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		fprintf(stderr, "Bad record NSEC3 record for %s, bit map "
+				"mismatch\n", namebuf);
+		return (ISC_R_FAILURE);
+	}
+
+	/*
+	 * Record chain.
+	 */
+	result = record_nsec3(rawhash, &nsec3, mctx, expected_chains);
+	check_result(result, "record_nsec3()");
+
+	/*
+	 * Make sure there is only one NSEC3 record with this set of
+	 * parameters.
+	 */
+	for (result = dns_rdataset_next(rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdataset_current(rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
+		check_result(result, "dns_rdata_tostruct()");
+		if (nsec3.hash == nsec3param->hash &&
+		    nsec3.iterations == nsec3param->iterations &&
+		    nsec3.salt_length == nsec3param->salt_length &&
+		    memcmp(nsec3.salt, nsec3param->salt,
+			   nsec3.salt_length) == 0) {
+			dns_name_format(name, namebuf, sizeof(namebuf));
+			fprintf(stderr, "Multiple NSEC3 records with the "
+				"same parameter set for %s", namebuf);
+			result = DNS_R_DUPLICATE;
+			break;
+		}
+	}
+	if (result != ISC_R_NOMORE)
+		return (result);
+
+	result = ISC_R_SUCCESS;
+	return (result);
+}
+
+static isc_boolean_t
+innsec3params(dns_rdata_nsec3_t *nsec3, dns_rdataset_t *nsec3paramset) {
+	dns_rdata_nsec3param_t nsec3param;
+	isc_result_t result;
+
+	for (result = dns_rdataset_first(nsec3paramset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(nsec3paramset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(nsec3paramset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+		if (nsec3param.flags == 0 &&
+		    nsec3param.hash == nsec3->hash &&
+		    nsec3param.iterations == nsec3->iterations &&
+		    nsec3param.salt_length == nsec3->salt_length &&
+		    memcmp(nsec3param.salt, nsec3->salt,
+			   nsec3->salt_length) == 0)
+			return (ISC_TRUE);
+	}
+	return (ISC_FALSE);
+}
+
+static isc_result_t
+record_found(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx,
+	     dns_name_t *name, dns_dbnode_t *node,
+	     dns_rdataset_t *nsec3paramset)
+{
+	unsigned char owner[NSEC3_MAX_HASH_LENGTH];
+	dns_rdata_nsec3_t nsec3;
+	dns_rdataset_t rdataset;
+	dns_label_t hashlabel;
+	isc_buffer_t b;
+	isc_result_t result;
+
+	if (nsec3paramset == NULL || !dns_rdataset_isassociated(nsec3paramset))
+		return (ISC_R_SUCCESS);
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3,
+				     0, 0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS)
+		return (ISC_R_SUCCESS);
+
+	dns_name_getlabel(name, 0, &hashlabel);
+	isc_region_consume(&hashlabel, 1);
+	isc_buffer_init(&b, owner, sizeof(owner));
+	result = isc_base32hex_decoderegion(&hashlabel, &b);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
+		check_result(result, "dns_rdata_tostruct()");
+		if (nsec3.next_length != isc_buffer_usedlength(&b))
+			continue;
+		/*
+		 * We only care about NSEC3 records that match a NSEC3PARAM
+		 * record.
+		 */
+		if (!innsec3params(&nsec3, nsec3paramset))
+			continue;
+
+		/*
+		 * Record chain.
+		 */
+		result = record_nsec3(owner, &nsec3, mctx, found_chains);
+		check_result(result, "record_nsec3()");
+	}
+
+ cleanup:
+	dns_rdataset_disassociate(&rdataset);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+verifynsec3(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
+	    isc_mem_t *mctx, dns_name_t *name, dns_rdata_t *rdata,
+	    isc_boolean_t delegation, unsigned char types[8192],
+	    unsigned int maxtype)
+{
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char hashbuf[DNS_NAME_FORMATSIZE];
+	dns_rdataset_t rdataset;
+	dns_rdata_nsec3param_t nsec3param;
+	dns_fixedname_t fixed;
+	dns_name_t *hashname;
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	unsigned char rawhash[NSEC3_MAX_HASH_LENGTH];
+	size_t rhsize = sizeof(rawhash);
+
+	result = dns_rdata_tostruct(rdata, &nsec3param, NULL);
+	check_result(result, "dns_rdata_tostruct()");
+
+	if (nsec3param.flags != 0)
+		return (ISC_R_SUCCESS);
+
+	if (!dns_nsec3_supportedhash(nsec3param.hash))
+		return (ISC_R_SUCCESS);
+
+	dns_fixedname_init(&fixed);
+	result = dns_nsec3_hashname(&fixed, rawhash, &rhsize, name, origin,
+				    nsec3param.hash, nsec3param.iterations,
+				    nsec3param.salt, nsec3param.salt_length);
+	check_result(result, "dns_nsec3_hashname()");
+
+	/*
+	 * We don't use dns_db_find() here as it works with the choosen
+	 * nsec3 chain and we may also be called with uncommitted data
+	 * from dnssec-signzone so the secure status of the zone may not
+	 * be up to date.
+	 */
+	dns_rdataset_init(&rdataset);
+	hashname = dns_fixedname_name(&fixed);
+	result = dns_db_findnsec3node(db, hashname, ISC_FALSE, &node);
+	if (result == ISC_R_SUCCESS)
+		result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3,
+					     0, 0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS &&
+	    (!delegation || dns_nsec_isset(types, dns_rdatatype_ds))) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		dns_name_format(hashname, hashbuf, sizeof(hashbuf));
+		fprintf(stderr, "Missing NSEC3 record for %s (%s)\n",
+			namebuf, hashbuf);
+	} else if (result == ISC_R_SUCCESS) {
+		result = match_nsec3(name, mctx, &nsec3param, &rdataset,
+				     types, maxtype, rawhash, rhsize);
+	} else if (result == ISC_R_NOTFOUND && delegation)
+		result = ISC_R_SUCCESS;
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+
+	return (result);
+}
+
+static isc_result_t
+verifynsec3s(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
+	     isc_mem_t *mctx, dns_name_t *name, dns_rdataset_t *nsec3paramset,
+	     isc_boolean_t delegation, unsigned char types[8192],
+	     unsigned int maxtype)
+{
+	isc_result_t result;
+
+	for (result = dns_rdataset_first(nsec3paramset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(nsec3paramset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(nsec3paramset, &rdata);
+		result = verifynsec3(db, ver, origin, mctx, name, &rdata,
+				     delegation, types, maxtype);
+		if (result != ISC_R_SUCCESS)
+			break;
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+	return (result);
+}
+
+static void
+verifyset(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
+	  isc_mem_t *mctx, dns_rdataset_t *rdataset, dns_name_t *name,
+	  dns_dbnode_t *node, dns_rdataset_t *keyrdataset,
+	  unsigned char *act_algorithms, unsigned char *bad_algorithms)
+{
+	unsigned char set_algorithms[256];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char algbuf[80];
+	char typebuf[80];
+	dns_rdataset_t sigrdataset;
+	dns_rdatasetiter_t *rdsiter = NULL;
+	isc_result_t result;
+	int i;
+
+	dns_rdataset_init(&sigrdataset);
+	result = dns_db_allrdatasets(db, node, ver, 0, &rdsiter);
+	check_result(result, "dns_db_allrdatasets()");
+	for (result = dns_rdatasetiter_first(rdsiter);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(rdsiter)) {
+		dns_rdatasetiter_current(rdsiter, &sigrdataset);
+		if (sigrdataset.type == dns_rdatatype_rrsig &&
+		    sigrdataset.covers == rdataset->type)
+			break;
+		dns_rdataset_disassociate(&sigrdataset);
+	}
+	if (result != ISC_R_SUCCESS) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		type_format(rdataset->type, typebuf, sizeof(typebuf));
+		fprintf(stderr, "No signatures for %s/%s\n", namebuf, typebuf);
+		for (i = 0; i < 256; i++)
+			if (act_algorithms[i] != 0)
+				bad_algorithms[i] = 1;
+		dns_rdatasetiter_destroy(&rdsiter);
+		return;
+	}
+
+	memset(set_algorithms, 0, sizeof(set_algorithms));
+	for (result = dns_rdataset_first(&sigrdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&sigrdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdata_rrsig_t sig;
+
+		dns_rdataset_current(&sigrdataset, &rdata);
