merge conflicts trunk
authorchristos <christos@NetBSD.org>
Thu, 17 Dec 2015 04:00:21 +0000
branchtrunk
changeset 239574 6e64a2a7e7ed
parent 239573 7f9c861f7e0d
child 239575 193678d09217
merge conflicts
external/bsd/bind/bind2netbsd
external/bsd/bind/dist/CHANGES
external/bsd/bind/dist/README
external/bsd/bind/dist/bin/check/check-tool.c
external/bsd/bind/dist/bin/check/named-checkconf.c
external/bsd/bind/dist/bin/check/named-checkzone.c
external/bsd/bind/dist/bin/confgen/keygen.c
external/bsd/bind/dist/bin/confgen/util.c
external/bsd/bind/dist/bin/dig/dig.1
external/bsd/bind/dist/bin/dig/dig.c
external/bsd/bind/dist/bin/dig/dighost.c
external/bsd/bind/dist/bin/dig/include/dig/dig.h
external/bsd/bind/dist/bin/dig/nslookup.c
external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.8
external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.c
external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c
external/bsd/bind/dist/bin/dnssec/dnssec-revoke.c
external/bsd/bind/dist/bin/dnssec/dnssec-settime.c
external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c
external/bsd/bind/dist/bin/named/client.c
external/bsd/bind/dist/bin/named/config.c
external/bsd/bind/dist/bin/named/control.c
external/bsd/bind/dist/bin/named/include/named/lwdclient.h
external/bsd/bind/dist/bin/named/include/named/main.h
external/bsd/bind/dist/bin/named/include/named/server.h
external/bsd/bind/dist/bin/named/interfacemgr.c
external/bsd/bind/dist/bin/named/logconf.c
external/bsd/bind/dist/bin/named/lwdclient.c
external/bsd/bind/dist/bin/named/lwresd.c
external/bsd/bind/dist/bin/named/main.c
external/bsd/bind/dist/bin/named/named.8
external/bsd/bind/dist/bin/named/query.c
external/bsd/bind/dist/bin/named/server.c
external/bsd/bind/dist/bin/named/statschannel.c
external/bsd/bind/dist/bin/named/update.c
external/bsd/bind/dist/bin/named/win32/ntservice.c
external/bsd/bind/dist/bin/named/win32/os.c
external/bsd/bind/dist/bin/named/xfrout.c
external/bsd/bind/dist/bin/nsupdate/nsupdate.1
external/bsd/bind/dist/bin/nsupdate/nsupdate.c
external/bsd/bind/dist/bin/pkcs11/openssl-0.9.8zc-patch
external/bsd/bind/dist/bin/pkcs11/openssl-1.0.0o-patch
external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1j-patch
external/bsd/bind/dist/bin/pkcs11/pkcs11-destroy.c
external/bsd/bind/dist/bin/pkcs11/pkcs11-keygen.c
external/bsd/bind/dist/bin/pkcs11/pkcs11-list.c
external/bsd/bind/dist/bin/rndc/rndc.8
external/bsd/bind/dist/bin/rndc/rndc.c
external/bsd/bind/dist/bin/rndc/util.c
external/bsd/bind/dist/bin/tests/adb_test.c
external/bsd/bind/dist/bin/tests/backtrace_test.c
external/bsd/bind/dist/bin/tests/byaddr_test.c
external/bsd/bind/dist/bin/tests/byname_test.c
external/bsd/bind/dist/bin/tests/cfg_test.c
external/bsd/bind/dist/bin/tests/compress_test.c
external/bsd/bind/dist/bin/tests/db/t_db.c
external/bsd/bind/dist/bin/tests/db_test.c
external/bsd/bind/dist/bin/tests/dst/dst_test.c
external/bsd/bind/dist/bin/tests/entropy2_test.c
external/bsd/bind/dist/bin/tests/entropy_test.c
external/bsd/bind/dist/bin/tests/fsaccess_test.c
external/bsd/bind/dist/bin/tests/gxba_test.c
external/bsd/bind/dist/bin/tests/gxbn_test.c
external/bsd/bind/dist/bin/tests/hash_test.c
external/bsd/bind/dist/bin/tests/inter_test.c
external/bsd/bind/dist/bin/tests/keyboard_test.c
external/bsd/bind/dist/bin/tests/lex_test.c
external/bsd/bind/dist/bin/tests/lfsr_test.c
external/bsd/bind/dist/bin/tests/log_test.c
external/bsd/bind/dist/bin/tests/lwres_test.c
external/bsd/bind/dist/bin/tests/lwresconf_test.c
external/bsd/bind/dist/bin/tests/makejournal.c
external/bsd/bind/dist/bin/tests/master_test.c
external/bsd/bind/dist/bin/tests/name_test.c
external/bsd/bind/dist/bin/tests/names/t_names.c
external/bsd/bind/dist/bin/tests/net/driver.c
external/bsd/bind/dist/bin/tests/net/netaddr_multicast.c
external/bsd/bind/dist/bin/tests/printmsg.c
external/bsd/bind/dist/bin/tests/printmsg.h
external/bsd/bind/dist/bin/tests/ratelimiter_test.c
external/bsd/bind/dist/bin/tests/rbt/t_rbt.c
external/bsd/bind/dist/bin/tests/rbt_test.c
external/bsd/bind/dist/bin/tests/rdata_test.c
external/bsd/bind/dist/bin/tests/serial_test.c
external/bsd/bind/dist/bin/tests/sig0_test.c
external/bsd/bind/dist/bin/tests/sock_test.c
external/bsd/bind/dist/bin/tests/sym_test.c
external/bsd/bind/dist/bin/tests/system/dlzexternal/driver.c
external/bsd/bind/dist/bin/tests/system/lwresd/lwtest.c
external/bsd/bind/dist/bin/tests/system/rsabigexponent/bigkey.c
external/bsd/bind/dist/bin/tests/system/tkey/keycreate.c
external/bsd/bind/dist/bin/tests/system/tkey/keydelete.c
external/bsd/bind/dist/bin/tests/task_test.c
external/bsd/bind/dist/bin/tests/tasks/t_tasks.c
external/bsd/bind/dist/bin/tests/timer_test.c
external/bsd/bind/dist/bin/tests/wire_test.c
external/bsd/bind/dist/bin/tests/zone_test.c
external/bsd/bind/dist/bin/tools/arpaname.c
external/bsd/bind/dist/bin/tools/isc-hmac-fixup.c
external/bsd/bind/dist/bin/tools/named-journalprint.c
external/bsd/bind/dist/config.h.in
external/bsd/bind/dist/configure
external/bsd/bind/dist/configure.in
external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html
external/bsd/bind/dist/doc/arm/Bv9ARM.html
external/bsd/bind/dist/doc/arm/Bv9ARM.pdf
external/bsd/bind/dist/doc/arm/man.arpaname.html
external/bsd/bind/dist/doc/arm/man.ddns-confgen.html
external/bsd/bind/dist/doc/arm/man.delv.html
external/bsd/bind/dist/doc/arm/man.dig.html
external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html
external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html
external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html
external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html
external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html
external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html
external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html
external/bsd/bind/dist/doc/arm/man.dnssec-settime.html
external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html
external/bsd/bind/dist/doc/arm/man.dnssec-verify.html
external/bsd/bind/dist/doc/arm/man.genrandom.html
external/bsd/bind/dist/doc/arm/man.host.html
external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html
external/bsd/bind/dist/doc/arm/man.named-checkconf.html
external/bsd/bind/dist/doc/arm/man.named-checkzone.html
external/bsd/bind/dist/doc/arm/man.named-journalprint.html
external/bsd/bind/dist/doc/arm/man.named-rrchecker.html
external/bsd/bind/dist/doc/arm/man.named.html
external/bsd/bind/dist/doc/arm/man.nsec3hash.html
external/bsd/bind/dist/doc/arm/man.nsupdate.html
external/bsd/bind/dist/doc/arm/man.rndc-confgen.html
external/bsd/bind/dist/doc/arm/man.rndc.conf.html
external/bsd/bind/dist/doc/arm/man.rndc.html
external/bsd/bind/dist/lib/bind9/check.c
external/bsd/bind/dist/lib/dns/adb.c
external/bsd/bind/dist/lib/dns/api
external/bsd/bind/dist/lib/dns/cache.c
external/bsd/bind/dist/lib/dns/callbacks.c
external/bsd/bind/dist/lib/dns/client.c
external/bsd/bind/dist/lib/dns/diff.c
external/bsd/bind/dist/lib/dns/dispatch.c
external/bsd/bind/dist/lib/dns/dlz.c
external/bsd/bind/dist/lib/dns/dnssec.c
external/bsd/bind/dist/lib/dns/dst_api.c
external/bsd/bind/dist/lib/dns/dst_openssl.h
external/bsd/bind/dist/lib/dns/dst_parse.c
external/bsd/bind/dist/lib/dns/gssapi_link.c
external/bsd/bind/dist/lib/dns/gssapictx.c
external/bsd/bind/dist/lib/dns/hmac_link.c
external/bsd/bind/dist/lib/dns/include/dns/adb.h
external/bsd/bind/dist/lib/dns/include/dns/log.h
external/bsd/bind/dist/lib/dns/include/dns/message.h
external/bsd/bind/dist/lib/dns/include/dns/name.h
external/bsd/bind/dist/lib/dns/include/dns/resolver.h
external/bsd/bind/dist/lib/dns/include/dns/result.h
external/bsd/bind/dist/lib/dns/include/dns/rrl.h
external/bsd/bind/dist/lib/dns/include/dns/stats.h
external/bsd/bind/dist/lib/dns/include/dns/types.h
external/bsd/bind/dist/lib/dns/include/dns/zone.h
external/bsd/bind/dist/lib/dns/include/dst/dst.h
external/bsd/bind/dist/lib/dns/journal.c
external/bsd/bind/dist/lib/dns/keytable.c
external/bsd/bind/dist/lib/dns/log.c
external/bsd/bind/dist/lib/dns/master.c
external/bsd/bind/dist/lib/dns/message.c
external/bsd/bind/dist/lib/dns/name.c
external/bsd/bind/dist/lib/dns/ncache.c
external/bsd/bind/dist/lib/dns/nsec.c
external/bsd/bind/dist/lib/dns/nsec3.c
external/bsd/bind/dist/lib/dns/openssl_link.c
external/bsd/bind/dist/lib/dns/openssldh_link.c
external/bsd/bind/dist/lib/dns/openssldsa_link.c
external/bsd/bind/dist/lib/dns/opensslecdsa_link.c
external/bsd/bind/dist/lib/dns/opensslgost_link.c
external/bsd/bind/dist/lib/dns/opensslrsa_link.c
external/bsd/bind/dist/lib/dns/order.c
external/bsd/bind/dist/lib/dns/private.c
external/bsd/bind/dist/lib/dns/rbt.c
external/bsd/bind/dist/lib/dns/rbtdb.c
external/bsd/bind/dist/lib/dns/rcode.c
external/bsd/bind/dist/lib/dns/rdata.c
external/bsd/bind/dist/lib/dns/rdata/any_255/tsig_250.c
external/bsd/bind/dist/lib/dns/rdata/ch_3/a_1.c
external/bsd/bind/dist/lib/dns/rdata/generic/afsdb_18.c
external/bsd/bind/dist/lib/dns/rdata/generic/cert_37.c
external/bsd/bind/dist/lib/dns/rdata/generic/cname_5.c
external/bsd/bind/dist/lib/dns/rdata/generic/dlv_32769.c
external/bsd/bind/dist/lib/dns/rdata/generic/dname_39.c
external/bsd/bind/dist/lib/dns/rdata/generic/dnskey_48.c
external/bsd/bind/dist/lib/dns/rdata/generic/ds_43.c
external/bsd/bind/dist/lib/dns/rdata/generic/gpos_27.c
external/bsd/bind/dist/lib/dns/rdata/generic/hinfo_13.c
external/bsd/bind/dist/lib/dns/rdata/generic/hip_55.c
external/bsd/bind/dist/lib/dns/rdata/generic/ipseckey_45.c
external/bsd/bind/dist/lib/dns/rdata/generic/isdn_20.c
external/bsd/bind/dist/lib/dns/rdata/generic/key_25.c
external/bsd/bind/dist/lib/dns/rdata/generic/keydata_65533.c
external/bsd/bind/dist/lib/dns/rdata/generic/loc_29.c
external/bsd/bind/dist/lib/dns/rdata/generic/mb_7.c
external/bsd/bind/dist/lib/dns/rdata/generic/md_3.c
external/bsd/bind/dist/lib/dns/rdata/generic/mf_4.c
external/bsd/bind/dist/lib/dns/rdata/generic/mg_8.c
external/bsd/bind/dist/lib/dns/rdata/generic/minfo_14.c
external/bsd/bind/dist/lib/dns/rdata/generic/mr_9.c
external/bsd/bind/dist/lib/dns/rdata/generic/mx_15.c
external/bsd/bind/dist/lib/dns/rdata/generic/ns_2.c
external/bsd/bind/dist/lib/dns/rdata/generic/nsec3_50.c
external/bsd/bind/dist/lib/dns/rdata/generic/nsec3param_51.c
external/bsd/bind/dist/lib/dns/rdata/generic/nsec_47.c
external/bsd/bind/dist/lib/dns/rdata/generic/null_10.c
external/bsd/bind/dist/lib/dns/rdata/generic/nxt_30.c
external/bsd/bind/dist/lib/dns/rdata/generic/opt_41.c
external/bsd/bind/dist/lib/dns/rdata/generic/proforma.c
external/bsd/bind/dist/lib/dns/rdata/generic/ptr_12.c
external/bsd/bind/dist/lib/dns/rdata/generic/rp_17.c
external/bsd/bind/dist/lib/dns/rdata/generic/rrsig_46.c
external/bsd/bind/dist/lib/dns/rdata/generic/rt_21.c
external/bsd/bind/dist/lib/dns/rdata/generic/sig_24.c
external/bsd/bind/dist/lib/dns/rdata/generic/soa_6.c
external/bsd/bind/dist/lib/dns/rdata/generic/spf_99.c
external/bsd/bind/dist/lib/dns/rdata/generic/sshfp_44.c
external/bsd/bind/dist/lib/dns/rdata/generic/tkey_249.c
external/bsd/bind/dist/lib/dns/rdata/generic/txt_16.c
external/bsd/bind/dist/lib/dns/rdata/generic/unspec_103.c
external/bsd/bind/dist/lib/dns/rdata/generic/x25_19.c
external/bsd/bind/dist/lib/dns/rdata/hs_4/a_1.c
external/bsd/bind/dist/lib/dns/rdata/in_1/a6_38.c
external/bsd/bind/dist/lib/dns/rdata/in_1/a_1.c
external/bsd/bind/dist/lib/dns/rdata/in_1/aaaa_28.c
external/bsd/bind/dist/lib/dns/rdata/in_1/apl_42.c
external/bsd/bind/dist/lib/dns/rdata/in_1/dhcid_49.c
external/bsd/bind/dist/lib/dns/rdata/in_1/kx_36.c
external/bsd/bind/dist/lib/dns/rdata/in_1/nsap-ptr_23.c
external/bsd/bind/dist/lib/dns/rdata/in_1/nsap_22.c
external/bsd/bind/dist/lib/dns/rdata/in_1/px_26.c
external/bsd/bind/dist/lib/dns/rdata/in_1/srv_33.c
external/bsd/bind/dist/lib/dns/rdata/in_1/wks_11.c
external/bsd/bind/dist/lib/dns/request.c
external/bsd/bind/dist/lib/dns/resolver.c
external/bsd/bind/dist/lib/dns/result.c
external/bsd/bind/dist/lib/dns/rootns.c
external/bsd/bind/dist/lib/dns/rpz.c
external/bsd/bind/dist/lib/dns/rrl.c
external/bsd/bind/dist/lib/dns/sdb.c
external/bsd/bind/dist/lib/dns/sdlz.c
external/bsd/bind/dist/lib/dns/spnego.c
external/bsd/bind/dist/lib/dns/tcpmsg.c
external/bsd/bind/dist/lib/dns/tests/geoip_test.c
external/bsd/bind/dist/lib/dns/tests/master_test.c
external/bsd/bind/dist/lib/dns/tkey.c
external/bsd/bind/dist/lib/dns/tsig.c
external/bsd/bind/dist/lib/dns/update.c
external/bsd/bind/dist/lib/dns/view.c
external/bsd/bind/dist/lib/dns/xfrin.c
external/bsd/bind/dist/lib/dns/zone.c
external/bsd/bind/dist/lib/irs/getaddrinfo.c
external/bsd/bind/dist/lib/isc/app_api.c
external/bsd/bind/dist/lib/isc/assertions.c
external/bsd/bind/dist/lib/isc/backtrace.c
external/bsd/bind/dist/lib/isc/commandline.c
external/bsd/bind/dist/lib/isc/entropy.c
external/bsd/bind/dist/lib/isc/error.c
external/bsd/bind/dist/lib/isc/heap.c
external/bsd/bind/dist/lib/isc/hmacmd5.c
external/bsd/bind/dist/lib/isc/hmacsha.c
external/bsd/bind/dist/lib/isc/httpd.c
external/bsd/bind/dist/lib/isc/include/isc/app.h
external/bsd/bind/dist/lib/isc/include/isc/mem.h
external/bsd/bind/dist/lib/isc/include/isc/print.h
external/bsd/bind/dist/lib/isc/include/isc/safe.h
external/bsd/bind/dist/lib/isc/include/isc/util.h
external/bsd/bind/dist/lib/isc/lex.c
external/bsd/bind/dist/lib/isc/lib.c
external/bsd/bind/dist/lib/isc/mem.c
external/bsd/bind/dist/lib/isc/nothreads/include/isc/mutex.h
external/bsd/bind/dist/lib/isc/print.c
external/bsd/bind/dist/lib/isc/pthreads/mutex.c
external/bsd/bind/dist/lib/isc/regex.c
external/bsd/bind/dist/lib/isc/rwlock.c
external/bsd/bind/dist/lib/isc/safe.c
external/bsd/bind/dist/lib/isc/socket_api.c
external/bsd/bind/dist/lib/isc/stats.c
external/bsd/bind/dist/lib/isc/task.c
external/bsd/bind/dist/lib/isc/tests/safe_test.c
external/bsd/bind/dist/lib/isc/timer.c
external/bsd/bind/dist/lib/isc/unix/app.c
external/bsd/bind/dist/lib/isc/unix/file.c
external/bsd/bind/dist/lib/isc/unix/ifiter_ioctl.c
external/bsd/bind/dist/lib/isc/unix/ifiter_sysctl.c
external/bsd/bind/dist/lib/isc/unix/net.c
external/bsd/bind/dist/lib/isc/unix/socket.c
external/bsd/bind/dist/lib/isc/win32/interfaceiter.c
external/bsd/bind/dist/lib/isc/win32/net.c
external/bsd/bind/dist/lib/isc/win32/win32os.c
external/bsd/bind/dist/lib/isccc/alist.c
external/bsd/bind/dist/lib/isccc/cc.c
external/bsd/bind/dist/lib/isccc/sexpr.c
external/bsd/bind/dist/lib/isccfg/include/isccfg/cfg.h
external/bsd/bind/dist/lib/isccfg/include/isccfg/grammar.h
external/bsd/bind/dist/lib/isccfg/namedconf.c
external/bsd/bind/dist/lib/isccfg/parser.c
external/bsd/bind/dist/lib/lwres/herror.c
external/bsd/bind/dist/lib/lwres/print.c
external/bsd/bind/dist/lib/lwres/win32/socket.c
external/bsd/bind/dist/srcid
external/bsd/bind/dist/version
external/bsd/bind/include/config.h
external/bsd/bind/include/isc/platform.h
external/bsd/bind/include/lwres/platform.h
external/bsd/bind/lib/libbind9/shlib_version
external/bsd/bind/lib/libdns/shlib_version
external/bsd/bind/lib/libirs/shlib_version
external/bsd/bind/lib/libisc/shlib_version
external/bsd/bind/lib/libisccc/shlib_version
external/bsd/bind/lib/libisccfg/shlib_version
external/bsd/bind/lib/liblwres/shlib_version
--- a/external/bsd/bind/bind2netbsd	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/bind2netbsd	Thu Dec 17 04:00:21 2015 +0000
@@ -1,6 +1,6 @@
 #! /bin/sh
 #
-#	$NetBSD: bind2netbsd,v 1.2 2014/03/06 02:12:56 christos Exp $
+#	$NetBSD: bind2netbsd,v 1.3 2015/12/17 04:00:21 christos Exp $
 #
 # Copyright (c) 2000 The NetBSD Foundation, Inc.
 # All rights reserved.
@@ -34,7 +34,7 @@
 #
 #	$ cd /some/where/temporary
 #	$ tar xpfz /new/bind/release/tar/file
-#	$ sh /usr/src/external/bsd/bind/dist/bind2netbsd bind-9.x.y `pwd`
+#	$ sh /usr/src/external/bsd/bind/bind2netbsd bind-9.x.y `pwd`
 #	$ cd src/external/bsd/bind/dist
 #	$ cvs -d cvs.netbsd.org:/cvsroot import -m "Import bind 9.x.y" src/external/bsd/bind/dist ISC bind-9-x-y
 #	$ cd ../../../../../bind-9.x.y
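Review bot: The import procedure in this usage comment goes straight from the release tarball to `tar xpfz` and then `cvs ... import`, with no step that checks the tarball's authenticity. Unless an earlier line outside this hunk already covers it, the comment should tell the importer to verify the release signature before unpacking, for example `#	$ gpg --verify /new/bind/release/tar/file.asc /new/bind/release/tar/file` placed ahead of the `tar` line (the paths are placeholders in the same style as the existing comment). Everything unpacked here is committed under the `ISC` vendor tag and becomes the in-tree source for named and the resolver libraries, so documenting the check in the script keeps it part of the routine. The comment block starts and ends outside the hunk, so the full procedure is not visible here.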
--- a/external/bsd/bind/dist/CHANGES	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/CHANGES	Thu Dec 17 04:00:21 2015 +0000
@@ -1,35 +1,223 @@
-	--- 9.10.2-P4 released ---
+	--- 9.10.3-P2 released ---
+
+4270.	[security]	Update allowed OpenSSL versions as named is
+			potentially vulnerable to CVE-2015-3193.
+
+4261.	[maint]		H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53.
+			[RT #40556]
+
+4260.	[security]	Insufficient testing when parsing a message allowed
+			records with an incorrect class to be be accepted,
+			triggering a REQUIRE failure when those records
+			were subsequently cached. (CVE-2015-8000) [RT #40987]
+
+4253.	[security]	Address fetch context reference count handling error
+			on socket error. (CVE-2015-8461) [RT#40945]
+
+	--- 9.10.3-P1 (withdrawn) ---
+
+	--- 9.10.3 released ---
+
+	--- 9.10.3rc1 released ---
+
+4193.	[bug]		Handle broken servers that return BADVERS incorrectly.
+			[RT #40427]
+
+4192.	[bug]		The default rrset-order of random was not always being
+			applied. [RT #40456]
+
+4191.	[protocol]	Accept DNS-SD non LDH PTR records in reverse zones
+			as per RFC 6763. [RT #37889]
+
+4190.	[protocol]	Accept Active Diretory gc._msdcs.<forest> name as
+			valid with check-names.  <forest> still needs to be
+			LDH. [RT #40399]
+
+4189.	[cleanup]	Don't exit on overly long tokens in named.conf.
+			[RT #40418]
+
+4188.	[bug]		Support HTTP/1.0 client properly on the statistics
+			channel. [RT #40261]
+
+4187.	[func]		When any RR type implementation doesn't
+			implement totext() for the RDATA's wire
+			representation and returns ISC_R_NOTIMPLEMENTED,
+			such RDATA is now printed in unknown
+			presentation format (RFC 3597). RR types affected
+			include LOC(29) and APL(42). [RT #40317].
+
+4186.	[bug]		Fixed an RPZ bug where a QNAME would be matched
+			against a policy RR with wildcard owner name
+			(trigger) where the QNAME was the wildcard owner
+			name's parent. For example, the bug caused a query
+			with QNAME "example.com" to match a policy RR with
+			"*.example.com" as trigger. [RT #40357]
+
+4185.	[bug]		Fixed an RPZ bug where a policy RR with wildcard
+			owner name (trigger) would prevent another policy RR
+			with its parent owner name from being
+			loaded. For example, the bug caused a policy RR
+			with trigger "example.com" to not have any
+			effect when a previous policy RR with trigger
+			"*.example.com" existed in that RPZ zone.
+			[RT #40357]
+
+4183.	[cleanup]	Use timing-safe memory comparisons in cryptographic
+			code. Also, the timing-safe comparison functions have
+			been renamed to avoid possible confusion with
+			memcmp(). Thanks to Loganaden Velvindron of
+			AFRINIC. [RT #40148]
+
+4182.	[cleanup]	Use mnemonics for RR class and type comparisons.
+			[RT #40297]
+
+4181.	[bug]		Queued notify messages could be dequeued from the
+			wrong rate limiter queue. [RT #40350]
+
+4179.	[bug]		Fix double frees in getaddrinfo() in libirs.
+			[RT #40209]
+
+4178.	[bug]		Fix assertion failure in parsing UNSPEC(103) RR from
+			text. [RT #40274]
+
+4177.	[bug]		Fix assertion failure in parsing NSAP records from
+			text. [RT #40285]
+
+4176.	[bug]		Address race issues with lwresd. [RT #40284]
+
+4175.	[bug]		TKEY with GSS-API keys needed bigger buffers.
+			[RT #40333]
+
+4174.	[bug]		"dnssec-coverage -r" didn't handle time unit
+			suffixes correctly. [RT #38444]
+
+4173.	[bug]		dig +sigchase was not properly matching the trusted
+			key. [RT #40188]
+
+4172.	[bug]		Named / named-checkconf didn't handle a view of CLASS0.
+			[RT #40265]
+
+4171.	[bug]		Fixed incorrect class checks in TSIG RR
+			implementation. [RT #40287]
 
 4170.	[security]	An incorrect boundary check in the OPENPGPKEY
 			rdatatype could trigger an assertion failure.
 			(CVE-2015-5986) [RT #40286]
 
+4169.	[test]		Added a 'wire_test -d' option to read input as
+			raw binary data, for use as a fuzzing harness.
+			[RT #40312]
+
 4168.	[security]	A buffer accounting error could trigger an
-			assertion failure when parsing certain malformed 
+			assertion failure when parsing certain malformed
 			DNSSEC keys. (CVE-2015-5722) [RT #40212]
 
-	--- 9.10.2-P3 released ---
+	--- 9.10.3b1 released ---
 
 4165.	[security]	A failure to reset a value to NULL in tkey.c could
 			result in an assertion failure. (CVE-2015-5477)
 			[RT #40046]
 
-	--- 9.10.2-P2 released ---
-
-4138.	[bug]		An uninitialized value in validator.c could result
+4164.	[bug]		Don't rename slave files and journals on out of memory.
+			[RT #40033]
+
+4163.	[bug]		Address compiler warnings. [RT #40024]
+
+4162.	[bug]		httpdmgr->flags was not being initialized. [RT #40017]
+
+4161.	[test]		Test for consistency between "rndc stats" and the
+			XML and JSON statistics channel contents. [RT #38700]
+
+4159.	[cleanup]	Alphabetize dig's help output. [RT #39966]
+
+4157.	[protocol]	Update experimental SIT code to use the EDNS COOKIE
+			option code point (10).  This is the minimal change
+			required to use the new code point. [RT #39928]
+
+4154.	[bug]		A OPT record should be included with the FORMERR
+			response when there is a malformed EDNS option.
+			[RT #39647]
+
+4153.	[bug]		Dig should zero non significant +subnet bits.  Check
+			that non significant ECS bits are zero on receipt.
+			[RT #39647]
+
+4151.	[bug]		'rndc flush' could cause a deadlock. [RT #39835]
+
+4150.	[bug]		win32: listen-on-v6 { any; }; was not working.  Apply
+			minimal fix.  [RT #39667]
+
+4149.	[bug]		Fixed a race condition in the getaddrinfo()
+			implementation in libirs, which caused the delv
+			utility to crash with an assertion failure when using
+			the '@server' syntax with a hostname argument.
+			[RT #39899]
+
+4148.	[bug]		Fix a bug when printing zone names with '/' character
+			in XML and JSON statistics output. [RT #39873]
+
+4147.	[bug]		Filter-aaaa / filter-aaaa-on-v4 / filter-aaaa-on-v6
+			was returning referrals rather than nodata responses
+			when the AAAA records were filtered.  [RT #39843]
+
+4146.	[bug]		Address reference leak that could prevent a clean
+			shutdown. [RT #37125]
+
+4145.	[bug]		Not all unassociated adb entries where being printed.
+			[RT #37125]
+
+4143.	[bug]		serial-query-rate was not effective for notify.
+			[RT #39858]
+
+4142.	[bug]		rndc addzone with view specified saved NZF config
+			that could not be read back by named. This has now
+			been fixed. [RT #39845]
+
+4141.	[bug]		A formatting bug caused rndc zonestatus to print
+			negative numbers for large serial values. This has
+			now been fixed. [RT #39854]
+
+4139.	[doc]		Fix rpz-client-ip documentation. [RT #39783]
+
+4138.	[security]	An uninitialized value in validator.c could result
 			in an assertion failure. (CVE-2015-4620) [RT #39795]
 
-	--- 9.10.2-P1 released ---
+4137.	[bug]		Make rndc reconfig report configuration errors the
+			same way rndc reload does. [RT #39635]
+
+4136.	[bug]		Stale statistics counters with the leading
+			'#' prefix (such as #NXDOMAIN) were not being
+			updated correctly. This	has been fixed. [RT #39141]
 
 4134.	[cleanup]	Include client-ip rules when logging the number
 			of RPZ rules of each type. [RT #39670]
 
+4133.	[port]		Update how various json libraries are handled.
+			[RT #39646]
+
+4132.	[cleanup]	dig: added +rd as a synonym for +recurse,
+			added +class as an unabbreviated alternative
+			to +cl. [RT #39686]
+
 4131.	[bug]		Addressed further problems with reloading RPZ
 			zones. [RT #39649]
 
+4130.	[bug]		The compatibility shim for *printf() misprinted some
+			large numbers. [RT #39586]
+
+4129.	[port]		Address API changes in OpenSSL 1.1.0. [RT #39532]
+
+4128.	[bug]		Address issues raised by Coverity 7.6. [RT #39537]
+
+4127.	[protocol]	CDS and CDNSKEY need to be signed by the key signing
+			key as per RFC 7344, Section 4.1. [RT #37215]
+
 4126.	[bug]		Addressed a regression introduced in change #4121.
 			[RT #39611]
 
+4123.	[port]		Added %z (size_t) format options to the portable
+			internal printf/sprintf implementation. [RT #39586]
+
 4122.	[bug]		The server could match a shorter prefix than what was
 			available in CLIENT-IP policy triggers, and so, an
 			unexpected action could be taken. This has been
@@ -50,12 +238,149 @@
 			pending for RPZ processing of an active query.
 			[RT #39415]
 
+4119.	[test]		Allow dig to set the message opcode. [RT #39550]
+
+4118.	[bug]		Teach isc-config.sh about irs. [RT #39213]
+
+4117.	[protocol]	Add EMPTY.AS112.ARPA as per RFC 7534.
+
 4116.	[bug]		Fix a bug in RPZ that could cause some policy
 			zones that did not specifically require
 			recursion to be treated as if they did;
 			consequently, setting qname-wait-recurse no; was
 			sometimes ineffective. [RT #39229]
 
+4113.	[test]		Check for Net::DNS is some system test
+			prerequisites. [RT #39369]
+
+4112.	[bug]		Named failed to load when "root-delegation-only"
+			was used without a list of domains to exclude.
+			[RT #39380]
+
+4111.	[doc]		Alphabetize rndc man page. [RT #39360]
+
+4110.	[bug]		Address memory leaks / null pointer dereferences
+			on out of memory. [RT #39310]
+
+4109.	[port]		linux: support reading the local port range from
+			net.ipv4.ip_local_port_range. [RT # 39379]
+
+4107.	[bug]		Address potential deadlock when updating zone content.
+			[RT #39269]
+
+4106.	[port]		Improve readline support. [RT #38938]
+
+4105.	[port]		Misc fixes for Microsoft Visual Studio
+			2015 CTP6 in 64 bit mode. [RT #39308]
+
+4104.	[bug]		Address uninitialized elements. [RT #39252]
+
+4102.	[bug]		Fix a use after free bug introduced in change
+			#4094.  [RT #39281]
+
+4101.	[bug]		dig: the +split and +rrcomments options didn't
+			work with +short. [RT #39291]
+
+4100.	[bug]		Inherited owernames on the line immediately following
+			a $INCLUDE were not working.  [RT #39268]
+
+4099.	[port]		clang: make unknown commandline options hard errors
+			when determining what options are supported.
+			[RT #39273]
+
+4098.	[bug]		Address use-after-free issue when using a
+			predecessor key with dnssec-settime. [RT #39272]
+
+4097.	[func]		Add additional logging about xfrin transfer status.
+			[RT #39170]
+
+4096.	[bug]		Fix a use after free of query->sendevent.
+			[RT #39132]
+
+4095.	[bug]		zone->options2 was not being properly initialized.
+			[RT #39228]
+
+4094.	[bug]		A race during shutdown or reconfiguration could
+			cause an assertion in mem.c. [RT #38979]
+
+4093.	[func]		Dig now learns the SIT value from truncated
+			responses when it retries over TCP. [RT #39047]
+
+4092.	[bug]		'in-view' didn't work for zones beneath a empty zone.
+			[RT #39173]
+
+4091.	[cleanup]	Some cleanups in isc mem code. [RT #38896]
+
+4090.	[bug]		Fix a crash while parsing malformed CAA RRs in
+			presentation format, i.e., from text such as
+			from master files. Thanks to John Van de
+			Meulebrouck Brendgard for discovering and
+			reporting this problem. [RT #39003]
+
+4089.	[bug]		Send notifies immediately for slave zones during
+			startup. [RT #38843]
+
+4088.	[port]		Fixed errors when building with libressl. [RT #38899]
+
+4087.	[bug]		Fix a crash due to use-after-free due to sequencing
+			of tasks actions. [RT #38495]
+
+4086.	[bug]		Fix out-of-srcdir build with native pkcs11. [RT #38831]
+
+4085.	[bug]		ISC_PLATFORM_HAVEXADDQ could be inconsistently set.
+			[RT #38828]
+
+4084.	[bug]		Fix a possible race in updating stats counters.
+			[RT #38826]
+
+4082.	[bug]		Incrementally sign large inline zone deltas.
+			[RT #37927]
+
+4081.	[cleanup]	Use dns_rdatalist_init consistently. [RT #38759]
+
+4078.	[bug]		Handle the case where CMSG_SPACE(sizeof(int)) !=
+			CMSG_SPACE(sizeof(char)). [RT #38621]
+
+4077.	[test]		Add static-stub regression test for DS NXDOMAIN
+			return making the static stub disappear. [RT #38564]
+
+4076.	[bug]		Named could crash on shutdown with outstanding
+			reload / reconfig events. [RT #38622]
+
+4074.	[cleanup]	Cleaned up more warnings from gcc -Wshadow. [RT #38708]
+
+4073.	[cleanup]	Add libjson-c version number reporting to
+			"named -V"; normalize version number formatting.
+			[RT #38056]
+
+4072.	[func]		Add a --enable-querytrace configure switch for
+			very verbose query trace logging. (This option
+			has a negative performance impact and should be
+			used only for debugging.) [RT #37520]
+
+4071.	[cleanup]	Initialize pthread mutex attrs just once, instead of
+			doing it per mutex creation. [RT #38547]
+
+4070.	[bug]		Fix a segfault in nslookup in a query such as
+			"nslookup isc.org AMS.SNS-PB.ISC.ORG -all".
+			[RT #38548]
+
+4069.	[doc]		Reorganize options in the nsupdate man page.
+			[RT #38515]
+
+4068.	[bug]		Omit unknown serial number from JSON zone statistics.
+			[RT #38604]
+
+4067.	[cleanup]	Reduce noise from RRL when query logging is
+			disabled. [RT #38648]
+
+4066.	[doc]		Reorganize options in the dig man page. [RT #38516]
+
+4064.	[contrib]	dnssec-keyset.sh: Generates a specified number
+			of DNSSEC keys with timing set to implement a
+			pre-publication key rollover strategy. Thanks
+			to Jeffry A. Spain. [RT #38459]
+
 4063.	[bug]		Asynchronous zone loads were not handled
 			correctly when the zone load was already in
 			progress; this could trigger a crash in zt.c.
@@ -66,6 +391,49 @@
 			during operation. If the read failed, named
 			could segfault. [RT #38559]
 
+3993.	[func]		Dig now supports EDNS negotiation by default.
+			(dig +[no]ednsnegotiation).
+
+			Note:  This is disabled by default in BIND 9.10
+			and enabled by default in BIND 9.11.  [RT #37604]
+
+3951.	[func]		Add the ability to set yet-to-be-defined EDNS flags
+			to dig (+ednsflags=#). [RT #37142]
+
+3938.	[func]		Added quotas to be used in recursive resolvers
+			that are under high query load for names in zones
+			whose authoritative servers are nonresponsive or
+			are experiencing a denial of service attack.
+
+			- "fetches-per-server" limits the number of
+			  simultaneous queries that can be sent to any
+			  single authoritative server.  The configured
+			  value is a starting point; it is automatically
+			  adjusted downward if the server is partially or
+			  completely non-responsive. The algorithm used to
+			  adjust the quota can be configured via the
+			  "fetch-quota-params" option.
+			- "fetches-per-zone" limits the number of
+			  simultaneous queries that can be sent for names
+			  within a single domain.  (Note: Unlike
+			  "fetches-per-server", this value is not
+			  self-tuning.)
+			- New stats counters have been added to count
+			  queries spilled due to these quotas.
+
+			These options are not available by default;
+			use "configure --enable-fetchlimit" (or
+			--enable-developer) to include them in the build.
+
+			See the ARM for details of these options. [RT #37125]
+
+3937.	[func]		Added some debug logging to better indicate the
+			conditions causing SERVFAILs when resolving.
+			[RT #35538]
+
+3812.	[func]		Dig now supports sending arbitary EDNS options from
+			the command line (+ednsopt=code[:value]). [RT #35584]
+
 	--- 9.10.2 released ---
 
 	--- 9.10.2rc2 released ---
@@ -73,7 +441,7 @@
 4061.	[bug]		Handle timeout in legacy system test. [RT #38573]
 
 4060.	[bug]		dns_rdata_freestruct could be called on a
-			uninitialised structure when handling a error.
+			uninitialized structure when handling a error.
 			[RT #38568]
 
 4059.	[bug]		Addressed valgrind warnings. [RT #38549]
--- a/external/bsd/bind/dist/README	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/README	Thu Dec 17 04:00:21 2015 +0000
@@ -51,28 +51,48 @@
 	For up-to-date release notes and errata, see
 	http://www.isc.org/software/bind9/releasenotes
 
-BIND 9.10.2-P4
+BIND 9.10.3-P2
 
-	BIND 9.10.2-P4 is a security release addressing the flaws
-	described in CVE-2015-5722 and CVE-2015-5986.
+	BIND 9.10.3-P2 is a security release addressing the flaws
+	described in CVE-2015-3193 (OpenSSL), CVE-2015-8000 and
+	CVE-2015-8461.
+
+BIND 9.10.3-P1
 
-BIND 9.10.2-P3
+	BIND 9.10.3-P1 was incomplete and was withdrawn prior to
+	publication.
+
+BIND 9.10.3
 
-	BIND 9.10.2-P3 is a security release addressing the flaw
-	described in CVE-2015-5477.
+	BIND 9.10.3 is a maintenance release and addresses bugs
+	found in BIND 9.10.2 and earlier, as well as the security
+	flaws described in CVE-2015-4620, CVE-2015-5477,
+	CVE-2015-5722, and CVE-2015-5986.
+
+	It also makes the following new features available:
 
-BIND 9.10.2-P2
-
-	BIND 9.10.2-P2 is a security release addressing the flaw
-	described in CVE-2015-4620.
+	- New "fetchlimit" quotas are now available for the use of
+	  recursive resolvers that are are under high query load for
+	  domains whose authoritative servers are nonresponsive or are
+	  experiencing a denial of service attack.
 
-BIND 9.10.2-P1
+	  + "fetches-per-server" limits the number of simultaneous queries
+	    that can be sent to any single authoritative server.  The
+	    configured value is a starting point; it is automatically
+	    adjusted downward if the server is partially or completely
+	    non-responsive. The algorithm used to adjust the quota can be
+	    configured via the "fetch-quota-params" option.
+	  + "fetches-per-zone" limits the number of simultaneous queries
+	    that can be sent for names within a single domain.  (Note:
+	    Unlike "fetches-per-server", this value is not self-tuning.)
+	  + New stats counters have been added to count
+	    queries spilled due to these quotas.
 
-        BIND 9.10.2-P1 is a patch release addressing several
-        bugs recently found in the response-policy zones (RPZ)
-        implementation in BIND 9.10.  These mostly affect servers
-        that have multiple frequently-updated response-policy
-        zones.
+	  NOTE: These features are NOT built in by default; use
+	  "configure --enable-fetchlimit" to enable them.
+
+	- Dig now supports sending of arbitary EDNS options by specifying
+	  them on the command line.
 
 BIND 9.10.2
 
--- a/external/bsd/bind/dist/bin/check/check-tool.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/check/check-tool.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: check-tool.c,v 1.7 2014/12/10 04:37:51 christos Exp $	*/
+/*	$NetBSD: check-tool.c,v 1.8 2015/12/17 04:00:40 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -35,6 +35,7 @@
 #include <isc/mem.h>
 #include <isc/netdb.h>
 #include <isc/net.h>
+#include <isc/print.h>
 #include <isc/region.h>
 #include <isc/stdio.h>
 #include <isc/string.h>
--- a/external/bsd/bind/dist/bin/check/named-checkconf.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/check/named-checkconf.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: named-checkconf.c,v 1.11 2015/07/08 17:28:54 christos Exp $	*/
+/*	$NetBSD: named-checkconf.c,v 1.12 2015/12/17 04:00:40 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2007, 2009-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009-2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -33,6 +33,7 @@
 #include <isc/hash.h>
 #include <isc/log.h>
 #include <isc/mem.h>
+#include <isc/print.h>
 #include <isc/result.h>
 #include <isc/string.h>
 #include <isc/util.h>
--- a/external/bsd/bind/dist/bin/check/named-checkzone.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/check/named-checkzone.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: named-checkzone.c,v 1.7 2014/12/10 04:37:51 christos Exp $	*/
+/*	$NetBSD: named-checkzone.c,v 1.8 2015/12/17 04:00:40 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -32,6 +32,7 @@
 #include <isc/hash.h>
 #include <isc/log.h>
 #include <isc/mem.h>
+#include <isc/print.h>
 #include <isc/socket.h>
 #include <isc/string.h>
 #include <isc/task.h>
--- a/external/bsd/bind/dist/bin/confgen/keygen.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/confgen/keygen.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: keygen.c,v 1.6 2014/12/10 04:37:51 christos Exp $	*/
+/*	$NetBSD: keygen.c,v 1.7 2015/12/17 04:00:40 christos Exp $	*/
 
 /*
- * Copyright (C) 2009, 2012-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009, 2012-2015  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -31,6 +31,7 @@
 #include <isc/file.h>
 #include <isc/keyboard.h>
 #include <isc/mem.h>
+#include <isc/print.h>
 #include <isc/result.h>
 #include <isc/string.h>
 
--- a/external/bsd/bind/dist/bin/confgen/util.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/confgen/util.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: util.c,v 1.4 2014/12/10 04:37:51 christos Exp $	*/
+/*	$NetBSD: util.c,v 1.5 2015/12/17 04:00:40 christos Exp $	*/
 
 /*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009, 2015  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -27,6 +27,7 @@
 #include <stdio.h>
 
 #include <isc/boolean.h>
+#include <isc/print.h>
 
 #include "util.h"
 
--- a/external/bsd/bind/dist/bin/dig/dig.1	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dig/dig.1	Thu Dec 17 04:00:21 2015 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: dig.1,v 1.10 2015/07/08 17:28:54 christos Exp $
+.\"	$NetBSD: dig.1,v 1.11 2015/12/17 04:00:40 christos Exp $
 .\"
-.\" Copyright (C) 2004-2011, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2011, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -132,77 +132,97 @@
 .RE
 .SH "OPTIONS"
 .PP
-The
-\fB\-b\fR
-option sets the source IP address of the query to
-\fIaddress\fR. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional port may be specified by appending "#<port>"
+\-4
+.RS 4
+Use IPv4 only.
+.RE
+.PP
+\-6
+.RS 4
+Use IPv6 only.
+.RE
 .PP
-The default query class (IN for internet) is overridden by the
-\fB\-c\fR
-option.
+\-b \fIaddress\fR\fI[#port]\fR
+.RS 4
+Set the source IP address of the query. The
+\fIaddress\fR
+must be a valid address on one of the host's network interfaces, or "0.0.0.0" or "::". An optional port may be specified by appending "#<port>"
+.RE
+.PP
+\-c \fIclass\fR
+.RS 4
+Set the query class. The default
 \fIclass\fR
-is any valid class, such as HS for Hesiod records or CH for Chaosnet records.
+is IN; other classes are HS for Hesiod records or CH for Chaosnet records.
+.RE
 .PP
-The
-\fB\-f\fR
-option makes
-\fBdig \fR
-operate in batch mode by reading a list of lookup requests to process from the file
-\fIfilename\fR. The file contains a number of queries, one per line. Each entry in the file should be organized in the same way they would be presented as queries to
+\-f \fIfile\fR
+.RS 4
+Batch mode:
+\fBdig\fR
+reads a list of lookup requests to process from the given
+\fIfile\fR. Each line in the file should be organized in the same way they would be presented as queries to
 \fBdig\fR
 using the command\-line interface.
+.RE
 .PP
-The
-\fB\-m\fR
-option enables memory usage debugging.
+\-i
+.RS 4
+Do reverse IPv6 lookups using the obsolete RFC1886 IP6.INT domain, which is no longer in use. Obsolete bit string label queries (RFC2874) are not attempted.
+.RE
 .PP
-If a non\-standard port number is to be queried, the
-\fB\-p\fR
-option is used.
-\fIport#\fR
-is the port number that
-\fBdig\fR
-will send its queries instead of the standard DNS port number 53. This option would be used to test a name server that has been configured to listen for queries on a non\-standard port number.
+\-k \fIkeyfile\fR
+.RS 4
+Sign queries using TSIG using a key read from the given file. Key files can be generated using
+\fBtsig\-keygen\fR(8). When using TSIG authentication with
+\fBdig\fR, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate
+\fBkey\fR
+and
+\fBserver\fR
+statements in
+\fInamed.conf\fR.
+.RE
 .PP
-The
-\fB\-4\fR
-option forces
-\fBdig\fR
-to only use IPv4 query transport. The
-\fB\-6\fR
-option forces
-\fBdig\fR
-to only use IPv6 query transport.
+\-m
+.RS 4
+Enable memory usage debugging.
+.RE
+.PP
+\-p \fIport\fR
+.RS 4
+Send the query to a non\-standard port on the server, instead of the defaut port 53. This option would be used to test a name server that has been configured to listen for queries on a non\-standard port number.
+.RE
 .PP
-The
-\fB\-t\fR
-option sets the query type to
-\fItype\fR. It can be any valid query type which is supported in BIND 9. The default query type is "A", unless the
+\-q \fIname\fR
+.RS 4
+The domain name to query. This is useful to distinguish the
+\fIname\fR
+from other arguments.
+.RE
+.PP
+\-t \fItype\fR
+.RS 4
+The resource record type to query. It can be any valid query type which is supported in BIND 9. The default query type is "A", unless the
 \fB\-x\fR
-option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required,
+option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required, set the
 \fItype\fR
-is set to
+to
 ixfr=N. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was
 \fIN\fR.
+.RE
 .PP
-The
-\fB\-q\fR
-option sets the query name to
-\fIname\fR. This is useful to distinguish the
-\fIname\fR
-from other arguments.
+\-v
+.RS 4
+Print the version number and exit.
+.RE
 .PP
-The
-\fB\-v\fR
-causes
-\fBdig\fR
-to print the version number and exit.
-.PP
-Reverse lookups \(em mapping addresses to names \(em are simplified by the
+\-x \fIaddr\fR
+.RS 4
+Simplified reverse lookups, for mapping addresses to names. The
+\fIaddr\fR
+is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address. When the
 \fB\-x\fR
-option.
-\fIaddr\fR
-is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address. When this option is used, there is no need to provide the
+is used, there is no need to provide the
 \fIname\fR,
 \fIclass\fR
 and
@@ -210,35 +230,41 @@
 arguments.
 \fBdig\fR
 automatically performs a lookup for a name like
-11.12.13.10.in\-addr.arpa
-and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are looked up using nibble format under the IP6.ARPA domain. To use the older RFC1886 method using the IP6.INT domain specify the
+94.2.0.192.in\-addr.arpa
+and sets the query type and class to PTR and IN respectively. IPv6 addresses are looked up using nibble format under the IP6.ARPA domain (but see also the
 \fB\-i\fR
-option. Bit string labels (RFC2874) are now experimental and are not attempted.
+option).
+.RE
 .PP
-To sign the DNS queries sent by
-\fBdig\fR
-and their responses using transaction signatures (TSIG), specify a TSIG key file using the
-\fB\-k\fR
-option. You can also specify the TSIG key itself on the command line using the
-\fB\-y\fR
-option;
+\-y \fI[hmac:]\fR\fIkeyname:secret\fR
+.RS 4
+Sign queries using TSIG with the given authentication key.
+\fIkeyname\fR
+is the name of the key, and
+\fIsecret\fR
+is the base64 encoded shared secret.
 \fIhmac\fR
-is the type of the TSIG, default HMAC\-MD5,
-\fIname\fR
-is the name of the TSIG key and
-\fIkey\fR
-is the actual key. The key is a base\-64 encoded string, typically generated by
-\fBdnssec\-keygen\fR(8). Caution should be taken when using the
+is the name of the key algorithm; valid choices are
+hmac\-md5,
+hmac\-sha1,
+hmac\-sha224,
+hmac\-sha256,
+hmac\-sha384, or
+hmac\-sha512. If
+\fIhmac\fR
+is not specified, the default is
+hmac\-md5.
+.sp
+NOTE: You should use the
+\fB\-k\fR
+option and avoid the
 \fB\-y\fR
-option on multi\-user systems as the key can be visible in the output from
+option, because with
+\fB\-y\fR
+the shared secret is supplied as a command line argument in clear text. This may be visible in the output from
 \fBps\fR(1)
-or in the shell's history file. When using TSIG authentication with
-\fBdig\fR, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate
-\fBkey\fR
-and
-\fBserver\fR
-statements in
-\fInamed.conf\fR.
+or in a history file maintained by the user's shell.
+.RE
 .SH "QUERY OPTIONS"
 .PP
 \fBdig\fR
@@ -247,7 +273,10 @@
 Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These may be preceded by the string
 no
 to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form
-\fB+keyword=value\fR. The query options are:
+\fB+keyword=value\fR. Keywords may be abbreviated, provided the abbreviation is unambiguous; for example,
++cd
+is equivalent to
++cdflag. The query options are:
 .PP
 \fB+[no]aaflag\fR
 .RS 4
@@ -302,7 +331,7 @@
 Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses.
 .RE
 .PP
-\fB+[no]cl\fR
+\fB+[no]class\fR
 .RS 4
 Display [do not display] the CLASS when printing the record.
 .RE
@@ -353,6 +382,27 @@
 clears the remembered EDNS version. EDNS is set to 0 by default.
 .RE
 .PP
+\fB+[no]ednsflags[=#]\fR
+.RS 4
+Set the must\-be\-zero EDNS flags bits (Z bits) to the specified value. Decimal, hex and octal encodings are accepted. Setting a named flag (e.g. DO) will silently be ignored. By default, no Z bits are set.
+.RE
+.PP
+\fB+[no]ednsnegotiation\fR
+.RS 4
+Enable / disable EDNS version negotiation. By default EDNS version negotiation is enabled.
+.RE
+.PP
+\fB+[no]ednsopt[=code[:value]]\fR
+.RS 4
+Specify EDNS option with code point
+\fBcode\fR
+and optionally payload of
+\fBvalue\fR
+as a hexadecimal string.
+\fB+noednsopt\fR
+clears the EDNS options to to be sent.
+.RE
+.PP
 \fB+[no]expire\fR
 .RS 4
 Send an EDNS Expire option.
@@ -423,6 +473,11 @@
 Print only one (starting) SOA record when performing an AXFR. The default is to print both the starting and ending SOA records.
 .RE
 .PP
+\fB+[no]opcode=value\fR
+.RS 4
+Set [restore] the DNS message opcode to the specified value. The default value is QUERY (0).
+.RE
+.PP
 \fB+[no]qr\fR
 .RS 4
 Print [do not print] the query as it is sent. By default, the query is not printed.
@@ -433,6 +488,12 @@
 Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment.
 .RE
 .PP
+\fB+[no]rdflag\fR
+.RS 4
+A synonym for
+\fI+[no]recurse\fR.
+.RE
+.PP
 \fB+[no]recurse\fR
 .RS 4
 Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means
@@ -541,6 +602,8 @@
 \fBdig\fR
 makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup.
 .sp
+If @server is also specified, it affects only the initial query for the root zone name servers.
+.sp
 \fB+dnssec\fR
 is also set when +trace is set to better emulate the default queries from a nameserver.
 .RE
@@ -643,7 +706,7 @@
 .PP
 There are probably too many query options.
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2011, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2011, 2013\-2015 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000\-2003 Internet Software Consortium.
 .br
--- a/external/bsd/bind/dist/bin/dig/dig.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dig/dig.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dig.c,v 1.10 2014/12/10 04:37:51 christos Exp $	*/
+/*	$NetBSD: dig.c,v 1.11 2015/12/17 04:00:40 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -31,8 +31,8 @@
 #include <isc/parseint.h>
 #include <isc/print.h>
 #include <isc/string.h>
+#include <isc/task.h>
 #include <isc/util.h>
-#include <isc/task.h>
 
 #include <dns/byaddr.h>
 #include <dns/fixedname.h>
@@ -118,21 +118,18 @@
 };
 
 /*% safe rcodetext[] */
-static char *
+static const char *
 rcode_totext(dns_rcode_t rcode)
 {
 	static char buf[sizeof("?65535")];
-	union {
-		const char *consttext;
-		char *deconsttext;
-	} totext;
 
 	if (rcode >= (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
 		snprintf(buf, sizeof(buf), "?%u", rcode);
-		totext.deconsttext = buf;
-	} else
-		totext.consttext = rcodetext[rcode];
-	return totext.deconsttext;
+		return (buf);
+	} else if (rcode == dns_rcode_badcookie)
+		return ("BADCOOKIE");
+	else
+		return (rcodetext[rcode]);
 }
 
 /*% print usage */
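Review bot: In `rcode_totext` the new `dns_rcode_badcookie` branch sits behind the range test, so it is reachable only if `rcodetext[]` has more entries than that rcode's numeric value. The table is defined above this hunk; if it is shorter, the function prints `?<number>` and never `BADCOOKIE`. Testing the special case first makes the result independent of the table length: put `if (rcode == dns_rcode_badcookie) return ("BADCOOKIE");` ahead of the `rcode >= ...` check. Now that the return type is `const char *`, a comment should also say that the returned pointer may refer to the function's static `buf` and is overwritten by the next out-of-range call.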
@@ -171,79 +168,88 @@
 "        q-type   is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]\n"
 "                 (Use ixfr=version for type ixfr)\n"
 "        q-opt    is one of:\n"
-"                 -x dot-notation     (shortcut for reverse lookups)\n"
+"                 -4                  (use IPv4 query transport only)\n"
+"                 -6                  (use IPv6 query transport only)\n"
+"                 -b address[#port]   (bind to source address/port)\n"
+"                 -c class            (specify query class)\n"
+"                 -f filename         (batch mode)\n"
 "                 -i                  (use IP6.INT for IPv6 reverse lookups)\n"
-"                 -f filename         (batch mode)\n"
-"                 -b address[#port]   (bind to source address/port)\n"
+"                 -k keyfile          (specify tsig key file)\n"
+"                 -m                  (enable memory usage debugging)\n"
 "                 -p port             (specify port number)\n"
 "                 -q name             (specify query name)\n"
 "                 -t type             (specify query type)\n"
-"                 -c class            (specify query class)\n"
 "                 -u                  (display times in usec instead of msec)\n"
-"                 -k keyfile          (specify tsig key file)\n"
+"                 -x dot-notation     (shortcut for reverse lookups)\n"
 "                 -y [hmac:]name:key  (specify named base64 tsig key)\n"
-"                 -4                  (use IPv4 query transport only)\n"
-"                 -6                  (use IPv6 query transport only)\n"
-"                 -m                  (enable memory usage debugging)\n"
 "        d-opt    is of the form +keyword[=value], where keyword is:\n"
-"                 +[no]vc             (TCP mode)\n"
-"                 +[no]tcp            (TCP mode, alternate syntax)\n"
-"                 +time=###           (Set query timeout) [5]\n"
-"                 +tries=###          (Set number of UDP attempts) [3]\n"
-"                 +retry=###          (Set number of UDP retries) [2]\n"
-"                 +domain=###         (Set default domainname)\n"
+"                 +[no]aaonly         (Set AA flag in query (+[no]aaflag))\n"
+"                 +[no]additional     (Control display of additional section)\n"
+"                 +[no]adflag         (Set AD flag in query (default on))\n"
+"                 +[no]all            (Set or clear all display flags)\n"
+"                 +[no]answer         (Control display of answer section)\n"
+"                 +[no]authority      (Control display of authority section)\n"
+"                 +[no]besteffort     (Try to parse even illegal messages)\n"
 "                 +bufsize=###        (Set EDNS0 Max UDP packet size)\n"
-"                 +ndots=###          (Set NDOTS value)\n"
-"                 +subnet=addr        (Set edns-client-subnet option)\n"
-"                 +[no]edns[=###]     (Set EDNS version) [0]\n"
-"                 +[no]search         (Set whether to use searchlist)\n"
-"                 +[no]showsearch     (Search with intermediate results)\n"
-"                 +[no]defname        (Ditto)\n"
-"                 +[no]recurse        (Recursive mode)\n"
-"                 +[no]ignore         (Don't revert to TCP for TC responses.)"
-"\n"
-"                 +[no]fail           (Don't try next server on SERVFAIL)\n"
-"                 +[no]besteffort     (Try to parse even illegal messages)\n"
-"                 +[no]aaonly         (Set AA flag in query (+[no]aaflag))\n"
-"                 +[no]adflag         (Set AD flag in query)\n"
-"                 +[no]cdflag         (Set CD flag in query)\n"
+"                 +[no]cdflag         (Set checking disabled flag in query)\n"
 "                 +[no]cl             (Control display of class in records)\n"
 "                 +[no]cmd            (Control display of command line)\n"
 "                 +[no]comments       (Control display of comment lines)\n"
-"                 +[no]rrcomments     (Control display of per-record "
-				       "comments)\n"
 "                 +[no]crypto         (Control display of cryptographic "
 				       "fields in records)\n"
-"                 +[no]question       (Control display of question)\n"
-"                 +[no]answer         (Control display of answer)\n"
-"                 +[no]authority      (Control display of authority)\n"
-"                 +[no]additional     (Control display of additional)\n"
-"                 +[no]stats          (Control display of statistics)\n"
-"                 +[no]short          (Disable everything except short\n"
+"                 +[no]defname        (Use search list (+[no]search))\n"
+"                 +[no]dnssec         (Request DNSSEC records)\n"
+"                 +domain=###         (Set default domainname)\n"
+"                 +[no]edns[=###]     (Set EDNS version) [0]\n"
+"                 +ednsflags=###      (Set EDNS flag bits)\n"
+"                 +[no]ednsnegotiation (Set EDNS version negotiation)\n"
+"                 +ednsopt=###[:value] (Send specified EDNS option)\n"
+"                 +noednsopt          (Clear list of +ednsopt options)\n"
+"                 +[no]expire         (Request time to expire)\n"
+"                 +[no]fail           (Don't try next server on SERVFAIL)\n"
+"                 +[no]identify       (ID responders in short answers)\n"
+"                 +[no]ignore         (Don't revert to TCP for TC responses.)"
+"\n"
+"                 +[no]keepopen       (Keep the TCP socket open between queries)\n"
+"                 +[no]multiline      (Print records in an expanded format)\n"
+"                 +ndots=###          (Set search NDOTS value)\n"
+"                 +[no]nsid           (Request Name Server ID)\n"
+"                 +[no]nssearch       (Search all authoritative nameservers)\n"
+"                 +[no]onesoa         (AXFR prints only one soa record)\n"
+"                 +[no]opcode=[###]   (Set the opcode of the request)\n"
+"                 +[no]qr             (Print question before sending)\n"
+"                 +[no]question       (Control display of question section)\n"
+"                 +[no]recurse        (Recursive mode)\n"
+"                 +retry=###          (Set number of UDP retries) [2]\n"
+"                 +[no]rrcomments     (Control display of per-record "
+				       "comments)\n"
+"                 +[no]search         (Set whether to use searchlist)\n"
+"                 +[no]short          (Display nothing except short\n"
 "                                      form of answer)\n"
-"                 +[no]ttlid          (Control display of ttls in records)\n"
-"                 +[no]all            (Set or clear all display flags)\n"
-"                 +[no]qr             (Print question before sending)\n"
-"                 +[no]nssearch       (Search all authoritative nameservers)\n"
-"                 +[no]identify       (ID responders in short answers)\n"
-"                 +[no]trace          (Trace delegation down from root [+dnssec])\n"
-"                 +[no]dnssec         (Request DNSSEC records)\n"
-"                 +[no]expire         (Request time to expire)\n"
-"                 +[no]nsid           (Request Name Server ID)\n"
+"                 +[no]showsearch     (Search with intermediate results)\n"
+#ifdef DIG_SIGCHASE
+"                 +[no]sigchase       (Chase DNSSEC signatures)\n"
+#endif
 #ifdef ISC_PLATFORM_USESIT
 "                 +[no]sit            (Request a Source Identity Token)\n"
 #endif
+"                 +[no]split=##       (Split hex/base64 fields into chunks)\n"
+"                 +[no]stats          (Control display of statistics)\n"
+"                 +subnet=addr        (Set edns-client-subnet option)\n"
+"                 +[no]tcp            (TCP mode (+[no]vc))\n"
+"                 +time=###           (Set query timeout) [5]\n"
 #ifdef DIG_SIGCHASE
-"                 +[no]sigchase       (Chase DNSSEC signatures)\n"
-"                 +trusted-key=####   (Trusted Key when chasing DNSSEC sigs)\n"
 #if DIG_SIGCHASE_TD
 "                 +[no]topdown        (Do DNSSEC validation top down mode)\n"
 #endif
 #endif
-"                 +[no]split=##       (Split hex/base64 fields into chunks)\n"
-"                 +[no]multiline      (Print records in an expanded format)\n"
-"                 +[no]onesoa         (AXFR prints only one soa record)\n"
-"                 +[no]keepopen       (Keep the TCP socket open between queries)\n"
+"                 +[no]trace          (Trace delegation down from root [+dnssec])\n"
+"                 +tries=###          (Set number of UDP attempts) [3]\n"
+#ifdef DIG_SIGCHASE
+"                 +trusted-key=####   (Trusted Key when chasing DNSSEC sigs)\n"
+#endif
+"                 +[no]ttlid          (Control display of ttls in records)\n"
+"                 +[no]vc             (TCP mode (+[no]tcp))\n"
 "        global d-opts and servers (before host name) affect all queries.\n"
 "        local d-opts and servers (after host name) affect only that lookup.\n"
 "        -h                           (print help and exit)\n"
@@ -340,9 +346,12 @@
 		ADD_STRING(buf, " ");
 	}
 
+	if (rrcomments)
+		styleflags |= DNS_STYLEFLAG_RRCOMMENT;
 	if (nocrypto)
 		styleflags |= DNS_STYLEFLAG_NOCRYPTO;
-	result = dns_rdata_tofmttext(rdata, NULL, styleflags, 0, 60, " ", buf);
+	result = dns_rdata_tofmttext(rdata, NULL, styleflags, 0,
+				     splitwidth, " ", buf);
 	if (result == ISC_R_NOSPACE)
 		return (result);
 	check_result(result, "dns_rdata_totext");
@@ -752,7 +761,7 @@
 {
 	isc_result_t result;
 	char option_store[256];
-	char *cmd, *value, *ptr;
+	char *cmd, *value, *ptr, *code;
 	isc_uint32_t num;
 	isc_boolean_t state = ISC_TRUE;
 #if defined(DIG_SIGCHASE) || defined(ISC_PLATFORM_USESIT)
@@ -867,8 +876,9 @@
 				goto invalid_option;
 			}
 			break;
-		case 'l': /* cl */
-			FULLCHECK("cl");
+		case 'l': /* class */
+			/* keep +cl for backwards compatibility */
+			FULLCHECK2("cl", "class");
 			noclass = ISC_TF(!state);
 			break;
 		case 'm': /* cmd */
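Review bot: `FULLCHECK2("cl", "class")` now accepts `+class` alongside `+cl`, but the usage text in this file still lists only `+[no]cl`, while dig.1 in the same commit documents `+[no]class`. I would change the usage line to `+[no]class          (Control display of class in records)` so the help output and the man page agree. The new `+[no]rdflag` synonym added further down is missing from the usage text too and deserves a line of its own. The enclosing option parser starts and ends outside this hunk.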
@@ -919,19 +929,77 @@
 	case 'e':
 		switch (cmd[1]) {
 		case 'd':
-			FULLCHECK("edns");
-			if (!state) {
-				lookup->edns = -1;
+			switch(cmd[2]) {
+			case 'n':
+				switch (cmd[3]) {
+				case 's':
+					switch (cmd[4]) {
+					case 0:
+						FULLCHECK("edns");
+						if (!state) {
+							lookup->edns = -1;
+							break;
+						}
+						if (value == NULL) {
+							lookup->edns = 0;
+							break;
+						}
+						result = parse_uint(&num,
+								    value,
+								    255,
+								    "edns");
+						if (result != ISC_R_SUCCESS)
+							fatal("Couldn't parse "
+							      "edns");
+						lookup->edns = num;
+						break;
+					case 'f':
+						FULLCHECK("ednsflags");
+						if (!state) {
+							lookup->ednsflags = 0;
+							break;
+						}
+						if (value == NULL) {
+							lookup->ednsflags = 0;
+							break;
+						}
+						result = parse_xint(&num,
+								    value,
+								    0xffff,
+								  "ednsflags");
+						if (result != ISC_R_SUCCESS)
+							fatal("Couldn't parse "
+							      "ednsflags");
+						lookup->ednsflags = num;
+						break;
+					case 'n':
+						FULLCHECK("ednsnegotiation");
+						lookup->ednsneg = state;
+						break;
+					case 'o':
+						FULLCHECK("ednsopt");
+						if (!state) {
+							lookup->ednsoptscnt = 0;
+							break;
+						}
+						if (value == NULL)
+							fatal("ednsopt no "
+							      "code point "
+							      "specified");
+						code = next_token(&value, ":");
+						save_opt(lookup, code, value);
+						break;
+					default:
+						goto invalid_option;
+					}
+					break;
+				default:
+					goto invalid_option;
+				}
 				break;
+			default:
+				goto invalid_option;
 			}
-			if (value == NULL) {
-				lookup->edns = 0;
-				break;
-			}
-			result = parse_uint(&num, value, 255, "edns");
-			if (result != ISC_R_SUCCESS)
-				fatal("Couldn't parse edns");
-			lookup->edns = num;
 			break;
 		case 'x':
 			FULLCHECK("expire");
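Review bot: The `ednsopt` case passes the result of `next_token(&value, ":")` straight to `save_opt()` without checking it. The `value == NULL` test above covers only a missing `=`; if `next_token` can return NULL for an empty or colon-leading value such as `+ednsopt=` (its definition is outside this hunk, so this needs confirming), `save_opt` receives a NULL code point. A guard after the call, `if (code == NULL) fatal("ednsopt no code point specified");`, keeps malformed command-line input on the existing error path. Separately, both early exits in the `ednsflags` case assign 0 and could be merged into `if (!state || value == NULL)`. The enclosing function starts and ends outside the hunk.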
@@ -1013,8 +1081,37 @@
 		}
 		break;
 	case 'o':
-		FULLCHECK("onesoa");
-		onesoa = state;
+		switch (cmd[1]) {
+		case 'n':
+			FULLCHECK("onesoa");
+			onesoa = state;
+			break;
+		case 'p':
+			FULLCHECK("opcode");
+			if (!state) {
+				lookup->opcode = 0;	/* default - query */
+				break;
+			}
+			if (value == NULL)
+				goto need_value;
+			for (num = 0;
+			     num < sizeof(opcodetext)/sizeof(opcodetext[0]);
+			     num++) {
+				if (strcasecmp(opcodetext[num], value) == 0)
+					break;
+			}
+			if (num < 16) {
+				lookup->opcode = (dns_opcode_t)num;
+				break;
+			}
+			result = parse_uint(&num, value, 15, "opcode");
+			if (result != ISC_R_SUCCESS)
+				fatal("Couldn't parse opcode");
+			lookup->opcode = (dns_opcode_t)num;
+			break;
+		default:
+			goto invalid_option;
+		}
 		break;
 	case 'q':
 		switch (cmd[1]) {
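Review bot: The `opcode` case decides whether the name lookup succeeded with `if (num < 16)`, while the loop above it is bounded by `sizeof(opcodetext)/sizeof(opcodetext[0])`. The two agree only if `opcodetext[]` has exactly 16 entries (the table is defined outside this hunk); with a shorter table, a name that matched nothing would be stored as an opcode instead of reaching `parse_uint`. Using the same expression in both places removes that dependency: `if (num < sizeof(opcodetext)/sizeof(opcodetext[0])) {`. The literal 15 passed to `parse_uint` deserves a short comment that the DNS opcode field is four bits wide.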
@@ -1034,6 +1131,10 @@
 		break;
 	case 'r':
 		switch (cmd[1]) {
+		case 'd': /* rdflag */
+			FULLCHECK("rdflag");
+			lookup->recurse = state;
+			break;
 		case 'e':
 			switch (cmd[2]) {
 			case 'c': /* recurse */
--- a/external/bsd/bind/dist/bin/dig/dighost.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dig/dighost.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dighost.c,v 1.15 2015/07/08 17:28:54 christos Exp $	*/
+/*	$NetBSD: dighost.c,v 1.16 2015/12/17 04:00:40 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
@@ -86,6 +86,7 @@
 #include <isc/print.h>
 #include <isc/random.h>
 #include <isc/result.h>
+#include <isc/safe.h>
 #include <isc/serial.h>
 #include <isc/sockaddr.h>
 #include <isc/string.h>
@@ -152,6 +153,10 @@
 int tries = 3;
 int lookup_counter = 0;
 
+#ifdef ISC_PLATFORM_USESIT
+static char sitvalue[256];
+#endif
+
 #ifdef WITH_IDN
 static void		initialize_idn(void);
 static isc_result_t	output_filter(isc_buffer_t *buffer,
@@ -201,7 +206,7 @@
 
 #ifdef DIG_SIGCHASE
 
-isc_result_t	  get_trusted_key(isc_mem_t *mctx);
+isc_result_t	  get_trusted_key(void);
 dns_rdataset_t *  sigchase_scanname(dns_rdatatype_t type,
 				    dns_rdatatype_t covers,
 				    isc_boolean_t *lookedup,
@@ -219,32 +224,26 @@
 isc_result_t	  sigchase_verify_sig_key(dns_name_t *name,
 					  dns_rdataset_t *rdataset,
 					  dst_key_t* dnsseckey,
-					  dns_rdataset_t *sigrdataset,
-					  isc_mem_t *mctx);
+					  dns_rdataset_t *sigrdataset);
 isc_result_t	  sigchase_verify_sig(dns_name_t *name,
 				      dns_rdataset_t *rdataset,
 				      dns_rdataset_t *keyrdataset,
-				      dns_rdataset_t *sigrdataset,
-				      isc_mem_t *mctx);
+				      dns_rdataset_t *sigrdataset);
 isc_result_t	  sigchase_verify_ds(dns_name_t *name,
 				     dns_rdataset_t *keyrdataset,
-				     dns_rdataset_t *dsrdataset,
-				     isc_mem_t *mctx);
+				     dns_rdataset_t *dsrdataset);
 void		  sigchase(dns_message_t *msg);
 void		  print_rdata(dns_rdata_t *rdata, isc_mem_t *mctx);
-void		  print_rdataset(dns_name_t *name,
-				 dns_rdataset_t *rdataset, isc_mem_t *mctx);
-void		  dup_name(dns_name_t *source, dns_name_t* target,
-			   isc_mem_t *mctx);
-void		  free_name(dns_name_t *name, isc_mem_t *mctx);
+void		  print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset);
+void		  dup_name(dns_name_t *source, dns_name_t* target);
+void		  free_name(dns_name_t *name);
 void		  dump_database(void);
 void		  dump_database_section(dns_message_t *msg, int section);
 dns_rdataset_t *  search_type(dns_name_t *name, dns_rdatatype_t type,
 			      dns_rdatatype_t covers);
 isc_result_t	  contains_trusted_key(dns_name_t *name,
 				       dns_rdataset_t *rdataset,
-				       dns_rdataset_t *sigrdataset,
-				       isc_mem_t *mctx);
+				       dns_rdataset_t *sigrdataset);
 void		  print_type(dns_rdatatype_t type);
 isc_result_t	  prove_nx_domain(dns_message_t * msg,
 				  dns_name_t * name,
@@ -266,7 +265,7 @@
 			   dns_rdataset_t ** sigrdataset);
 static void	  nameFromString(const char *str, dns_name_t *p_ret);
 int		  inf_name(dns_name_t * name1, dns_name_t * name2);
-isc_result_t	  removetmpkey(isc_mem_t *mctx, const char *file);
+isc_result_t	  removetmpkey(const char *file);
 void		  clean_trustedkey(void);
 isc_result_t 	  insert_trustedkey(void *arg, dns_name_t *name,
 				    dns_rdataset_t *rdataset);
@@ -786,6 +785,8 @@
 	looknew->servfail_stops = ISC_TRUE;
 	looknew->besteffort = ISC_TRUE;
 	looknew->dnssec = ISC_FALSE;
+	looknew->ednsflags = 0;
+	looknew->opcode = dns_opcode_query;
 	looknew->expire = ISC_FALSE;
 	looknew->nsid = ISC_FALSE;
 #ifdef ISC_PLATFORM_USESIT
@@ -831,6 +832,9 @@
 #ifdef ISC_PLATFORM_USESIT
 	looknew->sitvalue = NULL;
 #endif
+	looknew->ednsopts = NULL;
+	looknew->ednsoptscnt = 0;
+	looknew->ednsneg = ISC_FALSE;
 	dns_fixedname_init(&looknew->fdomain);
 	ISC_LINK_INIT(looknew, link);
 	ISC_LIST_INIT(looknew->q);
@@ -877,12 +881,17 @@
 	looknew->servfail_stops = lookold->servfail_stops;
 	looknew->besteffort = lookold->besteffort;
 	looknew->dnssec = lookold->dnssec;
+	looknew->ednsflags = lookold->ednsflags;
+	looknew->opcode = lookold->opcode;
 	looknew->expire = lookold->expire;
 	looknew->nsid = lookold->nsid;
 #ifdef ISC_PLATFORM_USESIT
 	looknew->sit = lookold->sit;
 	looknew->sitvalue = lookold->sitvalue;
 #endif
+	looknew->ednsopts = lookold->ednsopts;
+	looknew->ednsoptscnt = lookold->ednsoptscnt;
+	looknew->ednsneg = lookold->ednsneg;
 #ifdef DIG_SIGCHASE
 	looknew->sigchase = lookold->sigchase;
 #if DIG_SIGCHASE_TD
@@ -918,6 +927,8 @@
 	if (lookold->ecs_addr != NULL) {
 		size_t len = sizeof(isc_sockaddr_t);
 		looknew->ecs_addr = isc_mem_allocate(mctx, len);
+		if (looknew->ecs_addr == NULL)
+			fatal("out of memory");
 		memmove(looknew->ecs_addr, lookold->ecs_addr, len);
 	}
 
@@ -1010,11 +1021,11 @@
 	isc_buffer_free(&namebuf);
 }
 
-isc_result_t
-parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
-	   const char *desc) {
+static isc_result_t
+parse_uint_helper(isc_uint32_t *uip, const char *value, isc_uint32_t max,
+		  const char *desc, int base) {
 	isc_uint32_t n;
-	isc_result_t result = isc_parse_uint32(&n, value, 10);
+	isc_result_t result = isc_parse_uint32(&n, value, base);
 	if (result == ISC_R_SUCCESS && n > max)
 		result = ISC_R_RANGE;
 	if (result != ISC_R_SUCCESS) {
@@ -1026,6 +1037,18 @@
 	return (ISC_R_SUCCESS);
 }
 
+isc_result_t
+parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
+	   const char *desc) {
+	return (parse_uint_helper(uip, value, max, desc, 10));
+}
+
+isc_result_t
+parse_xint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
+	   const char *desc) {
+	return (parse_uint_helper(uip, value, max, desc, 0));
+}
+
 static isc_uint32_t
 parse_bits(char *arg, const char *desc, isc_uint32_t max) {
 	isc_result_t result;
@@ -1059,6 +1082,8 @@
 	}
 
 	sa = isc_mem_allocate(mctx, sizeof(*sa));
+	if (sa == NULL)
+		fatal("out of memory");
 	if (inet_pton(AF_INET6, value, &in6) == 1) {
 		isc_sockaddr_fromin6(sa, &in6, 0);
 		parsed = ISC_TRUE;
@@ -1486,6 +1511,45 @@
 	check_result(result, "isc_mutex_init");
 }
 
+#define EDNSOPTS 100U
+static dns_ednsopt_t ednsopts[EDNSOPTS];
+static unsigned char ednsoptscnt = 0;
+
+void
+save_opt(dig_lookup_t *lookup, char *code, char *value) {
+	isc_uint32_t num;
+	isc_buffer_t b;
+	isc_result_t result;
+
+	if (ednsoptscnt == EDNSOPTS)
+		fatal("too many ednsopts");
+
+	result = parse_uint(&num, code, 65535, "ednsopt");
+	if (result != ISC_R_SUCCESS)
+		fatal("bad edns code point: %s", code);
+
+	ednsopts[ednsoptscnt].code = num;
+	ednsopts[ednsoptscnt].length = 0;
+	ednsopts[ednsoptscnt].value = NULL;
+
+	if (value != NULL) {
+		char *buf;
+		buf = isc_mem_allocate(mctx, strlen(value)/2 + 1);
+		if (buf == NULL)
+			fatal("out of memory");
+		isc_buffer_init(&b, buf, strlen(value)/2 + 1);
+		result = isc_hex_decodestring(value, &b);
+		check_result(result, "isc_hex_decodestring");
+		ednsopts[ednsoptscnt].value = isc_buffer_base(&b);
+		ednsopts[ednsoptscnt].length = isc_buffer_usedlength(&b);
+	}
+
+	if (lookup->ednsoptscnt == 0)
+		lookup->ednsopts = &ednsopts[ednsoptscnt];
+	lookup->ednsoptscnt++;
+	ednsoptscnt++;
+}
+
 /*%
  * Add EDNS0 option record to a message.  Currently, the only supported
  * options are UDP buffer size, the DO bit, and EDNS options
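Review bot: save_opt() keeps only a start pointer and a count per lookup (`lookup->ednsopts = &ednsopts[ednsoptscnt]` when the count is 0, then `lookup->ednsoptscnt++`), so it assumes each lookup's options form one contiguous run in the shared static array. The clone hunk (@@ -877) copies both fields, so an option added to a cloned lookup after another lookup has appended entries would land outside that run, and the memmove in the @@ -2475 hunk would then copy entries that belong to a different lookup; whether dig's option parsing can produce that order is not visible here. State the assumption above the array, e.g. `/* Shared by all lookups; each lookup owns one contiguous run. Values are freed at shutdown. */`, or give each lookup its own copy. Separately, `length` is assigned from isc_buffer_usedlength() with no range check, which would truncate a very long hex value if the field is 16 bits wide (its type is declared outside this diff).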
@@ -1493,15 +1557,12 @@
  */
 static void
 add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_uint16_t edns,
-	isc_boolean_t dnssec, dns_ednsopt_t *opts, size_t count)
+	unsigned int flags, dns_ednsopt_t *opts, size_t count)
 {
 	dns_rdataset_t *rdataset = NULL;
 	isc_result_t result;
-	unsigned int flags = 0;
 
 	debug("add_opt()");
-	if (dnssec)
-		flags |= DNS_MESSAGEEXTFLAG_DO;
 	result = dns_message_buildopt(msg, &rdataset, edns, udpsize, flags,
 				      opts, count);
 	check_result(result, "dns_message_buildopt");
@@ -1695,7 +1756,7 @@
 #if DIG_SIGCHASE_TD
 		if (current_lookup->do_topdown &&
 		    !current_lookup->rdtype_sigchaseset) {
-			dst_key_t *trustedkey = NULL;
+			dst_key_t *dstkey = NULL;
 			isc_buffer_t *b = NULL;
 			isc_region_t r;
 			isc_result_t result;
@@ -1703,7 +1764,7 @@
 			dns_name_t *key_name;
 			int i;
 
-			result = get_trusted_key(mctx);
+			result = get_trusted_key();
 			if (result != ISC_R_SUCCESS) {
 				printf("\n;; No trusted key, "
 				       "+sigchase option is disabled\n");
@@ -1718,22 +1779,22 @@
 
 				if (dns_name_issubdomain(&query_name,
 							 key_name) == ISC_TRUE)
-					trustedkey = tk_list.key[i];
+					dstkey = tk_list.key[i];
 				/*
 				 * Verify temp is really the lowest
 				 * WARNING
 				 */
 			}
-			if (trustedkey == NULL) {
+			if (dstkey == NULL) {
 				printf("\n;; The queried zone: ");
 				dns_name_print(&query_name, stdout);
 				printf(" isn't a subdomain of any Trusted Keys"
 				       ": +sigchase option is disable\n");
 				current_lookup->sigchase = ISC_FALSE;
-				free_name(&query_name, mctx);
+				free_name(&query_name);
 				goto novalidation;
 			}
-			free_name(&query_name, mctx);
+			free_name(&query_name);
 
 			current_lookup->rdtype_sigchase
 				= current_lookup->rdtype;
@@ -1758,7 +1819,7 @@
 
 			result = isc_buffer_allocate(mctx, &b, BUFSIZE);
 			check_result(result, "isc_buffer_allocate");
-			result = dns_name_totext(dst_key_name(trustedkey),
+			result = dns_name_totext(dst_key_name(dstkey),
 						 ISC_FALSE, b);
 			check_result(result, "dns_name_totext");
 			isc_buffer_usedregion(b, &r);
@@ -2078,9 +2139,6 @@
 	dns_rdatalist_init(rdatalist);
 	rdatalist->type = dns_rdatatype_soa;
 	rdatalist->rdclass = lookup->rdclass;
-	rdatalist->covers = 0;
-	rdatalist->ttl = 0;
-	ISC_LIST_INIT(rdatalist->rdata);
 	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
 
 	dns_rdatalist_tordataset(rdatalist, rdataset);
@@ -2307,7 +2365,7 @@
 
 	isc_random_get(&id);
 	lookup->sendmsg->id = (unsigned short)id & 0xFFFF;
-	lookup->sendmsg->opcode = dns_opcode_query;
+	lookup->sendmsg->opcode = lookup->opcode;
 	lookup->msgcounter = 0;
 	/*
 	 * If this is a trace request, completely disallow recursion, since
@@ -2391,7 +2449,8 @@
 	if (lookup->udpsize > 0 || lookup->dnssec ||
 	    lookup->edns > -1 || lookup->ecs_addr != NULL)
 	{
-		dns_ednsopt_t opts[DNS_EDNSOPTIONS];
+		dns_ednsopt_t opts[EDNSOPTS + DNS_EDNSOPTIONS];
+		unsigned int flags;
 		int i = 0;
 
 		if (lookup->udpsize == 0)
@@ -2412,13 +2471,19 @@
 			struct sockaddr *sa;
 			struct sockaddr_in *sin;
 			struct sockaddr_in6 *sin6;
+			const isc_uint8_t *addr;
 			size_t addrl;
+			isc_uint8_t mask;
 
 			sa = &lookup->ecs_addr->type.sa;
 			prefixlen = lookup->ecs_addr->length;
 
 			/* Round up prefix len to a multiple of 8 */
 			addrl = (prefixlen + 7) / 8;
+			if (prefixlen % 8 == 0)
+				mask = 0xff;
+			else
+				mask = 0xffU << (8 - (prefixlen % 8));
 
 			INSIST(i < DNS_EDNSOPTIONS);
 			opts[i].code = DNS_OPT_CLIENT_SUBNET;
@@ -2427,20 +2492,36 @@
 			isc_buffer_init(&b, ecsbuf, sizeof(ecsbuf));
 			if (sa->sa_family == AF_INET) {
 				sin = (struct sockaddr_in *) sa;
+				addr = (isc_uint8_t *) &sin->sin_addr;
+				/* family */
 				isc_buffer_putuint16(&b, 1);
+				/* source prefix-length */
 				isc_buffer_putuint8(&b, prefixlen);
+				/* scope prefix-length */
 				isc_buffer_putuint8(&b, 0);
-				isc_buffer_putmem(&b,
-					  (isc_uint8_t *) &sin->sin_addr,
-					  (unsigned int) addrl);
+				/* address */
+				if (addrl > 0) {
+					isc_buffer_putmem(&b, addr, addrl - 1);
+					isc_buffer_putuint8(&b,
+							    (addr[addrl - 1] &
+							     mask));
+				}
 			} else {
 				sin6 = (struct sockaddr_in6 *) sa;
+				addr = (isc_uint8_t *) &sin6->sin6_addr;
+				/* family */
 				isc_buffer_putuint16(&b, 2);
+				/* source prefix-length */
 				isc_buffer_putuint8(&b, prefixlen);
+				/* scope prefix-length */
 				isc_buffer_putuint8(&b, 0);
-				isc_buffer_putmem(&b,
-					  (isc_uint8_t *) &sin6->sin6_addr,
-					  (unsigned int) addrl);
+				/* address */
+				if (addrl > 0) {
+					isc_buffer_putmem(&b, addr, addrl - 1);
+					isc_buffer_putuint8(&b,
+							    (addr[addrl - 1] &
+							     mask));
+				}
 			}
 
 			opts[i].value = (isc_uint8_t *) ecsbuf;
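Review bot: The address is now read with `isc_buffer_putmem(&b, addr, addrl - 1)` and `addr[addrl - 1]`, where addrl comes from `lookup->ecs_addr->length`, and nothing in this hunk bounds addrl against the size of the address being read. The prefix length is presumably validated where the subnet option is parsed, outside this diff, but a local check keeps the read in bounds if that changes: `INSIST(addrl <= sizeof(sin->sin_addr));` in the AF_INET branch and `INSIST(addrl <= sizeof(sin6->sin6_addr));` in the other. The two branches now differ only in the family value and the source pointer, so the masked copy could be written once after selecting those. The enclosing function starts and ends outside the hunk.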
@@ -2450,7 +2531,7 @@
 #ifdef ISC_PLATFORM_USESIT
 		if (lookup->sit) {
 			INSIST(i < DNS_EDNSOPTIONS);
-			opts[i].code = DNS_OPT_SIT;
+			opts[i].code = DNS_OPT_COOKIE;
 			if (lookup->sitvalue != NULL) {
 				isc_buffer_init(&b, sitbuf, sizeof(sitbuf));
 				result = isc_hex_decodestring(lookup->sitvalue,
@@ -2475,8 +2556,18 @@
 			i++;
 		}
 
+		if (lookup->ednsoptscnt != 0) {
+			memmove(&opts[i], lookup->ednsopts,
+				sizeof(dns_ednsopt_t) * lookup->ednsoptscnt);
+			i += lookup->ednsoptscnt;
+		}
+
+		flags = lookup->ednsflags;
+		flags &= ~DNS_MESSAGEEXTFLAG_DO;
+		if (lookup->dnssec)
+			flags |= DNS_MESSAGEEXTFLAG_DO;
 		add_opt(lookup->sendmsg, lookup->udpsize,
-			lookup->edns, lookup->dnssec, opts, i);
+			lookup->edns, flags, opts, i);
 	}
 
 	result = dns_message_rendersection(lookup->sendmsg,
@@ -3316,6 +3407,7 @@
 	isc_buffer_t hexbuf;
 	size_t len;
 	const unsigned char *sit;
+	isc_boolean_t copysit;
 	isc_result_t result;
 
 	if (l->sitvalue != NULL) {
@@ -3324,22 +3416,39 @@
 		check_result(result, "isc_hex_decodestring");
 		sit = isc_buffer_base(&hexbuf);
 		len = isc_buffer_usedlength(&hexbuf);
+		copysit = ISC_FALSE;
 	} else {
 		sit = cookie;
 		len = sizeof(cookie);
+		copysit = ISC_TRUE;
 	}
 
 	INSIST(msg->sitok == 0 && msg->sitbad == 0);
 	if (optlen >= len && optlen >= 8U) {
-		if (memcmp(isc_buffer_current(optbuf), sit, 8) == 0) {
+		if (isc_safe_memequal(isc_buffer_current(optbuf), sit, 8)) {
 			msg->sitok = 1;
 		} else {
 			printf(";; Warning: SIT client cookie mismatch\n");
 			msg->sitbad = 1;
+			copysit = ISC_FALSE;
 		}
 	} else {
 		printf(";; Warning: SIT bad token (too short)\n");
 		msg->sitbad = 1;
+		copysit = ISC_FALSE;
+	}
+	if (copysit) {
+		isc_region_t r;
+
+		r.base = isc_buffer_current(optbuf);
+		r.length = (unsigned int)optlen;
+		isc_buffer_init(&hexbuf, sitvalue, sizeof(sitvalue));
+		result = isc_hex_totext(&r, 2, "", &hexbuf);
+		check_result(result, "isc_hex_totext");
+		if (isc_buffer_availablelength(&hexbuf) > 0) {
+			isc_buffer_putuint8(&hexbuf, 0);
+			l->sitvalue = sitvalue;
+		}
 	}
 	isc_buffer_forward(optbuf, (unsigned int)optlen);
 }
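Review bot: The new copysit path hex-encodes the whole option from the response (`r.length = (unsigned int)optlen`) into the 256-byte static `sitvalue`, but the checks above it are only lower bounds (`optlen >= len && optlen >= 8U`). An option longer than 128 bytes needs more than 256 hex characters, so isc_hex_totext() would be expected to fail, and `check_result`, judging by its use elsewhere in this file, then terminates dig on a length chosen by the remote server. Bound the copy instead, `if (copysit && optlen <= (sizeof(sitvalue) - 1) / 2) {`, and report a longer option with a warning as the other bad-cookie cases do. The start of process_sit() is outside the hunk.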
@@ -3362,7 +3471,7 @@
 			optcode = isc_buffer_getuint16(&optbuf);
 			optlen = isc_buffer_getuint16(&optbuf);
 			switch (optcode) {
-			case DNS_OPT_SIT:
+			case DNS_OPT_COOKIE:
 				process_sit(l, msg, &optbuf, optlen);
 				break;
 			default:
@@ -3374,6 +3483,10 @@
 }
 #endif
 
+static int
+ednsvers(dns_rdataset_t *opt) {
+	return ((opt->ttl >> 16) & 0xff);
+}
 
 /*%
  * Event handler for recv complete.  Perform whatever actions are necessary,
@@ -3403,6 +3516,7 @@
 	isc_region_t r;
 	isc_buffer_t *buf = NULL;
 #endif
+	int newedns;
 
 	UNUSED(task);
 	INSIST(!free_now);
@@ -3634,8 +3748,31 @@
 				goto udp_mismatch;
 		}
 	}
+	if (msg->rcode == dns_rcode_badvers && msg->opt != NULL &&
+	    (newedns = ednsvers(msg->opt)) < l->edns && l->ednsneg) {
+		/*
+		 * Add minimum EDNS version required checks here if needed.
+		 */
+		if (l->comments)
+			printf(";; BADVERS, retrying with EDNS version %u.\n",
+			       newedns);
+		l->edns = newedns;
+		n = requeue_lookup(l, ISC_TRUE);
+		n->origin = query->lookup->origin;
+		dns_message_destroy(&msg);
+		isc_event_free(&event);
+		clear_query(query);
+		cancel_lookup(l);
+		check_next_lookup(l);
+		UNLOCK_LOOKUP;
+		return;
+	}
 	if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0 &&
 	    !l->ignore && !l->tcp_mode) {
+#ifdef ISC_PLATFORM_USESIT
+		if (l->sitvalue == NULL && l->sit && msg->opt != NULL)
+			process_opt(l, msg);
+#endif
 		if (l->comments)
 			printf(";; Truncated, retrying in TCP mode.\n");
 		n = requeue_lookup(l, ISC_TRUE);
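Review bot: `newedns` is declared `int` and ednsvers() returns `int`, but the new BADVERS message prints it with `%u`; make the specifier and type agree, e.g. `printf(";; BADVERS, retrying with EDNS version %d.\n", newedns);`. The retry version is taken from the server's OPT record and only has to be lower than `l->edns` (with `l->ednsneg` set), so the response alone decides how far the version drops. The comment about minimum-version checks marks where a floor would go, and it is currently empty. The function starts and ends outside the hunk.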
@@ -3924,10 +4061,14 @@
 get_address(char *host, in_port_t myport, isc_sockaddr_t *sockaddr) {
 	int count;
 	isc_result_t result;
-
-	isc_app_block();
+	isc_boolean_t is_running;
+
+	is_running = isc_app_isrunning();
+	if (is_running)
+		isc_app_block();
 	result = bind9_getaddresses(host, myport, sockaddr, 1, &count);
-	isc_app_unblock();
+	if (is_running)
+		isc_app_unblock();
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
@@ -4164,22 +4305,28 @@
 		isc_mem_free(mctx, ptr);
 	}
 	if (dns_name_dynamic(&chase_name))
-		free_name(&chase_name, mctx);
+		free_name(&chase_name);
 #if DIG_SIGCHASE_TD
 	if (dns_name_dynamic(&chase_current_name))
-		free_name(&chase_current_name, mctx);
+		free_name(&chase_current_name);
 	if (dns_name_dynamic(&chase_authority_name))
-		free_name(&chase_authority_name, mctx);
+		free_name(&chase_authority_name);
 #endif
 #if DIG_SIGCHASE_BU
 	if (dns_name_dynamic(&chase_signame))
-		free_name(&chase_signame, mctx);
+		free_name(&chase_signame);
 #endif
 
 #endif
 	debug("Removing log context");
 	isc_log_destroy(&lctx);
 
+	while (ednsoptscnt > 0U) {
+		ednsoptscnt--;
+		if (ednsopts[ednsoptscnt].value != NULL)
+			isc_mem_free(mctx, ednsopts[ednsoptscnt].value);
+	}
+
 	debug("Destroy memory");
 	if (memdebugging != 0)
 		isc_mem_stats(mctx, stderr);
@@ -4323,7 +4470,7 @@
 		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
 			dns_name_print(msg_name, stdout);
 			printf("\n");
-			print_rdataset(msg_name, rdataset, mctx);
+			print_rdataset(msg_name, rdataset);
 			printf("end\n");
 		}
 		msg_name = NULL;
@@ -4503,7 +4650,7 @@
 insert_trustedkey(void *arg, dns_name_t *name, dns_rdataset_t *rdataset)
 {
 	isc_result_t result;
-	dst_key_t *key;
+	dst_key_t *dstkey;
 
 	UNUSED(arg);
 
@@ -4521,11 +4668,11 @@
 		isc_buffer_add(&b, rdata.length);
 		if (tk_list.nb_tk >= MAX_TRUSTED_KEY)
 			return (ISC_R_SUCCESS);
-		key = NULL;
-		result = dst_key_fromdns(name, rdata.rdclass, &b, mctx, &key);
+		dstkey = NULL;
+		result = dst_key_fromdns(name, rdata.rdclass, &b, mctx, &dstkey);
 		if (result != ISC_R_SUCCESS)
 			continue;
-		tk_list.key[tk_list.nb_tk++] = key;
+		tk_list.key[tk_list.nb_tk++] = dstkey;
 	}
 	return (ISC_R_SUCCESS);
 }
@@ -4550,7 +4697,7 @@
 	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
 
 isc_result_t
-removetmpkey(isc_mem_t *mctx, const char *file)
+removetmpkey(const char *file)
 {
 	char *tempnamekey = NULL;
 	int tempnamekeylen;
@@ -4574,8 +4721,7 @@
 }
 
 isc_result_t
-get_trusted_key(isc_mem_t *mctx)
-{
+get_trusted_key(void) {
 	isc_result_t result;
 	const char *filename = NULL;
 	dns_rdatacallbacks_t callbacks;
@@ -4626,7 +4772,7 @@
 	check_result(result, "nameFromString");
 
 	if (dns_name_dynamic(p_ret))
-		free_name(p_ret, mctx);
+		free_name(p_ret);
 
 	result = dns_name_dup(dns_fixedname_name(&fixedname), mctx, p_ret);
 	check_result(result, "nameFromString");
@@ -4675,7 +4821,6 @@
 #define __FOLLOW_GLUE__
 #ifdef __FOLLOW_GLUE__
 		isc_buffer_t *b = NULL;
-		isc_result_t result;
 		isc_region_t r;
 		dns_rdataset_t *rdataset = NULL;
 		isc_boolean_t true = ISC_TRUE;
@@ -4770,7 +4915,7 @@
 	printf(" for zone: %s", lookup->textname);
 	printf(" with nameservers:");
 	printf("\n");
-	print_rdataset(name, chase_nsrdataset, mctx);
+	print_rdataset(name, chase_nsrdataset);
 	return (ISC_R_SUCCESS);
 }
 
@@ -4853,14 +4998,14 @@
 	INSIST(chase_nsrdataset != NULL);
 	prepare_lookup(name);
 
-	dup_name(name, &chase_current_name, mctx);
+	dup_name(name, &chase_current_name);
 
 	return (ISC_R_SUCCESS);
 }
 #endif
 
 void
-print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset, isc_mem_t *mctx)
+print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset)
 {
 	isc_buffer_t *b = NULL;
 	isc_result_t result;
@@ -4882,17 +5027,17 @@
 
 
 void
-dup_name(dns_name_t *source, dns_name_t *target, isc_mem_t *mctx) {
+dup_name(dns_name_t *source, dns_name_t *target) {
 	isc_result_t result;
 
 	if (dns_name_dynamic(target))
-		free_name(target, mctx);
+		free_name(target);
 	result = dns_name_dup(source, mctx, target);
 	check_result(result, "dns_name_dup");
 }
 
 void
-free_name(dns_name_t *name, isc_mem_t *mctx) {
+free_name(dns_name_t *name) {
 	dns_name_free(name, mctx);
 	dns_name_init(name, NULL);
 }
@@ -4909,8 +5054,7 @@
  */
 isc_result_t
 contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
-		     dns_rdataset_t *sigrdataset,
-		     isc_mem_t *mctx)
+		     dns_rdataset_t *sigrdataset)
 {
 	dns_rdataset_t myrdataset;
 	dst_key_t *dnsseckey = NULL;
@@ -4946,8 +5090,7 @@
 				       dst_key_id(dnsseckey));
 				result = sigchase_verify_sig_key(name, rdataset,
 								 dnsseckey,
-								 sigrdataset,
-								 mctx);
+								 sigrdataset);
 				if (result == ISC_R_SUCCESS)
 					goto cleanup;
 			}
@@ -4955,19 +5098,20 @@
 		dst_key_free(&dnsseckey);
 	} while (dns_rdataset_next(&myrdataset) == ISC_R_SUCCESS);
 
+	result = ISC_R_NOTFOUND;
+
 cleanup:
 	if (dnsseckey != NULL)
 		dst_key_free(&dnsseckey);
 	dns_rdataset_disassociate(&myrdataset);
 
-	return (ISC_R_NOTFOUND);
+	return (result);
 }
 
 isc_result_t
 sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset,
 		    dns_rdataset_t *keyrdataset,
-		    dns_rdataset_t *sigrdataset,
-		    isc_mem_t *mctx)
+		    dns_rdataset_t *sigrdataset)
 {
 	dns_rdataset_t mykeyrdataset;
 	dst_key_t *dnsseckey = NULL;
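Review bot: With `return (result)` contains_trusted_key() can now report success, where it previously returned ISC_R_NOTFOUND unconditionally, so callers' `result == ISC_R_SUCCESS` branches (for example the "DNSKEY is a Trusted Key" message in the @@ -5808 hunk) become reachable. The one `goto cleanup` visible in this diff is taken only on ISC_R_SUCCESS, but the rest of the loop body is outside the hunk, so confirm that no other path reaches `cleanup:` with a stale value in `result`. A return-value line in the function's header comment would make the contract explicit, along the lines of `ISC_R_SUCCESS if a trusted key verifies the RRset, ISC_R_NOTFOUND otherwise`, assuming that is the intended meaning.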
@@ -4990,7 +5134,7 @@
 		check_result(result, "dns_dnssec_keyfromrdata");
 
 		result = sigchase_verify_sig_key(name, rdataset, dnsseckey,
-						 sigrdataset, mctx);
+						 sigrdataset);
 		if (result == ISC_R_SUCCESS)
 			goto cleanup;
 		dst_key_free(&dnsseckey);
@@ -5008,8 +5152,7 @@
 
 isc_result_t
 sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
-			dst_key_t *dnsseckey, dns_rdataset_t *sigrdataset,
-			isc_mem_t *mctx)
+			dst_key_t *dnsseckey, dns_rdataset_t *sigrdataset)
 {
 	dns_rdata_sig_t siginfo;
 	dns_rdataset_t myrdataset;
@@ -5068,7 +5211,7 @@
 
 isc_result_t
 sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
-		   dns_rdataset_t *dsrdataset, isc_mem_t *mctx)
+		   dns_rdataset_t *dsrdataset)
 {
 	dns_rdata_ds_t dsinfo;
 	dns_rdataset_t mydsrdataset;
@@ -5135,8 +5278,7 @@
 					result = sigchase_verify_sig_key(name,
 							 keyrdataset,
 							 dnsseckey,
-							 chase_sigkeyrdataset,
-							 mctx);
+							 chase_sigkeyrdataset);
 					if (result ==  ISC_R_SUCCESS)
 						goto cleanup;
 				} else {
@@ -5242,7 +5384,7 @@
 							 dns_rdatatype_ns,
 							 dns_rdatatype_any,
 							 DNS_SECTION_AUTHORITY);
-			dup_name(name, &chase_authority_name, mctx);
+			dup_name(name, &chase_authority_name);
 			if (chase_nsrdataset != NULL) {
 				have_delegation_ns = ISC_TRUE;
 				printf("no response but there is a delegation"
@@ -5260,7 +5402,7 @@
 		} else {
 			printf(";; NO ANSWERS: %s\n",
 			       isc_result_totext(result));
-			free_name(&chase_name, mctx);
+			free_name(&chase_name);
 			clean_trustedkey();
 			return;
 		}
@@ -5292,7 +5434,7 @@
 		return;
 	INSIST(chase_keyrdataset != NULL);
 	printf("\n;; DNSKEYset:\n");
-	print_rdataset(&chase_current_name , chase_keyrdataset, mctx);
+	print_rdataset(&chase_current_name , chase_keyrdataset);
 
 
 	result = advanced_rrsearch(&chase_sigkeyrdataset,
@@ -5309,22 +5451,20 @@
 		return;
 	INSIST(chase_sigkeyrdataset != NULL);
 	printf("\n;; RRSIG of the DNSKEYset:\n");
-	print_rdataset(&chase_current_name , chase_sigkeyrdataset, mctx);
+	print_rdataset(&chase_current_name , chase_sigkeyrdataset);
 
 
 	if (!chase_dslookedup && !chase_nslookedup) {
 		if (!delegation_follow) {
 			result = contains_trusted_key(&chase_current_name,
 						      chase_keyrdataset,
-						      chase_sigkeyrdataset,
-						      mctx);
+						      chase_sigkeyrdataset);
 		} else {
 			INSIST(chase_dsrdataset != NULL);
 			INSIST(chase_sigdsrdataset != NULL);
 			result = sigchase_verify_ds(&chase_current_name,
 						    chase_keyrdataset,
-						    chase_dsrdataset,
-						    mctx);
+						    chase_dsrdataset);
 		}
 
 		if (result != ISC_R_SUCCESS) {
@@ -5383,8 +5523,8 @@
 			result = child_of_zone(&chase_name, &chase_current_name,
 					       &tmp_name);
 			if (dns_name_dynamic(&chase_authority_name))
-				free_name(&chase_authority_name, mctx);
-			dup_name(&tmp_name, &chase_authority_name, mctx);
+				free_name(&chase_authority_name);
+			dup_name(&tmp_name, &chase_authority_name);
 			printf(";; and we try to continue chain of trust"
 			       " validation of the zone: ");
 			dns_name_print(&chase_authority_name, stdout);
@@ -5429,7 +5569,7 @@
 			return;
 		INSIST(chase_dsrdataset != NULL);
 		printf("\n;; DSset:\n");
-		print_rdataset(&chase_authority_name , chase_dsrdataset, mctx);
+		print_rdataset(&chase_authority_name , chase_dsrdataset);
 
 		result = advanced_rrsearch(&chase_sigdsrdataset,
 					   &chase_authority_name,
@@ -5442,14 +5582,13 @@
 			goto cleanandgo;
 		}
 		printf("\n;; RRSIGset of DSset\n");
-		print_rdataset(&chase_authority_name,
-			       chase_sigdsrdataset, mctx);
+		print_rdataset(&chase_authority_name, chase_sigdsrdataset);
 		INSIST(chase_sigdsrdataset != NULL);
 
 		result = sigchase_verify_sig(&chase_authority_name,
 					     chase_dsrdataset,
 					     chase_keyrdataset,
-					     chase_sigdsrdataset, mctx);
+					     chase_sigdsrdataset);
 		if (result != ISC_R_SUCCESS) {
 			printf("\n;; Impossible to verify the DSset:"
 			       " FAILED\n\n");
@@ -5465,8 +5604,8 @@
 		have_delegation_ns = ISC_FALSE;
 		delegation_follow = ISC_TRUE;
 		error_message = NULL;
-		dup_name(&chase_authority_name, &chase_current_name, mctx);
-		free_name(&chase_authority_name, mctx);
+		dup_name(&chase_authority_name, &chase_current_name);
+		free_name(&chase_authority_name);
 		return;
 	}
 
@@ -5491,14 +5630,14 @@
 		}
 		ret = sigchase_verify_sig(&rdata_name, rdataset,
 					  chase_keyrdataset,
-					  sigrdataset, mctx);
+					  sigrdataset);
 		if (ret != ISC_R_SUCCESS) {
-			free_name(&rdata_name, mctx);
+			free_name(&rdata_name);
 			printf("\n;; Impossible to verify the NSEC RR to prove"
 			       " the non-existence : FAILED\n\n");
 			goto cleanandgo;
 		}
-		free_name(&rdata_name, mctx);
+		free_name(&rdata_name);
 		if (result != ISC_R_SUCCESS) {
 			printf("\n;; Impossible to verify the non-existence:"
 			       " FAILED\n\n");
@@ -5513,9 +5652,9 @@
  cleanandgo:
 	printf(";; cleanandgo \n");
 	if (dns_name_dynamic(&chase_current_name))
-		free_name(&chase_current_name, mctx);
+		free_name(&chase_current_name);
 	if (dns_name_dynamic(&chase_authority_name))
-		free_name(&chase_authority_name, mctx);
+		free_name(&chase_authority_name);
 	clean_trustedkey();
 	return;
 
@@ -5531,22 +5670,22 @@
 	}
 	result = sigchase_verify_sig(&chase_name, chase_rdataset,
 				     chase_keyrdataset,
-				     chase_sigrdataset, mctx);
+				     chase_sigrdataset);
 	if (result != ISC_R_SUCCESS) {
 		printf("\n;; Impossible to verify the RRset : FAILED\n\n");
 		/*
 		  printf("RRset:\n");
-		  print_rdataset(&chase_name , chase_rdataset, mctx);
+		  print_rdataset(&chase_name , chase_rdataset);
 		  printf("DNSKEYset:\n");
-		  print_rdataset(&chase_name , chase_keyrdataset, mctx);
+		  print_rdataset(&chase_name , chase_keyrdataset);
 		  printf("RRSIG of RRset:\n");
-		  print_rdataset(&chase_name , chase_sigrdataset, mctx);
+		  print_rdataset(&chase_name , chase_sigrdataset);
 		  printf("\n");
 		*/
 		goto cleanandgo;
 	} else {
 		printf("\n;; The Answer:\n");
-		print_rdataset(&chase_name , chase_rdataset, mctx);
+		print_rdataset(&chase_name , chase_rdataset);
 
 		printf("\n;; FINISH : we have validate the DNSSEC chain"
 		       " of trust: SUCCESS\n\n");
@@ -5587,9 +5726,9 @@
 			printf("\n;; No Answers: Validation FAILED\n\n");
 			return (ISC_R_NOTFOUND);
 		}
-		dup_name(name, &chase_name, mctx);
+		dup_name(name, &chase_name);
 		printf(";; RRset to chase:\n");
-		print_rdataset(&chase_name, chase_rdataset, mctx);
+		print_rdataset(&chase_name, chase_rdataset);
 	}
 	INSIST(chase_rdataset != NULL);
 
@@ -5603,14 +5742,14 @@
 			printf("\n;; RRSIG is missing for continue validation:"
 			       " FAILED\n\n");
 			if (dns_name_dynamic(&chase_name))
-				free_name(&chase_name, mctx);
+				free_name(&chase_name);
 			return (ISC_R_NOTFOUND);
 		}
 		if (result == ISC_R_NOTFOUND) {
 			return (ISC_R_NOTFOUND);
 		}
 		printf("\n;; RRSIG of the RRset to chase:\n");
-		print_rdataset(&chase_name, chase_sigrdataset, mctx);
+		print_rdataset(&chase_name, chase_sigrdataset);
 	}
 	INSIST(chase_sigrdataset != NULL);
 
@@ -5621,7 +5760,7 @@
 	dns_rdataset_current(chase_sigrdataset, &sigrdata);
 	result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
 	check_result(result, "sigrdata tostruct siginfo");
-	dup_name(&siginfo.signer, &chase_signame, mctx);
+	dup_name(&siginfo.signer, &chase_signame);
 	dns_rdata_freestruct(&siginfo);
 	dns_rdata_reset(&sigrdata);
 
@@ -5635,17 +5774,17 @@
 		if (result == ISC_R_FAILURE) {
 			printf("\n;; DNSKEY is missing to continue validation:"
 			       " FAILED\n\n");
-			free_name(&chase_signame, mctx);
+			free_name(&chase_signame);
 			if (dns_name_dynamic(&chase_name))
-				free_name(&chase_name, mctx);
+				free_name(&chase_name);
 			return (ISC_R_NOTFOUND);
 		}
 		if (result == ISC_R_NOTFOUND) {
-			free_name(&chase_signame, mctx);
+			free_name(&chase_signame);
 			return (ISC_R_NOTFOUND);
 		}
 		printf("\n;; DNSKEYset that signs the RRset to chase:\n");
-		print_rdataset(&chase_signame, chase_keyrdataset, mctx);
+		print_rdataset(&chase_signame, chase_keyrdataset);
 	}
 	INSIST(chase_keyrdataset != NULL);
 
@@ -5658,18 +5797,18 @@
 		if (result == ISC_R_FAILURE) {
 			printf("\n;; RRSIG for DNSKEY is missing  to continue"
 			       " validation : FAILED\n\n");
-			free_name(&chase_signame, mctx);
+			free_name(&chase_signame);
 			if (dns_name_dynamic(&chase_name))
-				free_name(&chase_name, mctx);
+				free_name(&chase_name);
 			return (ISC_R_NOTFOUND);
 		}
 		if (result == ISC_R_NOTFOUND) {
-			free_name(&chase_signame, mctx);
+			free_name(&chase_signame);
 			return (ISC_R_NOTFOUND);
 		}
 		printf("\n;; RRSIG of the DNSKEYset that signs the "
 		       "RRset to chase:\n");
-		print_rdataset(&chase_signame, chase_sigkeyrdataset, mctx);
+		print_rdataset(&chase_signame, chase_sigkeyrdataset);
 	}
 	INSIST(chase_sigkeyrdataset != NULL);
 
@@ -5684,12 +5823,12 @@
 			printf("\n");
 		}
 		if (result == ISC_R_NOTFOUND) {
-			free_name(&chase_signame, mctx);
+			free_name(&chase_signame);
 			return (ISC_R_NOTFOUND);
 		}
 		if (chase_dsrdataset != NULL) {
 			printf("\n;; DSset of the DNSKEYset\n");
-			print_rdataset(&chase_signame, chase_dsrdataset, mctx);
+			print_rdataset(&chase_signame, chase_dsrdataset);
 		}
 	}
 
@@ -5712,8 +5851,7 @@
 			chase_dsrdataset = NULL;
 		} else {
 			printf("\n;; RRSIG of the DSset of the DNSKEYset\n");
-			print_rdataset(&chase_signame, chase_sigdsrdataset,
-				       mctx);
+			print_rdataset(&chase_signame, chase_sigdsrdataset);
 		}
 	}
 	return (1);
@@ -5728,7 +5866,7 @@
 	int ret;
 
 	if (tk_list.nb_tk == 0) {
-		result = get_trusted_key(mctx);
+		result = get_trusted_key();
 		if (result != ISC_R_SUCCESS) {
 			printf("No trusted keys present\n");
 			return;
@@ -5755,7 +5893,7 @@
 		result = prove_nx(msg, &query_name, current_lookup->rdclass,
 				  current_lookup->rdtype, &rdata_name,
 				  &rdataset, &sigrdataset);
-		free_name(&query_name, mctx);
+		free_name(&query_name);
 		if (rdataset == NULL || sigrdataset == NULL ||
 		    dns_name_countlabels(&rdata_name) == 0) {
 			printf("\n;; Impossible to verify the Non-existence,"
@@ -5774,8 +5912,8 @@
 		printf(";; An NSEC prove the non-existence of a answers,"
 		       " Now we want validate this NSEC\n");
 
-		dup_name(&rdata_name, &chase_name, mctx);
-		free_name(&rdata_name, mctx);
+		dup_name(&rdata_name, &chase_name);
+		free_name(&rdata_name);
 		chase_rdataset =  rdataset;
 		chase_sigrdataset = sigrdataset;
 		chase_keyrdataset = NULL;
@@ -5796,10 +5934,10 @@
 
 	result = sigchase_verify_sig(&chase_name, chase_rdataset,
 				     chase_keyrdataset,
-				     chase_sigrdataset, mctx);
+				     chase_sigrdataset);
 	if (result != ISC_R_SUCCESS) {
-		free_name(&chase_name, mctx);
-		free_name(&chase_signame, mctx);
+		free_name(&chase_name);
+		free_name(&chase_signame);
 		printf(";; No DNSKEY is valid to check the RRSIG"
 		       " of the RRset: FAILED\n");
 		clean_trustedkey();
@@ -5808,10 +5946,10 @@
 	printf(";; OK We found DNSKEY (or more) to validate the RRset\n");
 
 	result = contains_trusted_key(&chase_signame, chase_keyrdataset,
-				      chase_sigkeyrdataset, mctx);
+				      chase_sigkeyrdataset);
 	if (result ==  ISC_R_SUCCESS) {
-		free_name(&chase_name, mctx);
-		free_name(&chase_signame, mctx);
+		free_name(&chase_name);
+		free_name(&chase_signame);
 		printf("\n;; Ok this DNSKEY is a Trusted Key,"
 		       " DNSSEC validation is ok: SUCCESS\n\n");
 		clean_trustedkey();
@@ -5821,8 +5959,8 @@
 	printf(";; Now, we are going to validate this DNSKEY by the DS\n");
 
 	if (chase_dsrdataset == NULL) {
-		free_name(&chase_name, mctx);
-		free_name(&chase_signame, mctx);
+		free_name(&chase_name);
+		free_name(&chase_signame);
 		printf(";; the DNSKEY isn't trusted-key and there isn't"
 		       " DS to validate the DNSKEY: FAILED\n");
 		clean_trustedkey();
@@ -5830,10 +5968,10 @@
 	}
 
 	result =  sigchase_verify_ds(&chase_signame, chase_keyrdataset,
-				     chase_dsrdataset, mctx);
+				     chase_dsrdataset);
 	if (result !=  ISC_R_SUCCESS) {
-		free_name(&chase_signame, mctx);
-		free_name(&chase_name, mctx);
+		free_name(&chase_signame);
+		free_name(&chase_name);
 		printf(";; ERROR no DS validates a DNSKEY in the"
 		       " DNSKEY RRset: FAILED\n");
 		clean_trustedkey();
@@ -5844,8 +5982,8 @@
 		       " the RRset\n");
 	INSIST(chase_sigdsrdataset != NULL);
 
-	dup_name(&chase_signame, &chase_name, mctx);
-	free_name(&chase_signame, mctx);
+	dup_name(&chase_signame, &chase_name);
+	free_name(&chase_signame);
 	chase_rdataset = chase_dsrdataset;
 	chase_sigrdataset = chase_sigdsrdataset;
 	chase_keyrdataset = NULL;
@@ -5958,7 +6096,7 @@
 
 		printf("There is a NSEC for this zone in the"
 		       " AUTHORITY section:\n");
-		print_rdataset(nsecname, nsecset, mctx);
+		print_rdataset(nsecname, nsecset);
 
 		for (result = dns_rdataset_first(nsecset);
 		     result == ISC_R_SUCCESS;
@@ -5987,7 +6125,7 @@
 				dns_rdata_freestruct(&nsecstruct);
 				*rdataset = nsecset;
 				*sigrdataset = signsecset;
-				dup_name(nsecname, rdata_name, mctx);
+				dup_name(nsecname, rdata_name);
 
 				return (ISC_R_SUCCESS);
 			}
@@ -6040,7 +6178,7 @@
 		printf("There isn't RRSIG NSEC for the zone \n");
 		return (ISC_R_FAILURE);
 	}
-	dup_name(name, rdata_name, mctx);
+	dup_name(name, rdata_name);
 	*rdataset = nsecset;
 	*sigrdataset = signsecset;
 
--- a/external/bsd/bind/dist/bin/dig/include/dig/dig.h	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dig/include/dig/dig.h	Thu Dec 17 04:00:21 2015 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dig.h,v 1.11 2015/07/08 17:28:55 christos Exp $	*/
+/*	$NetBSD: dig.h,v 1.12 2015/12/17 04:00:41 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2009, 2011-2015  Internet Systems Consortium, Inc. ("ISC")
@@ -135,7 +135,8 @@
 #ifdef ISC_PLATFORM_USESIT
 		sit,
 #endif
-		nsid;   /*% Name Server ID (RFC 5001) */
+		nsid,   /*% Name Server ID (RFC 5001) */
+		ednsneg;
 #ifdef DIG_SIGCHASE
 isc_boolean_t	sigchase;
 #if DIG_SIGCHASE_TD
@@ -193,6 +194,10 @@
 #ifdef ISC_PLATFORM_USESIT
 	char *sitvalue;
 #endif
+	dns_ednsopt_t *ednsopts;
+	unsigned int ednsoptscnt;
+	unsigned int ednsflags;
+	dns_opcode_t opcode;
 };
 
 /*% The dig_query structure */
@@ -347,6 +352,10 @@
 	   const char *desc);
 
 isc_result_t
+parse_xint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
+	   const char *desc);
+
+isc_result_t
 parse_netprefix(isc_sockaddr_t **sap, const char *value);
 
 void
@@ -428,6 +437,8 @@
 chase_sig(dns_message_t *msg);
 #endif
 
+void save_opt(dig_lookup_t *lookup, char *code, char *value);
+
 ISC_LANG_ENDDECLS
 
 #endif
--- a/external/bsd/bind/dist/bin/dig/nslookup.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dig/nslookup.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: nslookup.c,v 1.11 2015/07/08 17:28:54 christos Exp $	*/
+/*	$NetBSD: nslookup.c,v 1.12 2015/12/17 04:00:40 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
@@ -587,7 +587,7 @@
 
 static void
 setoption(char *opt) {
-	if (strncasecmp(opt, "all", 4) == 0) {
+	if (strncasecmp(opt, "all", 3) == 0) {
 		show_settings(ISC_TRUE, ISC_FALSE);
 	} else if (strncasecmp(opt, "class=", 6) == 0) {
 		if (testclass(&opt[6]))
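Review bot: With the length reduced to 3, `strncasecmp(opt, "all", 3)` now matches any option string that merely begins with "all", so an input such as `allx` (constructed example) reaches show_settings() instead of falling through to the later branches. The old length of 4 included the terminating NUL and therefore required an exact match. If an exact match is still intended, `if (strcasecmp(opt, "all") == 0) {` says so directly; if prefix matching is intended, a one-line comment should state it. setoption() continues outside the hunk.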
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.8	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.8	Thu Dec 17 04:00:21 2015 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: dnssec-dsfromkey.8,v 1.7 2014/12/10 04:37:51 christos Exp $
+.\"	$NetBSD: dnssec-dsfromkey.8,v 1.8 2015/12/17 04:00:41 christos Exp $
 .\"
-.\" Copyright (C) 2008-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -34,7 +34,7 @@
 dnssec\-dsfromkey \- DNSSEC DS RR generation tool
 .SH "SYNOPSIS"
 .HP 17
-\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] {keyfile}
+\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] {keyfile}
 .HP 17
 \fBdnssec\-dsfromkey\fR {\-s} [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-s\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-A\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {dnsname}
 .HP 17
@@ -62,6 +62,11 @@
 must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST or SHA\-384 (SHA384). These values are case insensitive.
 .RE
 .PP
+\-C
+.RS 4
+Generate CDS records rather than DS records. This is mutually exclusive with generating lookaside records.
+.RE
+.PP
 \-T \fITTL\fR
 .RS 4
 Specifies the TTL of the DS records.
@@ -100,7 +105,7 @@
 .RS 4
 Generate a DLV set instead of a DS set. The specified
 \fBdomain\fR
-is appended to the name for each record in the set. The DNSSEC Lookaside Validation (DLV) RR is described in RFC 4431.
+is appended to the name for each record in the set. The DNSSEC Lookaside Validation (DLV) RR is described in RFC 4431. This is mutually exclusive with generating CDS records.
 .RE
 .PP
 \-s
@@ -167,5 +172,5 @@
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2008\-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008\-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 .br
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dnssec-dsfromkey.c,v 1.11 2015/07/08 17:28:55 christos Exp $	*/
+/*	$NetBSD: dnssec-dsfromkey.c,v 1.12 2015/12/17 04:00:41 christos Exp $	*/
 
 /*
  * Copyright (C) 2008-2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
@@ -244,7 +244,7 @@
 
 static void
 emit(unsigned int dtype, isc_boolean_t showall, char *lookaside,
-     dns_rdata_t *rdata)
+     isc_boolean_t cds, dns_rdata_t *rdata)
 {
 	isc_result_t result;
 	unsigned char buf[DNS_DS_BUFFERSIZE];
@@ -308,9 +308,12 @@
 	isc_buffer_usedregion(&classb, &r);
 	printf("%.*s", (int)r.length, r.base);
 
-	if (lookaside == NULL)
-		printf(" DS ");
-	else
+	if (lookaside == NULL) {
+		if (cds)
+			printf(" CDS ");
+		else
+			printf(" DS ");
+	} else
 		printf(" DLV ");
 
 	isc_buffer_usedregion(&textb, &r);
@@ -338,6 +341,7 @@
 			"(SHA-1, SHA-256, GOST or SHA-384)\n");
 	fprintf(stderr, "    -1: use SHA-1\n");
 	fprintf(stderr, "    -2: use SHA-256\n");
+	fprintf(stderr, "    -C: print CDS record\n");
 	fprintf(stderr, "    -l: add lookaside zone and print DLV records\n");
 	fprintf(stderr, "    -s: read keyset from keyset-<dnsname> file\n");
 	fprintf(stderr, "    -c class: rdata class for DS set (default: IN)\n");
@@ -358,6 +362,7 @@
 	char		*endp;
 	int		ch;
 	unsigned int	dtype = DNS_DSDIGEST_SHA1;
+	isc_boolean_t	cds = ISC_FALSE;
 	isc_boolean_t	both = ISC_TRUE;
 	isc_boolean_t	usekeyset = ISC_FALSE;
 	isc_boolean_t	showall = ISC_FALSE;
@@ -383,8 +388,8 @@
 
 	isc_commandline_errprint = ISC_FALSE;
 
-	while ((ch = isc_commandline_parse(argc, argv,
-					   "12Aa:c:d:Ff:K:l:sT:v:hV")) != -1) {
+#define OPTIONS "12Aa:Cc:d:Ff:K:l:sT:v:hV"
+	while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
 		switch (ch) {
 		case '1':
 			dtype = DNS_DSDIGEST_SHA1;
@@ -401,6 +406,12 @@
 			algname = isc_commandline_argument;
 			both = ISC_FALSE;
 			break;
+		case 'C':
+			if (lookaside != NULL)
+				fatal("lookaside and CDS are mutually"
+				      " exclusive");
+			cds = ISC_TRUE;
+			break;
 		case 'c':
 			classname = isc_commandline_argument;
 			break;
@@ -417,6 +428,9 @@
 			filename = isc_commandline_argument;
 			break;
 		case 'l':
+			if (cds)
+				fatal("lookaside and CDS are mutually"
+				      " exclusive");
 			lookaside = isc_commandline_argument;
 			if (strlen(lookaside) == 0U)
 				fatal("lookaside must be a non-empty string");
@@ -535,11 +549,11 @@
 
 			if (both) {
 				emit(DNS_DSDIGEST_SHA1, showall, lookaside,
-				     &rdata);
+				     cds, &rdata);
 				emit(DNS_DSDIGEST_SHA256, showall, lookaside,
-				     &rdata);
+				     cds, &rdata);
 			} else
-				emit(dtype, showall, lookaside, &rdata);
+				emit(dtype, showall, lookaside, cds, &rdata);
 		}
 	} else {
 		unsigned char key_buf[DST_KEY_MAXSIZE];
@@ -548,10 +562,12 @@
 			DST_KEY_MAXSIZE, &rdata);
 
 		if (both) {
-			emit(DNS_DSDIGEST_SHA1, showall, lookaside, &rdata);
-			emit(DNS_DSDIGEST_SHA256, showall, lookaside, &rdata);
+			emit(DNS_DSDIGEST_SHA1, showall, lookaside, cds,
+			     &rdata);
+			emit(DNS_DSDIGEST_SHA256, showall, lookaside, cds,
+			     &rdata);
 		} else
-			emit(dtype, showall, lookaside, &rdata);
+			emit(dtype, showall, lookaside, cds, &rdata);
 	}
 
 	if (dns_rdataset_isassociated(&rdataset))
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dnssec-keygen.c,v 1.16 2015/07/08 17:28:55 christos Exp $	*/
+/*	$NetBSD: dnssec-keygen.c,v 1.17 2015/12/17 04:00:41 christos Exp $	*/
 
 /*
  * Portions Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
@@ -43,6 +43,7 @@
 #include <isc/commandline.h>
 #include <isc/entropy.h>
 #include <isc/mem.h>
+#include <isc/print.h>
 #include <isc/region.h>
 #include <isc/string.h>
 #include <isc/util.h>
@@ -241,7 +242,7 @@
 	int		dbits = 0;
 	dns_ttl_t	ttl = 0;
 	isc_boolean_t	use_default = ISC_FALSE, use_nsec3 = ISC_FALSE;
-	isc_stdtime_t	publish = 0, activate = 0, revoke = 0;
+	isc_stdtime_t	publish = 0, activate = 0, revokekey = 0;
 	isc_stdtime_t	inactive = 0, delete = 0;
 	isc_stdtime_t	now;
 	int		prepub = -1;
@@ -429,7 +430,7 @@
 			if (setrev || unsetrev)
 				fatal("-R specified more than once");
 
-			revoke = strtotime(isc_commandline_argument,
+			revokekey = strtotime(isc_commandline_argument,
 					   now, now, &setrev);
 			unsetrev = !setrev;
 			break;
@@ -958,7 +959,7 @@
 						"was used. Revoking a ZSK is "
 						"legal, but undefined.\n",
 						program);
-				dst_key_settime(key, DST_TIME_REVOKE, revoke);
+				dst_key_settime(key, DST_TIME_REVOKE, revokekey);
 			}
 
 			if (setinact)
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-revoke.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-revoke.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dnssec-revoke.c,v 1.8 2014/12/10 04:37:51 christos Exp $	*/
+/*	$NetBSD: dnssec-revoke.c,v 1.9 2015/12/17 04:00:41 christos Exp $	*/
 
 /*
- * Copyright (C) 2009-2012, 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009-2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -98,7 +98,7 @@
 	isc_uint32_t flags;
 	isc_buffer_t buf;
 	isc_boolean_t force = ISC_FALSE;
-	isc_boolean_t remove = ISC_FALSE;
+	isc_boolean_t removefile = ISC_FALSE;
 	isc_boolean_t id = ISC_FALSE;
 
 	if (argc == 1)
@@ -135,7 +135,7 @@
 			}
 			break;
 		    case 'r':
-			remove = ISC_TRUE;
+			removefile = ISC_TRUE;
 			break;
 		    case 'R':
 			id = ISC_TRUE;
@@ -259,7 +259,7 @@
 		 * Remove old key file, if told to (and if
 		 * it isn't the same as the new file)
 		 */
-		if (remove && dst_key_alg(key) != DST_ALG_RSAMD5) {
+		if (removefile && dst_key_alg(key) != DST_ALG_RSAMD5) {
 			isc_buffer_init(&buf, oldname, sizeof(oldname));
 			dst_key_setflags(key, flags & ~DNS_KEYFLAG_REVOKE);
 			dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-settime.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-settime.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dnssec-settime.c,v 1.12 2015/07/08 17:28:55 christos Exp $	*/
+/*	$NetBSD: dnssec-settime.c,v 1.13 2015/12/17 04:00:41 christos Exp $	*/
 
 /*
  * Copyright (C) 2009-2015  Internet Systems Consortium, Inc. ("ISC")
@@ -117,8 +117,8 @@
 	} else if (epoch) {
 		fprintf(stream, "%d\n", (int) when);
 	} else {
-		time_t time = when;
-		output = ctime(&time);
+		time_t timet = when;
+		output = ctime(&timet);
 		fprintf(stream, "%s", output);
 	}
 }
@@ -411,7 +411,6 @@
 					"inactive.\n", program);
 
 		changed = setpub = setact = ISC_TRUE;
-		dst_key_free(&prevkey);
 	} else {
 		if (prepub < 0)
 			prepub = 0;
@@ -602,6 +601,8 @@
 		printf("%s\n", newname);
 	}
 
+	if (prevkey != NULL)
+		dst_key_free(&prevkey);
 	dst_key_free(&key);
 	dst_lib_destroy();
 	isc_hash_destroy();
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dnssec-signzone.c,v 1.15 2015/07/08 17:28:55 christos Exp $	*/
+/*	$NetBSD: dnssec-signzone.c,v 1.16 2015/12/17 04:00:41 christos Exp $	*/
 
 /*
  * Portions Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
@@ -54,6 +54,7 @@
 #include <isc/random.h>
 #include <isc/rwlock.h>
 #include <isc/serial.h>
+#include <isc/safe.h>
 #include <isc/stdio.h>
 #include <isc/stdlib.h>
 #include <isc/string.h>
@@ -688,7 +689,9 @@
 			    (iszsk(key) && !keyset_kskonly))
 				signwithkey(name, set, key->key, ttl, add,
 					    "signing with dnskey");
-		} else if (iszsk(key)) {
+		} else if (set->type == dns_rdatatype_cds ||
+			   set->type == dns_rdatatype_cdnskey ||
+			   iszsk(key)) {
 			signwithkey(name, set, key->key, ttl, add,
 				    "signing with dnskey");
 		}
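Review bot: The widened `else if` condition has no comment, yet it changes which keys sign: for CDS and CDNSKEY RRsets `signwithkey()` is now called for every key that reaches this branch, not only those for which `iszsk(key)` is true. That looks intentional, but a reader cannot tell from the code, so I would add `/* CDS and CDNSKEY are signed by every key reaching here, not only by ZSKs. */` above the condition. The enclosing loop and function start outside the hunk, so whether an earlier check already filters the keys cannot be confirmed from here.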
@@ -765,7 +768,7 @@
 
 static int
 hashlist_comp(const void *a, const void *b) {
-	return (memcmp(a, b, hash_length + 1));
+	return (isc_safe_memcompare(a, b, hash_length + 1));
 }
 
 static void
@@ -792,7 +795,7 @@
 		next += l->length;
 		if (next[l->length-1] != 0)
 			continue;
-		if (memcmp(current, next, l->length - 1) == 0)
+		if (isc_safe_memequal(current, next, l->length - 1))
 			return (ISC_TRUE);
 		current = next;
 	}
@@ -1324,7 +1327,7 @@
  * Delete any RRSIG records at a node.
  */
 static void
-cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
+cleannode(dns_db_t *db, dns_dbversion_t *dbversion, dns_dbnode_t *node) {
 	dns_rdatasetiter_t *rdsiter = NULL;
 	dns_rdataset_t set;
 	isc_result_t result, dresult;
@@ -1333,7 +1336,7 @@
 		return;
 
 	dns_rdataset_init(&set);
-	result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
+	result = dns_db_allrdatasets(db, node, dbversion, 0, &rdsiter);
 	check_result(result, "dns_db_allrdatasets");
 	result = dns_rdatasetiter_first(rdsiter);
 	while (result == ISC_R_SUCCESS) {
@@ -1347,7 +1350,7 @@
 		dns_rdataset_disassociate(&set);
 		result = dns_rdatasetiter_next(rdsiter);
 		if (destroy) {
-			dresult = dns_db_deleterdataset(db, node, version,
+			dresult = dns_db_deleterdataset(db, node, dbversion,
 							dns_rdatatype_rrsig,
 							covers);
 			check_result(dresult, "dns_db_deleterdataset");
@@ -1864,11 +1867,9 @@
 				      dns_rdatatype_nsec3param,
 				      &nsec3param, &b);
 	check_result(result, "dns_rdata_fromstruct()");
+	dns_rdatalist_init(&rdatalist);
 	rdatalist.rdclass = rdata.rdclass;
 	rdatalist.type = rdata.type;
-	rdatalist.covers = 0;
-	rdatalist.ttl = 0;
-	ISC_LIST_INIT(rdatalist.rdata);
 	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
 	result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
 	check_result(result, "dns_rdatalist_tordataset()");
@@ -1930,11 +1931,10 @@
 				      nexthash, ISC_SHA1_DIGESTLENGTH,
 				      nsec3buffer, &rdata);
 	check_result(result, "addnsec3: dns_nsec3_buildrdata()");
+	dns_rdatalist_init(&rdatalist);
 	rdatalist.rdclass = rdata.rdclass;
 	rdatalist.type = rdata.type;
-	rdatalist.covers = 0;
 	rdatalist.ttl = ttl;
-	ISC_LIST_INIT(rdatalist.rdata);
 	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
 	result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
 	check_result(result, "dns_rdatalist_tordataset()");
@@ -2023,14 +2023,13 @@
 		if (exists && nsec3.hash == hashalg &&
 		    nsec3.iterations == iterations &&
 		    nsec3.salt_length == salt_len &&
-		    !memcmp(nsec3.salt, salt, salt_len))
+		    isc_safe_memequal(nsec3.salt, salt, salt_len))
 			continue;
+		dns_rdatalist_init(&rdatalist);
 		rdatalist.rdclass = rdata.rdclass;
 		rdatalist.type = rdata.type;
-		rdatalist.covers = 0;
 		if (set_maxttl)
 			rdatalist.ttl = ISC_MIN(rdataset.ttl, maxttl);
-		ISC_LIST_INIT(rdatalist.rdata);
 		dns_rdata_init(&delrdata);
 		dns_rdata_clone(&rdata, &delrdata);
 		ISC_LIST_APPEND(rdatalist.rdata, &delrdata, link);
@@ -2712,7 +2711,7 @@
 
 	if (!update && set_salt) {
 		if (salt_length != orig_saltlen ||
-		    memcmp(saltbuf, orig_salt, salt_length) != 0)
+		    !isc_safe_memequal(saltbuf, orig_salt, salt_length))
 			fatal("An NSEC3 chain exists with a different salt. "
 			      "Use -u to update it.");
 	} else if (!set_salt) {
@@ -2780,7 +2779,7 @@
 	char *filename;
 	char namestr[DNS_NAME_FORMATSIZE];
 	dns_db_t *db = NULL;
-	dns_dbversion_t *version = NULL;
+	dns_dbversion_t *dbversion = NULL;
 	dns_diff_t diff;
 	dns_difftuple_t *tuple = NULL;
 	dns_fixedname_t fixed;
@@ -2903,19 +2902,19 @@
 			       gclass, 0, NULL, &db);
 	check_result(result, "dns_db_create");
 
-	result = dns_db_newversion(db, &version);
+	result = dns_db_newversion(db, &dbversion);
 	check_result(result, "dns_db_newversion");
 
-	result = dns_diff_apply(&diff, db, version);
+	result = dns_diff_apply(&diff, db, dbversion);
 	check_result(result, "dns_diff_apply");
 	dns_diff_clear(&diff);
 
-	result = dns_master_dump(mctx, db, version, style, filename);
+	result = dns_master_dump(mctx, db, dbversion, style, filename);
 	check_result(result, "dns_master_dump");
 
 	isc_mem_put(mctx, filename, filenamelen + 1);
 
-	dns_db_closeversion(db, &version, ISC_FALSE);
+	dns_db_closeversion(db, &dbversion, ISC_FALSE);
 	dns_db_detach(&db);
 }
 
@@ -3589,7 +3588,10 @@
 	 * of keys rather early.
 	 */
 	ISC_LIST_INIT(keylist);
-	isc_rwlock_init(&keylist_lock, 0, 0);
+	result = isc_rwlock_init(&keylist_lock, 0, 0);
+	if (result != ISC_R_SUCCESS)
+		fatal("could not initialize keylist_lock: %s",
+		      isc_result_totext(result));
 
 	/*
 	 * Fill keylist with:
--- a/external/bsd/bind/dist/bin/named/client.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/client.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: client.c,v 1.13 2015/07/08 17:28:55 christos Exp $	*/
+/*	$NetBSD: client.c,v 1.14 2015/12/17 04:00:41 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
@@ -17,8 +17,6 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* Id: client.c,v 1.286 2012/01/31 23:47:30 tbox Exp  */
-
 #include <config.h>
 
 #include <isc/formatcheck.h>
@@ -28,6 +26,7 @@
 #include <isc/print.h>
 #include <isc/queue.h>
 #include <isc/random.h>
+#include <isc/safe.h>
 #include <isc/serial.h>
 #include <isc/stats.h>
 #include <isc/stdio.h>
@@ -346,12 +345,12 @@
 		 * We are trying to abort request processing.
 		 */
 		if (client->nsends > 0) {
-			isc_socket_t *socket;
+			isc_socket_t *sock;
 			if (TCP_CLIENT(client))
-				socket = client->tcpsocket;
+				sock = client->tcpsocket;
 			else
-				socket = client->udpsocket;
-			isc_socket_cancel(socket, client->task,
+				sock = client->udpsocket;
+			isc_socket_cancel(sock, client->task,
 					  ISC_SOCKCANCEL_SEND);
 		}
 
@@ -865,17 +864,17 @@
 	isc_result_t result;
 	isc_region_t r;
 	isc_sockaddr_t *address;
-	isc_socket_t *socket;
+	isc_socket_t *sock;
 	isc_netaddr_t netaddr;
 	int match;
 	unsigned int sockflags = ISC_SOCKFLAG_IMMEDIATE;
 	isc_dscp_t dispdscp = -1;
 
 	if (TCP_CLIENT(client)) {
-		socket = client->tcpsocket;
+		sock = client->tcpsocket;
 		address = NULL;
 	} else {
-		socket = client->udpsocket;
+		sock = client->udpsocket;
 		address = &client->peeraddr;
 
 		isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
@@ -913,7 +912,7 @@
 
 	CTRACE("sendto");
 
-	result = isc_socket_sendto2(socket, &r, client->task,
+	result = isc_socket_sendto2(sock, &r, client->task,
 				    address, pktinfo,
 				    client->sendevent, sockflags);
 	if (result == ISC_R_SUCCESS || result == ISC_R_INPROGRESS) {
@@ -1297,10 +1296,15 @@
 		isc_boolean_t wouldlog;
 		char log_buf[DNS_RRL_LOG_BUF_LEN];
 		dns_rrl_result_t rrl_result;
+		int loglevel;
 
 		INSIST(rcode != dns_rcode_noerror &&
 		       rcode != dns_rcode_nxdomain);
-		wouldlog = isc_log_wouldlog(ns_g_lctx, DNS_RRL_LOG_DROP);
+		if (ns_g_server->log_queries)
+			loglevel = DNS_RRL_LOG_DROP;
+		else
+			loglevel = ISC_LOG_DEBUG(1);
+		wouldlog = isc_log_wouldlog(ns_g_lctx, loglevel);
 		rrl_result = dns_rrl(client->view, &client->peeraddr,
 				     TCP_CLIENT(client),
 				     dns_rdataclass_in, dns_rdatatype_none,
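Review bot: Nothing in the hunk explains why the rate-limit drop message is demoted to `ISC_LOG_DEBUG(1)` when `ns_g_server->log_queries` is off, and the effect matters to anyone who watches these messages to spot abuse: with query logging disabled they are only emitted at debug level 1. I would add a comment above the `if`, for example `/* Log RRL drops at DNS_RRL_LOG_DROP only when query logging is on; otherwise at debug 1. */`. The same `loglevel` is passed to the `ns_client_log()` call in the next hunk. The enclosing block starts outside the hunk.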
@@ -1317,7 +1321,7 @@
 				ns_client_log(client,
 					      NS_LOGCATEGORY_QUERY_EERRORS,
 					      NS_LOGMODULE_CLIENT,
-					      DNS_RRL_LOG_DROP,
+					      loglevel,
 					      "%s", log_buf);
 			}
 			/*
@@ -1452,7 +1456,7 @@
 		compute_sit(client, now, nonce, &buf);
 
 		INSIST(count < DNS_EDNSOPTIONS);
-		ednsopts[count].code = DNS_OPT_SIT;
+		ednsopts[count].code = DNS_OPT_COOKIE;
 		ednsopts[count].length = SIT_SIZE;
 		ednsopts[count].value = sit;
 		count++;
@@ -1717,7 +1721,7 @@
 	isc_buffer_init(&db, dbuf, sizeof(dbuf));
 	compute_sit(client, when, nonce, &db);
 
-	if (memcmp(old, dbuf, SIT_SIZE) != 0) {
+	if (!isc_safe_memequal(old, dbuf, SIT_SIZE)) {
 		isc_stats_increment(ns_g_server->nsstats,
 				    dns_nsstatscounter_sitnomatch);
 		return;
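Review bot: The switch to `isc_safe_memequal()` in the cookie check carries no comment saying why a plain `memcmp()` is not acceptable here, which makes it easy to revert in a later cleanup. The buffer compared against is produced by `compute_sit()`, and `old` appears to be the value received from the client, so presumably the aim is to keep the comparison time independent of how many leading bytes match. I would add `/* Constant-time compare: do not reveal how much of the received cookie matched. */` above the `if`. The function starts and ends outside the hunk.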
@@ -1789,7 +1793,7 @@
 				isc_buffer_forward(&optbuf, optlen);
 				break;
 #ifdef ISC_PLATFORM_USESIT
-			case DNS_OPT_SIT:
+			case DNS_OPT_COOKIE:
 				process_sit(client, &optbuf, optlen);
 				break;
 #endif
@@ -2013,6 +2017,14 @@
 		 * Parsing the request failed.  Send a response
 		 * (typically FORMERR or SERVFAIL).
 		 */
+		if (result == DNS_R_OPTERR)
+			(void)ns_client_addopt(client, client->message,
+					       &client->opt);
+
+		ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
+			      "message parsing failed: %s",
+			      isc_result_totext(result));
 		ns_client_error(client, result);
 		goto cleanup;
 	}
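Review bot: The added `ns_client_log()` call writes at `ISC_LOG_WARNING` for every request that fails to parse, and that condition is controlled entirely by the remote sender, so a stream of malformed packets becomes unbounded warning-level log volume. A debug level, such as the `ISC_LOG_DEBUG(1)` already used in the rate-limit path of this file, or a rate-limited message would keep the diagnostic without letting remote clients fill the log. Separately, the result of `ns_client_addopt()` is discarded with `(void)`; a short comment saying that a failure there is deliberately ignored because an error response follows anyway would help. The enclosing function starts outside the hunk.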
--- a/external/bsd/bind/dist/bin/named/config.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/config.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: config.c,v 1.11 2015/07/08 17:28:55 christos Exp $	*/
+/*	$NetBSD: config.c,v 1.12 2015/12/17 04:00:41 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -168,7 +168,14 @@
 	dnssec-enable yes;\n\
 	dnssec-validation yes; \n\
 	dnssec-accept-expired no;\n\
-	clients-per-query 10;\n\
+"
+#ifdef ENABLE_FETCHLIMIT
+" 	fetches-per-server 0;\n\
+	fetches-per-zone 0;\n\
+	fetch-quota-params 100 0.1 0.3 0.7;\n\
+"
+#endif /* ENABLE_FETCHLIMIT */
+"	clients-per-query 10;\n\
 	max-clients-per-query 100;\n\
 	max-recursion-depth 7;\n\
 	max-recursion-queries 75;\n\
@@ -454,10 +461,6 @@
 	}
 
 	if (dscpsp != NULL) {
-		dscps = isc_mem_get(mctx, count * sizeof(isc_dscp_t));
-		if (dscps == NULL)
-			return (ISC_R_NOMEMORY);
-
 		dscpobj = cfg_tuple_get(list, "dscp");
 		if (dscpobj != NULL && cfg_obj_isuint32(dscpobj)) {
 			if (cfg_obj_asuint32(dscpobj) > 63) {
@@ -468,11 +471,18 @@
 			}
 			dscp = (isc_dscp_t)cfg_obj_asuint32(dscpobj);
 		}
+
+		dscps = isc_mem_get(mctx, count * sizeof(isc_dscp_t));
+		if (dscps == NULL)
+			return (ISC_R_NOMEMORY);
 	}
 
 	addrs = isc_mem_get(mctx, count * sizeof(isc_sockaddr_t));
-	if (addrs == NULL)
+	if (addrs