+		dns_rdata_tostruct(&rdata, &sig, NULL);
+		if (rdataset->ttl != sig.originalttl) {
+			dns_name_format(name, namebuf, sizeof(namebuf));
+			type_format(rdataset->type, typebuf, sizeof(typebuf));
+			fprintf(stderr, "TTL mismatch for %s %s keytag %u\n",
+				namebuf, typebuf, sig.keyid);
+			continue;
+		}
+		if ((set_algorithms[sig.algorithm] != 0) ||
+		    (act_algorithms[sig.algorithm] == 0))
+			continue;
+		if (goodsig(origin, &rdata, name, keyrdataset, rdataset, mctx))
+			set_algorithms[sig.algorithm] = 1;
+	}
+	dns_rdatasetiter_destroy(&rdsiter);
+	if (memcmp(set_algorithms, act_algorithms, sizeof(set_algorithms))) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		type_format(rdataset->type, typebuf, sizeof(typebuf));
+		for (i = 0; i < 256; i++)
+			if ((act_algorithms[i] != 0) &&
+			    (set_algorithms[i] == 0)) {
+				dns_secalg_format(i, algbuf, sizeof(algbuf));
+				fprintf(stderr, "No correct %s signature for "
+					"%s %s\n", algbuf, namebuf, typebuf);
+				bad_algorithms[i] = 1;
+			}
+	}
+	dns_rdataset_disassociate(&sigrdataset);
+}
+
+static isc_result_t
+verifynode(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
+	   isc_mem_t *mctx, dns_name_t *name, dns_dbnode_t *node,
+	   isc_boolean_t delegation, dns_rdataset_t *keyrdataset,
+	   unsigned char *act_algorithms, unsigned char *bad_algorithms,
+	   dns_rdataset_t *nsecset, dns_rdataset_t *nsec3paramset,
+	   dns_name_t *nextname)
+{
+	unsigned char types[8192];
+	unsigned int maxtype = 0;
+	dns_rdataset_t rdataset; dns_rdatasetiter_t *rdsiter = NULL;
+	isc_result_t result, tresult;
+
+	memset(types, 0, sizeof(types));
+	result = dns_db_allrdatasets(db, node, ver, 0, &rdsiter);
+	check_result(result, "dns_db_allrdatasets()");
+	result = dns_rdatasetiter_first(rdsiter);
+	dns_rdataset_init(&rdataset);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+		/*
+		 * If we are not at a delegation then everything should be
+		 * signed.  If we are at a delegation then only the DS set
+		 * is signed.  The NS set is not signed at a delegation but
+		 * its existance is recorded in the bit map.  Anything else
+		 * other than NSEC and DS is not signed at a delegation.
+		 */
+		if (rdataset.type != dns_rdatatype_rrsig &&
+		    rdataset.type != dns_rdatatype_dnskey &&
+		    (!delegation || rdataset.type == dns_rdatatype_ds ||
+		     rdataset.type == dns_rdatatype_nsec)) {
+			verifyset(db, ver, origin, mctx, &rdataset,
+				  name, node, keyrdataset,
+				  act_algorithms, bad_algorithms);
+			dns_nsec_setbit(types, rdataset.type, 1);
+			if (rdataset.type > maxtype)
+				maxtype = rdataset.type;
+		} else if (rdataset.type != dns_rdatatype_rrsig &&
+			   rdataset.type != dns_rdatatype_dnskey) {
+			if (rdataset.type == dns_rdatatype_ns)
+				dns_nsec_setbit(types, rdataset.type, 1);
+			check_no_rrsig(db, ver, &rdataset, name, node);
+		} else
+			dns_nsec_setbit(types, rdataset.type, 1);
+		dns_rdataset_disassociate(&rdataset);
+		result = dns_rdatasetiter_next(rdsiter);
+	}
+	if (result != ISC_R_NOMORE)
+		fatal("rdataset iteration failed: %s",
+		      isc_result_totext(result));
+	dns_rdatasetiter_destroy(&rdsiter);
+
+	result = ISC_R_SUCCESS;
+
+	if (nsecset != NULL && dns_rdataset_isassociated(nsecset))
+		result = verifynsec(db, ver, name, node, nextname);
+
+	if (nsec3paramset != NULL && dns_rdataset_isassociated(nsec3paramset)) {
+		tresult = verifynsec3s(db, ver, origin, mctx, name,
+				       nsec3paramset, delegation, types,
+				       maxtype);
+		if (result == ISC_R_SUCCESS && tresult != ISC_R_SUCCESS)
+			result = tresult;
+	}
+	return (result);
+}
+
+static isc_boolean_t
+is_empty(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node) {
+	dns_rdatasetiter_t *rdsiter = NULL;
+	isc_result_t result;
+
+	result = dns_db_allrdatasets(db, node, ver, 0, &rdsiter);
+	check_result(result, "dns_db_allrdatasets()");
+	result = dns_rdatasetiter_first(rdsiter);
+	dns_rdatasetiter_destroy(&rdsiter);
+	if (result == ISC_R_NOMORE)
+		return (ISC_TRUE);
+	return (ISC_FALSE);
+}
+
+static void
+check_no_nsec(dns_name_t *name, dns_dbnode_t *node, dns_db_t *db,
+	      dns_dbversion_t *ver)
+{
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec,
+				     0, 0, &rdataset, NULL);
+	if (result != ISC_R_NOTFOUND) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		fatal("unexpected NSEC RRset at %s\n", namebuf);
+	}
+
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+}
+
+static isc_boolean_t
+newchain(const struct nsec3_chain_fixed *first,
+	 const struct nsec3_chain_fixed *e)
+{
+	if (first->hash != e->hash ||
+	    first->iterations != e->iterations ||
+	    first->salt_length != e->salt_length ||
+	    first->next_length != e->next_length ||
+	    memcmp(first + 1, e + 1, first->salt_length) != 0)
+		return (ISC_TRUE);
+	return (ISC_FALSE);
+}
+
+static void
+free_element(isc_mem_t *mctx, struct nsec3_chain_fixed *e) {
+	size_t len;
+
+	len = sizeof(*e) + e->salt_length + 2 * e->next_length;
+	isc_mem_put(mctx, e, len);
+}
+
+static isc_boolean_t
+checknext(const struct nsec3_chain_fixed *first,
+	  const struct nsec3_chain_fixed *e)
+{
+	char buf[512];
+	const unsigned char *d1 = (const unsigned char *)(first + 1);
+	const unsigned char *d2 = (const unsigned char *)(e + 1);
+	isc_buffer_t b;
+	isc_region_t sr;
+
+	d1 += first->salt_length + first->next_length;
+	d2 += e->salt_length;
+
+	if (memcmp(d1, d2, first->next_length) == 0)
+		return (ISC_TRUE);
+
+	DE_CONST(d1 - first->next_length, sr.base);
+	sr.length = first->next_length;
+	isc_buffer_init(&b, buf, sizeof(buf));
+	isc_base32hex_totext(&sr, 1, "", &b);
+	fprintf(stderr, "Break in NSEC3 chain at: %.*s\n",
+		(int) isc_buffer_usedlength(&b), buf);
+
+	DE_CONST(d1, sr.base);
+	sr.length = first->next_length;
+	isc_buffer_init(&b, buf, sizeof(buf));
+	isc_base32hex_totext(&sr, 1, "", &b);
+	fprintf(stderr, "Expected: %.*s\n", (int) isc_buffer_usedlength(&b),
+		buf);
+
+	DE_CONST(d2, sr.base);
+	sr.length = first->next_length;
+	isc_buffer_init(&b, buf, sizeof(buf));
+	isc_base32hex_totext(&sr, 1, "", &b);
+	fprintf(stderr, "Found: %.*s\n", (int) isc_buffer_usedlength(&b), buf);
+
+	return (ISC_FALSE);
+}
+
+#define EXPECTEDANDFOUND "Expected and found NSEC3 chains not equal\n"
+
+static isc_result_t
+verify_nsec3_chains(isc_mem_t *mctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	struct nsec3_chain_fixed *e, *f = NULL;
+	struct nsec3_chain_fixed *first = NULL, *prev = NULL;
+
+	while ((e = isc_heap_element(expected_chains, 1)) != NULL) {
+		isc_heap_delete(expected_chains, 1);
+		if (f == NULL)
+			f = isc_heap_element(found_chains, 1);
+		if (f != NULL) {
+			isc_heap_delete(found_chains, 1);
+
+			/*
+			 * Check that they match.
+			 */
+			if (chain_equal(e, f)) {
+				free_element(mctx, f);
+				f = NULL;
+			} else {
+				if (result == ISC_R_SUCCESS)
+					fprintf(stderr, EXPECTEDANDFOUND);
+				result = ISC_R_FAILURE;
+				/*
+				 * Attempt to resync found_chain.
+				 */
+				while (f != NULL && !chain_compare(e, f)) {
+					free_element(mctx, f);
+					f = isc_heap_element(found_chains, 1);
+					if (f != NULL)
+						isc_heap_delete(found_chains, 1);
+					if (f != NULL && chain_equal(e, f)) {
+						free_element(mctx, f);
+						f = NULL;
+						break;
+					}
+				}
+			}
+		} else if (result == ISC_R_SUCCESS) {
+			fprintf(stderr, EXPECTEDANDFOUND);
+			result = ISC_R_FAILURE;
+		}
+		if (first == NULL || newchain(first, e)) {
+			if (prev != NULL) {
+				if (!checknext(prev, first))
+					result = ISC_R_FAILURE;
+				if (prev != first)
+					free_element(mctx, prev);
+			}
+			if (first != NULL)
+				free_element(mctx, first);
+			prev = first = e;
+			continue;
+		}
+		if (!checknext(prev, e))
+			result = ISC_R_FAILURE;
+		if (prev != first)
+			free_element(mctx, prev);
+		prev = e;
+	}
+	if (prev != NULL) {
+		if (!checknext(prev, first))
+			result = ISC_R_FAILURE;
+		if (prev != first)
+			free_element(mctx, prev);
+	}
+	if (first != NULL)
+		free_element(mctx, first);
+	do {
+		if (f != NULL) {
+			if (result == ISC_R_SUCCESS) {
+				fprintf(stderr, EXPECTEDANDFOUND);
+				result = ISC_R_FAILURE;
+			}
+			free_element(mctx, f);
+		}
+		f = isc_heap_element(found_chains, 1);
+		if (f != NULL)
+			isc_heap_delete(found_chains, 1);
+	} while (f != NULL);
+
+	return (result);
+}
+
+static isc_result_t
+verifyemptynodes(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
+		 isc_mem_t *mctx, dns_name_t *name, dns_name_t *nextname,
+		 dns_rdataset_t *nsec3paramset)
+{
+	dns_namereln_t reln;
+	int order;
+	unsigned int labels, nlabels, i;
+	dns_name_t suffix;
+	isc_result_t result = ISC_R_SUCCESS, tresult;
+
+	reln = dns_name_fullcompare(name, nextname, &order, &labels);
+	if (order >= 0)
+		return (result);
+
+	nlabels = dns_name_countlabels(nextname);
+
+	if (reln == dns_namereln_commonancestor ||
+	    reln == dns_namereln_contains) {
+		dns_name_init(&suffix, NULL);
+		for (i = labels + 1; i < nlabels; i++) {
+			dns_name_getlabelsequence(nextname, nlabels - i, i,
+						  &suffix);
+			if (nsec3paramset != NULL &&
+			     dns_rdataset_isassociated(nsec3paramset)) {
+				tresult = verifynsec3s(db, ver, origin, mctx,
+						       &suffix, nsec3paramset,
+						       ISC_FALSE, NULL, 0);
+				if (result == ISC_R_SUCCESS &&
+				    tresult != ISC_R_SUCCESS)
+					result = tresult;
+			}
+		}
+	}
+	return (result);
+}
+
+/*%
+ * Verify that certain things are sane:
+ *
+ *   The apex has a DNSKEY record with at least one KSK, and at least
+ *   one ZSK if the -x flag was not used.
+ *
+ *   The DNSKEY record was signed with at least one of the KSKs in this
+ *   set.
+ *
+ *   The rest of the zone was signed with at least one of the ZSKs
+ *   present in the DNSKEY RRSET.
+ */
+void
+verifyzone(dns_db_t *db, dns_dbversion_t *ver,
+	   dns_name_t *origin, isc_mem_t *mctx,
+	   isc_boolean_t ignore_kskflag, isc_boolean_t keyset_kskonly)
+{
+	char algbuf[80];
+	dns_dbiterator_t *dbiter = NULL;
+	dns_dbnode_t *node = NULL, *nextnode = NULL;
+	dns_fixedname_t fname, fnextname, fzonecut;
+	dns_name_t *name, *nextname, *zonecut;
+	dns_rdata_dnskey_t dnskey;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t keyset, soaset;
+	dns_rdataset_t keysigs, soasigs;
+	dns_rdataset_t nsecset, nsecsigs;
+	dns_rdataset_t nsec3paramset, nsec3paramsigs;
+	int i;
+	isc_boolean_t done = ISC_FALSE;
+	isc_boolean_t first = ISC_TRUE;
+	isc_boolean_t goodksk = ISC_FALSE;
+	isc_boolean_t goodzsk = ISC_FALSE;
+	isc_result_t result, vresult = ISC_R_UNSET;
+	unsigned char revoked_ksk[256];
+	unsigned char revoked_zsk[256];
+	unsigned char standby_ksk[256];
+	unsigned char standby_zsk[256];
+	unsigned char ksk_algorithms[256];
+	unsigned char zsk_algorithms[256];
+	unsigned char bad_algorithms[256];
+	unsigned char act_algorithms[256];
+
+	result = isc_heap_create(mctx, chain_compare, NULL, 1024,
+				 &expected_chains);
+	check_result(result, "isc_heap_create()");
+	result = isc_heap_create(mctx, chain_compare, NULL, 1024,
+				 &found_chains);
+	check_result(result, "isc_heap_create()");
+
+	result = dns_db_findnode(db, origin, ISC_FALSE, &node);
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to find the zone's origin: %s",
+		      isc_result_totext(result));
+
+	dns_rdataset_init(&keyset);
+	dns_rdataset_init(&keysigs);
+	dns_rdataset_init(&soaset);
+	dns_rdataset_init(&soasigs);
+	dns_rdataset_init(&nsecset);
+	dns_rdataset_init(&nsecsigs);
+	dns_rdataset_init(&nsec3paramset);
+	dns_rdataset_init(&nsec3paramsigs);
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey,
+				     0, 0, &keyset, &keysigs);
+	if (result != ISC_R_SUCCESS)
+		fatal("Zone contains no DNSSEC keys\n");
+
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa,
+				     0, 0, &soaset, &soasigs);
+	if (result != ISC_R_SUCCESS)
+		fatal("Zone contains no SOA record\n");
+
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec,
+				     0, 0, &nsecset, &nsecsigs);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
+		fatal("NSEC lookup failed\n");
+
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
+				     0, 0, &nsec3paramset, &nsec3paramsigs);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
+		fatal("NSEC3PARAM lookup failed\n");
+
+	if (!dns_rdataset_isassociated(&keysigs))
+		fatal("DNSKEY is not signed (keys offline or inactive?)\n");
+
+	if (!dns_rdataset_isassociated(&soasigs))
+		fatal("SOA is not signed (keys offline or inactive?)\n");
+
+	if (dns_rdataset_isassociated(&nsecset) &&
+	    !dns_rdataset_isassociated(&nsecsigs))
+		fatal("NSEC is not signed (keys offline or inactive?)\n");
+
+	if (dns_rdataset_isassociated(&nsec3paramset) &&
+	    !dns_rdataset_isassociated(&nsec3paramsigs))
+		fatal("NSEC3PARAM is not signed (keys offline or inactive?)\n");
+
+	if (!dns_rdataset_isassociated(&nsecset) &&
+	    !dns_rdataset_isassociated(&nsec3paramset))
+		fatal("No valid NSEC/NSEC3 chain for testing\n");
+
+	dns_db_detachnode(db, &node);
+
+	memset(revoked_ksk, 0, sizeof(revoked_ksk));
+	memset(revoked_zsk, 0, sizeof(revoked_zsk));
+	memset(standby_ksk, 0, sizeof(standby_ksk));
+	memset(standby_zsk, 0, sizeof(standby_zsk));
+	memset(ksk_algorithms, 0, sizeof(ksk_algorithms));
+	memset(zsk_algorithms, 0, sizeof(zsk_algorithms));
+	memset(bad_algorithms, 0, sizeof(bad_algorithms));
+	memset(act_algorithms, 0, sizeof(act_algorithms));
+
+	/*
+	 * Check that the DNSKEY RR has at least one self signing KSK
+	 * and one ZSK per algorithm in it (or, if -x was used, one
+	 * self-signing KSK).
+	 */
+	for (result = dns_rdataset_first(&keyset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&keyset)) {
+		dns_rdataset_current(&keyset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
+		check_result(result, "dns_rdata_tostruct");
+
+		if ((dnskey.flags & DNS_KEYOWNER_ZONE) == 0)
+			;
+		else if ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0) {
+			if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
+			    !dns_dnssec_selfsigns(&rdata, origin, &keyset,
+						  &keysigs, ISC_FALSE,
+						  mctx)) {
+				char namebuf[DNS_NAME_FORMATSIZE];
+				char buffer[1024];
+				isc_buffer_t buf;
+
+				dns_name_format(origin, namebuf,
+						sizeof(namebuf));
+				isc_buffer_init(&buf, buffer, sizeof(buffer));
+				result = dns_rdata_totext(&rdata, NULL, &buf);
+				check_result(result, "dns_rdata_totext");
+				fatal("revoked KSK is not self signed:\n"
+				      "%s DNSKEY %.*s", namebuf,
+				      (int)isc_buffer_usedlength(&buf), buffer);
+			}
+			if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
+			     revoked_ksk[dnskey.algorithm] != 255)
+				revoked_ksk[dnskey.algorithm]++;
+			else if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 &&
+				 revoked_zsk[dnskey.algorithm] != 255)
+				revoked_zsk[dnskey.algorithm]++;
+		} else if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0) {
+			if (dns_dnssec_selfsigns(&rdata, origin, &keyset,
+						 &keysigs, ISC_FALSE, mctx)) {
+				if (ksk_algorithms[dnskey.algorithm] != 255)
+					ksk_algorithms[dnskey.algorithm]++;
+				goodksk = ISC_TRUE;
+			} else {
+				if (standby_ksk[dnskey.algorithm] != 255)
+					standby_ksk[dnskey.algorithm]++;
+			}
+		} else if (dns_dnssec_selfsigns(&rdata, origin, &keyset,
+						&keysigs, ISC_FALSE, mctx)) {
+			if (zsk_algorithms[dnskey.algorithm] != 255)
+				zsk_algorithms[dnskey.algorithm]++;
+			goodzsk = ISC_TRUE;
+		} else if (dns_dnssec_signs(&rdata, origin, &soaset,
+					    &soasigs, ISC_FALSE, mctx)) {
+			if (zsk_algorithms[dnskey.algorithm] != 255)
+				zsk_algorithms[dnskey.algorithm]++;
+		} else {
+			if (standby_zsk[dnskey.algorithm] != 255)
+				standby_zsk[dnskey.algorithm]++;
+		}
+		dns_rdata_freestruct(&dnskey);
+		dns_rdata_reset(&rdata);
+	}
+	dns_rdataset_disassociate(&keysigs);
+	dns_rdataset_disassociate(&soaset);
+	dns_rdataset_disassociate(&soasigs);
+	if (dns_rdataset_isassociated(&nsecsigs))
+		dns_rdataset_disassociate(&nsecsigs);
+	if (dns_rdataset_isassociated(&nsec3paramsigs))
+		dns_rdataset_disassociate(&nsec3paramsigs);
+
+	if (ignore_kskflag ) {
+		if (!goodksk && !goodzsk)
+			fatal("No self-signed DNSKEY found.");
+	} else if (!goodksk)
+		fatal("No self-signed KSK DNSKEY found.  Supply an active\n"
+		      "key with the KSK flag set, or use '-P'.");
+
+	fprintf(stderr, "Verifying the zone using the following algorithms:");
+	for (i = 0; i < 256; i++) {
+		if (ignore_kskflag)
+			act_algorithms[i] = (ksk_algorithms[i] != 0 ||
+					     zsk_algorithms[i] != 0) ? 1 : 0;
+		else
+			act_algorithms[i] = ksk_algorithms[i] != 0 ? 1 : 0;
+		if (act_algorithms[i] != 0) {
+			dns_secalg_format(i, algbuf, sizeof(algbuf));
+			fprintf(stderr, " %s", algbuf);
+		}
+	}
+	fprintf(stderr, ".\n");
+
+	if (!ignore_kskflag && !keyset_kskonly) {
+		for (i = 0; i < 256; i++) {
+			/*
+			 * The counts should both be zero or both be non-zero.
+			 * Mark the algorithm as bad if this is not met.
+			 */
+			if ((ksk_algorithms[i] != 0) ==
+			    (zsk_algorithms[i] != 0))
+				continue;
+			dns_secalg_format(i, algbuf, sizeof(algbuf));
+			fprintf(stderr, "Missing %s for algorithm %s\n",
+				(ksk_algorithms[i] != 0)
+				   ? "ZSK"
+				   : "self-signed KSK",
+				algbuf);
+			bad_algorithms[i] = 1;
+		}
+	}
+
+	/*
+	 * Check that all the other records were signed by keys that are
+	 * present in the DNSKEY RRSET.
+	 */
+
+	dns_fixedname_init(&fname);
+	name = dns_fixedname_name(&fname);
+	dns_fixedname_init(&fnextname);
+	nextname = dns_fixedname_name(&fnextname);
+	dns_fixedname_init(&fzonecut);
+	zonecut = NULL;
+
+	result = dns_db_createiterator(db, DNS_DB_NONSEC3, &dbiter);
+	check_result(result, "dns_db_createiterator()");
+
+	result = dns_dbiterator_first(dbiter);
+	check_result(result, "dns_dbiterator_first()");
+
+	while (!done) {
+		isc_boolean_t isdelegation = ISC_FALSE;
+
+		result = dns_dbiterator_current(dbiter, &node, name);
+		check_dns_dbiterator_current(result);
+		if (!dns_name_issubdomain(name, origin)) {
+			check_no_nsec(name, node, db, ver);
+			dns_db_detachnode(db, &node);
+			result = dns_dbiterator_next(dbiter);
+			if (result == ISC_R_NOMORE)
+				done = ISC_TRUE;
+			else
+				check_result(result, "dns_dbiterator_next()");
+			continue;
+		}
+		if (is_delegation(db, ver, origin, name, node, NULL)) {
+			zonecut = dns_fixedname_name(&fzonecut);
+			dns_name_copy(name, zonecut, NULL);
+			isdelegation = ISC_TRUE;
+		}
+		nextnode = NULL;
+		result = dns_dbiterator_next(dbiter);
+		while (result == ISC_R_SUCCESS) {
+			result = dns_dbiterator_current(dbiter, &nextnode,
+							nextname);
+			check_dns_dbiterator_current(result);
+			if (!dns_name_issubdomain(nextname, origin) ||
+			    (zonecut != NULL &&
+			     dns_name_issubdomain(nextname, zonecut)))
+			{
+				check_no_nsec(nextname, nextnode, db, ver);
+				dns_db_detachnode(db, &nextnode);
+				result = dns_dbiterator_next(dbiter);
+				continue;
+			}
+			if (is_empty(db, ver, nextnode)) {
+				dns_db_detachnode(db, &nextnode);
+				result = dns_dbiterator_next(dbiter);
+				continue;
+			}
+			dns_db_detachnode(db, &nextnode);
+			break;
+		}
+		if (result == ISC_R_NOMORE) {
+			done = ISC_TRUE;
+			nextname = origin;
+		} else if (result != ISC_R_SUCCESS)
+			fatal("iterating through the database failed: %s",
+			      isc_result_totext(result));
+		result = verifynode(db, ver, origin, mctx, name, node,
+				    isdelegation, &keyset, act_algorithms,
+				    bad_algorithms, &nsecset, &nsec3paramset,
+				    nextname);
+		if (vresult == ISC_R_UNSET)
+			vresult = ISC_R_SUCCESS;
+		if (vresult == ISC_R_SUCCESS && result != ISC_R_SUCCESS)
+			vresult = result;
+		result = verifyemptynodes(db, ver, origin, mctx, name,
+					  nextname, &nsec3paramset);
+		if (vresult == ISC_R_SUCCESS && result != ISC_R_SUCCESS)
+			vresult = result;
+		dns_db_detachnode(db, &node);
+	}
+
+	dns_dbiterator_destroy(&dbiter);
+
+	result = dns_db_createiterator(db, DNS_DB_NSEC3ONLY, &dbiter);
+	check_result(result, "dns_db_createiterator()");
+
+	for (result = dns_dbiterator_first(dbiter);
+	     result == ISC_R_SUCCESS;
+	     result = dns_dbiterator_next(dbiter) ) {
+		result = dns_dbiterator_current(dbiter, &node, name);
+		check_dns_dbiterator_current(result);
+		result = verifynode(db, ver, origin, mctx, name, node,
+				    ISC_FALSE, &keyset, act_algorithms,
+				    bad_algorithms, NULL, NULL, NULL);
+		check_result(result, "verifynode");
+		record_found(db, ver, mctx, name, node, &nsec3paramset);
+		dns_db_detachnode(db, &node);
+	}
+	dns_dbiterator_destroy(&dbiter);
+
+	dns_rdataset_disassociate(&keyset);
+	if (dns_rdataset_isassociated(&nsecset))
+		dns_rdataset_disassociate(&nsecset);
+	if (dns_rdataset_isassociated(&nsec3paramset))
+		dns_rdataset_disassociate(&nsec3paramset);
+
+	result = verify_nsec3_chains(mctx);
+	if (vresult == ISC_R_UNSET)
+		vresult = ISC_R_SUCCESS;
+	if (result != ISC_R_SUCCESS && vresult == ISC_R_SUCCESS)
+		vresult = result;
+	isc_heap_destroy(&expected_chains);
+	isc_heap_destroy(&found_chains);
+
+	/*
+	 * If we made it this far, we have what we consider a properly signed
+	 * zone.  Set the good flag.
+	 */
+	for (i = 0; i < 256; i++) {
+		if (bad_algorithms[i] != 0) {
+			if (first)
+				fprintf(stderr, "The zone is not fully signed "
+					"for the following algorithms:");
+			dns_secalg_format(i, algbuf, sizeof(algbuf));
+			fprintf(stderr, " %s", algbuf);
+			first = ISC_FALSE;
+		}
+	}
+	if (!first) {
+		fprintf(stderr, ".\n");
+		fatal("DNSSEC completeness test failed.");
+	}
+
+	if (vresult != ISC_R_SUCCESS)
+		fatal("DNSSEC completeness test failed (%s).",
+		      dns_result_totext(vresult));
+
+	if (goodksk || ignore_kskflag) {
+		/*
+		 * Print the success summary.
+		 */
+		fprintf(stderr, "Zone fully signed:\n");
+		for (i = 0; i < 256; i++) {
+			if ((ksk_algorithms[i] != 0) ||
+			    (standby_ksk[i] != 0) ||
+			    (revoked_zsk[i] != 0) ||
+			    (zsk_algorithms[i] != 0) ||
+			    (standby_zsk[i] != 0) ||
+			    (revoked_zsk[i] != 0)) {
+				dns_secalg_format(i, algbuf, sizeof(algbuf));
+				fprintf(stderr, "Algorithm: %s: KSKs: "
+					"%u active, %u stand-by, %u revoked\n",
+					algbuf, ksk_algorithms[i],
+					standby_ksk[i], revoked_ksk[i]);
+				fprintf(stderr, "%*sZSKs: "
+					"%u active, %u %s, %u revoked\n",
+					(int) strlen(algbuf) + 13, "",
+					zsk_algorithms[i],
+					standby_zsk[i],
+					keyset_kskonly ? "present" : "stand-by",
+					revoked_zsk[i]);
+			}
+		}
+	}
+}
--- a/external/bsd/bind/dist/bin/dnssec/dnssectool.h	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssectool.h	Sat Dec 15 05:39:18 2012 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dnssectool.h,v 1.2.6.1 2012/06/05 21:15:17 bouyer Exp $	*/
+/*	$NetBSD: dnssectool.h,v 1.2.6.2 2012/12/15 05:39:24 riz Exp $	*/
 
 /*
- * Copyright (C) 2004, 2007-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007-2012  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -27,6 +27,11 @@
 #include <dns/rdatastruct.h>
 #include <dst/dst.h>
 
+#define check_dns_dbiterator_current(result) \
+	check_result((result == DNS_R_NEWORIGIN) ? ISC_R_SUCCESS : result, \
+		     "dns_dbiterator_current()")
+
+
 typedef void (fatalcallback_t)(void);
 
 ISC_PLATFORM_NORETURN_PRE void
@@ -83,4 +88,12 @@
 key_collision(dst_key_t *key, dns_name_t *name, const char *dir,
 	      isc_mem_t *mctx, isc_boolean_t *exact);
 
+isc_boolean_t
+is_delegation(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
+		      dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp);
+
+void
+verifyzone(dns_db_t *db, dns_dbversion_t *ver,
+		   dns_name_t *origin, isc_mem_t *mctx,
+		   isc_boolean_t ignore_kskflag, isc_boolean_t keyset_kskonly);
 #endif /* DNSSEC_DNSSECTOOL_H */
--- a/external/bsd/bind/dist/bin/named/Makefile.in	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/named/Makefile.in	Sat Dec 15 05:39:18 2012 +0000
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
--- a/external/bsd/bind/dist/bin/named/bindkeys.pl	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/named/bindkeys.pl	Sat Dec 15 05:39:18 2012 +0000
@@ -1,6 +1,6 @@
 #!/usr/bin/env perl
 #
-# Copyright (C) 2009-2011  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009-2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
--- a/external/bsd/bind/dist/bin/named/builtin.c	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/named/builtin.c	Sat Dec 15 05:39:18 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: builtin.c,v 1.3.4.1 2012/06/05 21:15:22 bouyer Exp $	*/
+/*	$NetBSD: builtin.c,v 1.3.4.2 2012/12/15 05:39:24 riz Exp $	*/
 
 /*
  * Copyright (C) 2004, 2005, 2007, 2009-2012  Internet Systems Consortium, Inc. ("ISC")
@@ -101,9 +101,9 @@
 dns64_rdata(unsigned char *v, size_t start, unsigned char *rdata) {
 	size_t i, j = 0;
 
-	for (i = 0; i < 4; i++) {
+	for (i = 0; i < 4U; i++) {
 		unsigned char c = v[start++];
-		if (start == 7)
+		if (start == 7U)
 			start++;
 		if (c > 99) {
 			rdata[j++] = 3;
@@ -166,7 +166,7 @@
 	i = (nlen % 4) == 2U ? 1 : 0;
 	j = nlen;
 	memset(v, 0, sizeof(v));
-	while (j != 0) {
+	while (j != 0U) {
 		INSIST((i/2) < sizeof(v));
 		if (ndata[0] != 1)
 			return (ISC_R_NOTFOUND);
--- a/external/bsd/bind/dist/bin/named/client.c	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/named/client.c	Sat Dec 15 05:39:18 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: client.c,v 1.4.4.1 2012/06/05 21:15:20 bouyer Exp $	*/
+/*	$NetBSD: client.c,v 1.4.4.2 2012/12/15 05:39:24 riz Exp $	*/
 
 /*
  * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
@@ -503,12 +503,14 @@
 		 * the dying client inbetween.
 		 */
 		client->state = NS_CLIENTSTATE_INACTIVE;
-		if (!ns_g_clienttest)
-			ISC_QUEUE_PUSH(manager->inactive, client, ilink);
 		INSIST(client->recursionquota == NULL);
 
 		if (client->state == client->newstate) {
 			client->newstate = NS_CLIENTSTATE_MAX;
+			if (!ns_g_clienttest && manager != NULL &&
+			    !manager->exiting)
+				ISC_QUEUE_PUSH(manager->inactive, client,
+					       ilink);
 			if (client->needshutdown)
 				isc_task_shutdown(client->task);
 			return (ISC_TRUE);
@@ -528,6 +530,7 @@
 		REQUIRE(client->state == NS_CLIENTSTATE_INACTIVE);
 
 		INSIST(client->recursionquota == NULL);
+		INSIST(!ISC_QLINK_LINKED(client, ilink));
 
 		ns_query_free(client);
 		isc_mem_put(client->mctx, client->recvbuf, RECV_BUFFER_SIZE);
@@ -636,6 +639,9 @@
 		client->shutdown_arg = NULL;
 	}
 
+	if (ISC_QLINK_LINKED(client, ilink))
+		ISC_QUEUE_UNLINK(client->manager->inactive, client, ilink);
+
 	client->newstate = NS_CLIENTSTATE_FREED;
 	client->needshutdown = ISC_FALSE;
 	(void)exit_check(client);
@@ -2122,6 +2128,8 @@
 #ifdef ALLOW_FILTER_AAAA_ON_V4
 	client->filter_aaaa = dns_v4_aaaa_ok;
 #endif
+	client->needshutdown = ns_g_clienttest;
+
 	ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL,
 		       NS_EVENT_CLIENTCONTROL, client_start, client, client,
 		       NULL, NULL);
@@ -2149,8 +2157,6 @@
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_query;
 
-	client->needshutdown = ns_g_clienttest;
-
 	CTRACE("create");
 
 	*clientp = client;
@@ -2516,9 +2522,10 @@
 
 void
 ns_clientmgr_destroy(ns_clientmgr_t **managerp) {
+	isc_result_t result;
 	ns_clientmgr_t *manager;
 	ns_client_t *client;
-	isc_boolean_t need_destroy = ISC_FALSE;
+	isc_boolean_t need_destroy = ISC_FALSE, unlock = ISC_FALSE;
 
 	REQUIRE(managerp != NULL);
 	manager = *managerp;
@@ -2526,11 +2533,16 @@
 
 	MTRACE("destroy");
 
-	LOCK(&manager->listlock);
-
-	LOCK(&manager->lock);
+	/*
+	 * Check for success because we may already be task-exclusive
+	 * at this point.  Only if we succeed at obtaining an exclusive
+	 * lock now will we need to relinquish it later.
+	 */
+	result = isc_task_beginexclusive(ns_g_server->task);
+	if (result == ISC_R_SUCCESS)
+		unlock = ISC_TRUE;
+
 	manager->exiting = ISC_TRUE;
-	UNLOCK(&manager->lock);
 
 	for (client = ISC_LIST_HEAD(manager->clients);
 	     client != NULL;
@@ -2540,7 +2552,8 @@
 	if (ISC_LIST_EMPTY(manager->clients))
 		need_destroy = ISC_TRUE;
 
-	UNLOCK(&manager->listlock);
+	if (unlock)
+		isc_task_endexclusive(ns_g_server->task);
 
 	if (need_destroy)
 		clientmgr_destroy(manager);
@@ -2557,6 +2570,9 @@
 	ns_client_t *client;
 	MTRACE("get client");
 
+	if (manager != NULL && manager->exiting)
+		return (ISC_R_SHUTTINGDOWN);
+
 	/*
 	 * Allocate a client.  First try to get a recycled one;
 	 * if that fails, make a new one.
--- a/external/bsd/bind/dist/bin/named/config.c	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/named/config.c	Sat Dec 15 05:39:18 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: config.c,v 1.4.4.1 2012/06/05 21:15:22 bouyer Exp $	*/
+/*	$NetBSD: config.c,v 1.4.4.2 2012/12/15 05:39:24 riz Exp $	*/
 
 /*
  * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
@@ -75,6 +75,7 @@
 	listen-on {any;};\n\
 	listen-on-v6 {none;};\n\
 	match-mapped-addresses no;\n\
+	max-rsa-exponent-size 0; /* no limit */\n\
 	memstatistics-file \"named.memstats\";\n\
 	multiple-cnames no;\n\
 #	named-xfer <obsolete>;\n\
@@ -91,7 +92,7 @@
 #endif
 "\
 	recursive-clients 1000;\n\
-	resolver-query-timeout 30;\n\
+	resolver-query-timeout 10;\n\
 	rrset-order { order random; };\n\
 	serial-queries 20;\n\
 	serial-query-rate 20;\n\
--- a/external/bsd/bind/dist/bin/named/controlconf.c	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/named/controlconf.c	Sat Dec 15 05:39:18 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: controlconf.c,v 1.3.4.1 2012/06/05 21:15:22 bouyer Exp $	*/
+/*	$NetBSD: controlconf.c,v 1.3.4.2 2012/12/15 05:39:25 riz Exp $	*/
 
 /*
  * Copyright (C) 2004-2008, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
@@ -375,9 +375,11 @@
 		if (result == ISC_R_SUCCESS)
 			break;
 		isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret));
+		if (result != ISCCC_R_BADAUTH) {
 		log_invalid(&conn->ccmsg, result);
 		goto cleanup;
 	}
+	}
 
 	if (key == NULL) {
 		log_invalid(&conn->ccmsg, ISCCC_R_BADAUTH);
--- a/external/bsd/bind/dist/bin/named/convertxsl.pl	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/named/convertxsl.pl	Sat Dec 15 05:39:18 2012 +0000
@@ -1,6 +1,6 @@
 #!/usr/bin/env perl
 #
-# Copyright (C) 2006-2008  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2006-2008, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
--- a/external/bsd/bind/dist/bin/named/query.c	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/named/query.c	Sat Dec 15 05:39:18 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: query.c,v 1.7.2.2 2012/10/09 23:58:09 riz Exp $	*/
+/*	$NetBSD: query.c,v 1.7.2.3 2012/12/15 05:39:25 riz Exp $	*/
 
 /*
  * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
@@ -27,6 +27,7 @@
 
 #include <isc/hex.h>
 #include <isc/mem.h>
+#include <isc/serial.h>
 #include <isc/stats.h>
 #include <isc/util.h>
 
@@ -2798,13 +2799,14 @@
  */
 static void
 mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name,
-	    isc_uint32_t ttl, dns_rdataset_t *rdataset,
+	    dns_rdata_rrsig_t *rrsig, dns_rdataset_t *rdataset,
 	    dns_rdataset_t *sigrdataset)
 {
 	isc_result_t result;
 	dns_dbnode_t *node = NULL;
 	dns_clientinfomethods_t cm;
 	dns_clientinfo_t ci;
+	isc_stdtime_t now;
 
 	rdataset->trust = dns_trust_secure;
 	sigrdataset->trust = dns_trust_secure;
@@ -2817,17 +2819,10 @@
 	result = dns_db_findnodeext(db, name, ISC_TRUE, &cm, &ci, &node);
 	if (result != ISC_R_SUCCESS)
 		return;
-	/*
-	 * Bound the validated ttls then minimise.
-	 */
-	if (sigrdataset->ttl > ttl)
-		sigrdataset->ttl = ttl;
-	if (rdataset->ttl > ttl)
-		rdataset->ttl = ttl;
-	if (rdataset->ttl > sigrdataset->ttl)
-		rdataset->ttl = sigrdataset->ttl;
-	else
-		sigrdataset->ttl = rdataset->ttl;
+
+	isc_stdtime_get(&now);
+	dns_rdataset_trimttl(rdataset, sigrdataset, rrsig, now,
+			     client->view->acceptexpired);
 
 	(void)dns_db_addrdataset(db, node, NULL, client->now, rdataset,
 				 0, NULL);
@@ -2900,7 +2895,7 @@
 
 static isc_boolean_t
 verify(dst_key_t *key, dns_name_t *name, dns_rdataset_t *rdataset,
-       dns_rdata_t *rdata, isc_mem_t *mctx, isc_boolean_t acceptexpired)
+       dns_rdata_t *rdata, ns_client_t *client)
 {
 	isc_result_t result;
 	dns_fixedname_t fixed;
@@ -2909,9 +2904,10 @@
 	dns_fixedname_init(&fixed);
 
 again:
-	result = dns_dnssec_verify2(name, rdataset, key, ignore, mctx,
+	result = dns_dnssec_verify3(name, rdataset, key, ignore,
+				    client->view->maxbits, client->mctx,
 				    rdata, NULL);
-	if (result == DNS_R_SIGEXPIRED && acceptexpired) {
+	if (result == DNS_R_SIGEXPIRED && client->view->acceptexpired) {
 		ignore = ISC_TRUE;
 		goto again;
 	}
@@ -2954,12 +2950,10 @@
 		do {
 			if (!get_key(client, db, &rrsig, &keyrdataset, &key))
 				break;
-			if (verify(key, name, rdataset, &rdata, client->mctx,
-				   client->view->acceptexpired)) {
+			if (verify(key, name, rdataset, &rdata, client)) {
 				dst_key_free(&key);
 				dns_rdataset_disassociate(&keyrdataset);
-				mark_secure(client, db, name,
-					    rrsig.originalttl,
+				mark_secure(client, db, name, &rrsig,
 					    rdataset, sigrdataset);
 				return (ISC_TRUE);
 			}
@@ -3847,6 +3841,13 @@
 		dns_rdataset_disassociate(*rdatasetp);
 }
 
+static void
+rpz_match_clear(dns_rpz_st_t *st)
+{
+	rpz_clean(&st->m.zone, &st->m.db, &st->m.node, &st->m.rdataset);
+	st->m.version = NULL;
+}
+
 static inline isc_result_t
 rpz_ready(ns_client_t *client, dns_zone_t **zonep, dns_db_t **dbp,
 	  dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp)
@@ -3866,10 +3867,9 @@
 rpz_st_clear(ns_client_t *client) {
 	dns_rpz_st_t *st = client->query.rpz_st;
 
-	rpz_clean(&st->m.zone, &st->m.db, &st->m.node, NULL);
-	st->m.version = NULL;
 	if (st->m.rdataset != NULL)
 		query_putrdataset(client, &st->m.rdataset);
+	rpz_match_clear(st);
 
 	rpz_clean(NULL, &st->r.db, NULL, NULL);
 	if (st->r.ns_rdataset != NULL)
@@ -4025,6 +4025,9 @@
 	for (rpz = ISC_LIST_HEAD(client->view->rpz_zones);
 	     rpz != NULL;
 	     rpz = ISC_LIST_NEXT(rpz, link)) {
+		if (!RECURSIONOK(client) && rpz->recursive_only)
+			continue;
+
 		/*
 		 * Do not check policy zones that cannot replace a policy
 		 * already known to match.
@@ -4053,9 +4056,8 @@
 		 * hit, if any.  Note the domain name and quality of the
 		 * best hit.
 		 */
-		(void)dns_db_rpz_findips(rpz, rpz_type, zone, db, version,
-					 rdataset, st,
-					 client->query.rpz_st->qname);
+		dns_db_rpz_findips(rpz, rpz_type, zone, db, version,
+				   rdataset, st, client->query.rpz_st->qname);
 		rpz_clean(&zone, &db, NULL, NULL);
 	}
 	return (ISC_R_SUCCESS);
@@ -4160,8 +4162,8 @@
  */
 static isc_result_t
 rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
-	 dns_name_t *sname, dns_rpz_type_t rpz_type, dns_zone_t **zonep,
-	 dns_db_t **dbp, dns_dbversion_t **versionp,
+	 dns_name_t *sname, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type,
+	 dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp,
 	 dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp,
 	 dns_rpz_policy_t *policyp)
 {
@@ -4251,7 +4253,7 @@
 		if ((*rdatasetp)->type != dns_rdatatype_cname) {
 			policy = DNS_RPZ_POLICY_RECORD;
 		} else {
-			policy = dns_rpz_decode_cname(*rdatasetp, sname);
+			policy = dns_rpz_decode_cname(rpz, *rdatasetp, sname);
 			if ((policy == DNS_RPZ_POLICY_RECORD ||
 			     policy == DNS_RPZ_POLICY_WILDCNAME) &&
 			    qtype != dns_rdatatype_cname &&
@@ -4322,6 +4324,9 @@
 	for (rpz = ISC_LIST_HEAD(client->view->rpz_zones);
 	     rpz != NULL;
 	     rpz = ISC_LIST_NEXT(rpz, link)) {
+		if (!RECURSIONOK(client) && rpz->recursive_only)
+			continue;
+
 		/*
 		 * Do not check policy zones that cannot replace a policy
 		 * already known to match.
@@ -4367,11 +4372,11 @@
 		}
 
 		/*
-		 * See if the policy record exists.
+		 * See if the policy record exists and get its policy.
 		 */
-		result = rpz_find(client, qtype, rpz_qname, qname, rpz_type,
-				  &zone, &db, &version, &node, rdatasetp,
-				  &policy);
+		result = rpz_find(client, qtype, rpz_qname, qname, rpz,
+				  rpz_type, &zone, &db, &version, &node,
+				  rdatasetp, &policy);
 		switch (result) {
 		case DNS_R_NXDOMAIN:
 		case DNS_R_EMPTYNAME:
@@ -4407,8 +4412,7 @@
 				continue;
 			}
 
-			rpz_clean(&st->m.zone, &st->m.db, &st->m.node,
-				  &st->m.rdataset);
+			rpz_match_clear(st);
 			st->m.rpz = rpz;
 			st->m.type = rpz_type;
 			st->m.prefix = 0;
@@ -4422,9 +4426,11 @@
 				trdataset = st->m.rdataset;
 				st->m.rdataset = *rdatasetp;
 				*rdatasetp = trdataset;
-				st->m.ttl = st->m.rdataset->ttl;
+				st->m.ttl = ISC_MIN(st->m.rdataset->ttl,
+						    rpz->max_policy_ttl);
 			} else {
-				st->m.ttl = DNS_RPZ_TTL_DEFAULT;
+				st->m.ttl = ISC_MIN(DNS_RPZ_TTL_DEFAULT,
+						    rpz->max_policy_ttl);
 			}
 			st->m.node = node;
 			node = NULL;
@@ -4704,10 +4710,11 @@
 	if (st->m.policy == DNS_RPZ_POLICY_MISS ||
 	    st->m.policy == DNS_RPZ_POLICY_PASSTHRU ||
 	    st->m.policy == DNS_RPZ_POLICY_ERROR) {
-		if (st->m.policy == DNS_RPZ_POLICY_PASSTHRU)
+		if (st->m.policy == DNS_RPZ_POLICY_PASSTHRU &&
+		    result != DNS_R_DELEGATION)
 			rpz_log_rewrite(client, "", st->m.policy, st->m.type,
 					st->qname);
-		rpz_clean(&st->m.zone, &st->m.db, &st->m.node, &st->m.rdataset);
+		rpz_match_clear(st);
 	}
 	if (st->m.policy == DNS_RPZ_POLICY_ERROR) {
 		st->m.type = DNS_RPZ_TYPE_BAD;
@@ -4721,6 +4728,64 @@
 }
 
 /*
+ * See if response policy zone rewriting is allowed a lack of interest
+ * by the client in DNSSEC or a lack of signatures.
+ */
+static isc_boolean_t
+rpz_ck_dnssec(ns_client_t *client, isc_result_t result,
+	      dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+	dns_fixedname_t fixed;
+	dns_name_t *found;
+	dns_rdataset_t trdataset;
+	dns_rdatatype_t type;
+
+	if (client->view->rpz_break_dnssec)
+		return (ISC_TRUE);
+	/*
+	 * sigrdataset == NULL if and only !WANTDNSSEC(client)
+	 */
+	if (sigrdataset == NULL)
+		return (ISC_TRUE);
+	if (dns_rdataset_isassociated(sigrdataset))
+		return (ISC_FALSE);
+
+	/*
+	 * We are happy to rewrite nothing.
+	 */
+	if (rdataset == NULL || !dns_rdataset_isassociated(rdataset))
+		return (ISC_TRUE);
+	/*
+	 * Do not rewrite if there is any sign of signatures.
+	 */
+	if (rdataset->type == dns_rdatatype_nsec ||
+	    rdataset->type == dns_rdatatype_nsec3 ||
+	    rdataset->type == dns_rdatatype_rrsig)
+		return (ISC_FALSE);
+
+	/*
+	 * Look for a signature in a negative cache rdataset.
+	 */
+	if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) == 0)
+		return (ISC_TRUE);
+	dns_fixedname_init(&fixed);
+	found = dns_fixedname_name(&fixed);
+	dns_rdataset_init(&trdataset);
+	for (result = dns_rdataset_first(rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset)) {
+		dns_ncache_current(rdataset, found, &trdataset);
+		type = trdataset.type;
+		dns_rdataset_disassociate(&trdataset);
+		if (type == dns_rdatatype_nsec ||
+		    type == dns_rdatatype_nsec3 ||
+		    type == dns_rdatatype_rrsig)
+			return (ISC_FALSE);
+	}
+	return (ISC_TRUE);
+}
+
+/*
  * Add a CNAME to the query response, including translating foo.evil.com and
  *	*.evil.com CNAME *.example.com
  * to
@@ -4764,7 +4829,8 @@
 	 * Turn off DNSSEC because the results of a
 	 * response policy zone cannot verify.
 	 */
-	client->attributes &= ~NS_CLIENTATTR_WANTDNSSEC;
+	client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
+				DNS_MESSAGEFLAG_AD);
 	return (ISC_R_SUCCESS);
 }
 
@@ -5178,10 +5244,12 @@
 	isc_result_t result;
 	isc_uint32_t ttl = ISC_UINT32_MAX;
 
+	dns_rdataset_init(&rdataset);
+
 	result = dns_db_getoriginnode(db, &node);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
-	dns_rdataset_init(&rdataset);
+
 	result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa,
 				     0, 0, &rdataset, NULL);
 	if (result != ISC_R_SUCCESS)
@@ -5683,9 +5751,9 @@
 	CTRACE("query_find: resume");
 
 	if (!ISC_LIST_EMPTY(client->view->rpz_zones) &&
-	    RECURSIONOK(client) && !RECURSING(client) &&
-	    (!WANTDNSSEC(client) || sigrdataset == NULL ||
-	     !dns_rdataset_isassociated(sigrdataset)) &&
+	    (RECURSIONOK(client) || !client->view->rpz_recursive_only) &&
+	    rpz_ck_dnssec(client, result, rdataset, sigrdataset) &&
+	    !RECURSING(client) &&
 	    (client->query.rpz_st == NULL ||
 	     (client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0) &&
 	    !dns_name_equal(client->query.qname, dns_rootname)) {
@@ -5759,10 +5827,22 @@
 				break;
 			case DNS_RPZ_POLICY_RECORD:
 				result = rpz_st->m.result;
-				if (type == dns_rdatatype_any &&
-				    result != DNS_R_CNAME &&
-				    dns_rdataset_isassociated(rdataset))
+				if (qtype == dns_rdatatype_any &&
+				    result != DNS_R_CNAME) {
+					/*
+					 * We will add all of the rdatasets of
+					 * the node by iterating, setting the
+					 * TTL then.
+					 */
+					if (dns_rdataset_isassociated(rdataset))
 					dns_rdataset_disassociate(rdataset);
+				} else {
+					/*
+					 * We will add this rdataset.
+					 */
+					rdataset->ttl = ISC_MIN(rdataset->ttl,
+							    rpz_st->m.ttl);
+				}
 				break;
 			case DNS_RPZ_POLICY_WILDCNAME:
 				result = dns_rdataset_first(rdataset);
@@ -5801,7 +5881,8 @@
 			 * Turn off DNSSEC because the results of a
 			 * response policy zone cannot verify.
 			 */
-			client->attributes &= ~NS_CLIENTATTR_WANTDNSSEC;
+			client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
+						DNS_MESSAGEFLAG_AD);
 			query_putrdataset(client, &sigrdataset);
 			is_zone = ISC_TRUE;
 			rpz_log_rewrite(client, "", rpz_st->m.policy,
@@ -6749,6 +6830,10 @@
 					noqname = rdataset;
 				else
 					noqname = NULL;
+				rpz_st = client->query.rpz_st;
+				if (rpz_st != NULL)
+					rdataset->ttl = ISC_MIN(rdataset->ttl,
+							    rpz_st->m.ttl);
 				query_addrrset(client,
 					       fname != NULL ? &fname : &tname,
 					       &rdataset, NULL,
@@ -7041,8 +7126,7 @@
 	 */
 	rpz_st = client->query.rpz_st;
 	if (rpz_st != NULL && (rpz_st->state & DNS_RPZ_RECURSING) == 0) {
-		rpz_clean(&rpz_st->m.zone, &rpz_st->m.db, &rpz_st->m.node,
-			  &rpz_st->m.rdataset);
+		rpz_match_clear(rpz_st);
 		rpz_st->state &= ~DNS_RPZ_DONE_QNAME;
 	}
 	if (rdataset != NULL)
--- a/external/bsd/bind/dist/bin/named/server.c	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/named/server.c	Sat Dec 15 05:39:18 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: server.c,v 1.10.4.1 2012/06/05 21:15:23 bouyer Exp $	*/
+/*	$NetBSD: server.c,v 1.10.4.2 2012/12/15 05:39:25 riz Exp $	*/
 
 /*
  * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
@@ -1442,15 +1442,14 @@
 }
 
 static isc_result_t
-configure_rpz(dns_view_t *view, const cfg_listelt_t *element) {
-	const cfg_obj_t *rpz_obj, *policy_obj;
+configure_rpz(dns_view_t *view, const cfg_listelt_t *element,
+	      isc_boolean_t recursive_only_def, dns_ttl_t ttl_def)
+{
+	const cfg_obj_t *rpz_obj, *policy_obj, *obj;
 	const char *str;
-	dns_fixedname_t fixed;
-	dns_name_t *origin;
 	dns_rpz_zone_t *old, *new;
 	dns_zone_t *zone = NULL;
 	isc_result_t result;
-	unsigned int l1, l2;
 
 	new = isc_mem_get(view->mctx, sizeof(*new));
 	if (new == NULL) {
@@ -1459,9 +1458,10 @@
 	}
 
 	memset(new, 0, sizeof(*new));
+	dns_name_init(&new->origin, NULL);
 	dns_name_init(&new->nsdname, NULL);
-	dns_name_init(&new->origin, NULL);
 	dns_name_init(&new->cname, NULL);
+	dns_name_init(&new->passthru, NULL);
 	ISC_LIST_INITANDAPPEND(view->rpz_zones, new, link);
 
 	rpz_obj = cfg_listelt_value(element);
@@ -1469,15 +1469,31 @@
 	if (cfg_obj_isvoid(policy_obj)) {
 		new->policy = DNS_RPZ_POLICY_GIVEN;
 	} else {
-		str = cfg_obj_asstring(policy_obj);
+		str = cfg_obj_asstring(cfg_tuple_get(policy_obj,
+						     "policy name"));
 		new->policy = dns_rpz_str2policy(str);
 		INSIST(new->policy != DNS_RPZ_POLICY_ERROR);
 	}
 
-	dns_fixedname_init(&fixed);
-	origin = dns_fixedname_name(&fixed);
-	str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "name"));
-	result = dns_name_fromstring(origin, str, DNS_NAME_DOWNCASE, NULL);
+	obj = cfg_tuple_get(rpz_obj, "recursive-only");
+	if (cfg_obj_isvoid(obj)) {
+		new->recursive_only = recursive_only_def;
+	} else {
+		new->recursive_only = cfg_obj_asboolean(obj);
+	}
+	if (!new->recursive_only)
+		view->rpz_recursive_only = ISC_FALSE;
+
+	obj = cfg_tuple_get(rpz_obj, "max-policy-ttl");
+	if (cfg_obj_isuint32(obj)) {
+		new->max_policy_ttl = cfg_obj_asuint32(obj);
+	} else {
+		new->max_policy_ttl = ttl_def;
+	}
+
+	str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "zone name"));
+	result = dns_name_fromstring(&new->origin, str, DNS_NAME_DOWNCASE,
+				     view->mctx);
 	if (result != ISC_R_SUCCESS) {
 		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
 			    "invalid zone '%s'", str);
@@ -1485,31 +1501,28 @@
 	}
 
 	result = dns_name_fromstring2(&new->nsdname, DNS_RPZ_NSDNAME_ZONE,
-				      origin, DNS_NAME_DOWNCASE, view->mctx);
+				      &new->origin, DNS_NAME_DOWNCASE,
+				      view->mctx);
 	if (result != ISC_R_SUCCESS) {
 		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
 			    "invalid zone '%s'", str);
 		goto cleanup;
 	}
 
-	/*
-	 * The origin is part of 'nsdname' so we don't need to keep it
-	 * seperately.
-	 */
-	l1 = dns_name_countlabels(&new->nsdname);
-	l2 = dns_name_countlabels(origin);
-	dns_name_getlabelsequence(&new->nsdname, l1 - l2, l2, &new->origin);
-
-	/*
-	 * Are we configured to with the reponse policy zone?
-	 */
+	result = dns_name_fromstring(&new->passthru, DNS_RPZ_PASSTHRU_ZONE,
+				     DNS_NAME_DOWNCASE, view->mctx);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+			    "invalid zone '%s'", str);
+		goto cleanup;
+	}
+
 	result = dns_view_findzone(view, &new->origin, &zone);
 	if (result != ISC_R_SUCCESS) {
 		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
 			    "unknown zone '%s'", str);
 		goto cleanup;
 	}
-
 	if (dns_zone_gettype(zone) != dns_zone_master &&
 	    dns_zone_gettype(zone) != dns_zone_slave) {
 		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
@@ -1533,8 +1546,9 @@
 	}
 
 	if (new->policy == DNS_RPZ_POLICY_CNAME) {
-		str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "cname"));
-		result = dns_name_fromstring(&new->cname, str, 0, view->mctx);
+		str = cfg_obj_asstring(cfg_tuple_get(policy_obj, "cname"));
+		result = dns_name_fromstring(&new->cname, str,
+					     DNS_NAME_DOWNCASE, view->mctx);
 		if (result != ISC_R_SUCCESS) {
 			cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
 				    "invalid cname '%s'", str);
@@ -1597,6 +1611,7 @@
 	const char *cachename = NULL;
 	dns_order_t *order = NULL;
 	isc_uint32_t udpsize;
+	isc_uint32_t maxbits;
 	unsigned int resopts = 0;
 	dns_zone_t *zone = NULL;
 	isc_uint32_t max_clients_per_query;
@@ -2224,6 +2239,19 @@
 	view->maxudp = udpsize;
 
 	/*
+	 * Set the maximum rsa exponent bits.
+	 */
+	obj = NULL;
+	result = ns_config_get(maps, "max-rsa-exponent-size", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	maxbits = cfg_obj_asuint32(obj);
+	if (maxbits != 0 && maxbits < 35)
+		maxbits = 35;
+	if (maxbits > 4096)
+		maxbits = 4096;
+	view->maxbits = maxbits;
+
+	/*
 	 * Set supported DNSSEC algorithms.
 	 */
 	dns_resolver_reset_algorithms(view->resolver);
@@ -2860,19 +2888,39 @@
 	 * Make the list of response policy zone names for views that
 	 * are used for real lookups and so care about hints.
 	 */
-	zonelist = NULL;
-	if (view->rdclass == dns_rdataclass_in && need_hints) {
 		obj = NULL;
-		result = ns_config_get(maps, "response-policy", &obj);
-		if (result == ISC_R_SUCCESS)
-			cfg_map_get(obj, "zone", &zonelist);
-	}
-
-	if (zonelist != NULL) {
-		for (element = cfg_list_first(zonelist);
+	if (view->rdclass == dns_rdataclass_in && need_hints &&
+	    ns_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) {
+		const cfg_obj_t *recursive_only_obj;
+		const cfg_obj_t *break_dnssec_obj, *ttl_obj;
+		isc_boolean_t recursive_only_def;
+		dns_ttl_t ttl_def;
+
+		recursive_only_obj = cfg_tuple_get(obj, "recursive-only");
+		if (!cfg_obj_isvoid(recursive_only_obj) &&
+		    !cfg_obj_asboolean(recursive_only_obj))
+			recursive_only_def = ISC_FALSE;
+		else
+			recursive_only_def = ISC_TRUE;
+
+		break_dnssec_obj = cfg_tuple_get(obj, "break-dnssec");
+		if (!cfg_obj_isvoid(break_dnssec_obj) &&
+		    cfg_obj_asboolean(break_dnssec_obj))
+			view->rpz_break_dnssec = ISC_TRUE;
+		else
+			view->rpz_break_dnssec = ISC_FALSE;
+
+		ttl_obj = cfg_tuple_get(obj, "max-policy-ttl");
+		if (cfg_obj_isuint32(ttl_obj))
+			ttl_def = cfg_obj_asuint32(ttl_obj);
+		else
+			ttl_def = DNS_RPZ_MAX_TTL_DEFAULT;
+
+		for (element = cfg_list_first(cfg_tuple_get(obj, "zone list"));
 		     element != NULL;
 		     element = cfg_list_next(element)) {
-			result = configure_rpz(view, element);
+			result = configure_rpz(view, element,
+					       recursive_only_def, ttl_def);
 			if (result != ISC_R_SUCCESS)
 				goto cleanup;
 			dns_rpz_set_need(ISC_TRUE);
@@ -5540,11 +5588,13 @@
 
 	/*
 	 * Setup the server task, which is responsible for coordinating
-	 * startup and shutdown of the server.
+	 * startup and shutdown of the server, as well as all exclusive
+	 * tasks.
 	 */
 	CHECKFATAL(isc_task_create(ns_g_taskmgr, 0, &server->task),
 		   "creating server task");
 	isc_task_setname(server->task, "server", server);
+	isc_taskmgr_setexcltask(ns_g_taskmgr, server->task);
 	CHECKFATAL(isc_task_onshutdown(server->task, shutdown_server, server),
 		   "isc_task_onshutdown");
 	CHECKFATAL(isc_app_onrun(ns_g_mctx, server->task, run_server, server),
@@ -7945,7 +7995,6 @@
 		memcpy(keystr, ptr, sizeof(keystr));
 	} else if(strcasecmp(ptr, "-nsec3param") == 0) {
 		const char *hashstr, *flagstr, *iterstr;
-		isc_buffer_t buf;
 		char nbuf[512];
 
 		chain = ISC_TRUE;
@@ -7973,10 +8022,14 @@
 			ptr = next_token(&args, " \t");
 			if (ptr == NULL)
 				return (ISC_R_UNEXPECTEDEND);
+			if (strcmp(ptr, "-") != 0) {
+				isc_buffer_t buf;
+
 			isc_buffer_init(&buf, salt, sizeof(salt));
 			CHECK(isc_hex_decodestring(ptr, &buf));
 			saltlen = isc_buffer_usedlength(&buf);
 		}
+		}
 	} else
 		CHECK(DNS_R_SYNTAX);
 
--- a/external/bsd/bind/dist/bin/named/statschannel.c	Thu Dec 13 23:51:40 2012 +0000
+++ b/external/bsd/bind/dist/bin/named/statschannel.c	Sat Dec 15 05:39:18 2012 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: statschannel.c,v 1.3.4.1 2012/06/05 21:15:22 bouyer Exp $	*/
+/*	$NetBSD: statschannel.c,v 1.3.4.2 2012/12/15 05:39:25 riz Exp $	*/
 
 /*
- * Copyright (C) 2008-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2008-2012  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -87,16 +87,19 @@
 static const char *resstats_desc[dns_resstatscounter_max];
 static const char *zonestats_desc[dns_zonestatscounter_max];
 static const char *sockstats_desc[isc_sockstatscounter_max];
+static const char *dnssecstats_desc[dns_dnssecstats_max];
 #ifdef HAVE_LIBXML2
 static const char *nsstats_xmldesc[dns_nsstatscounter_max];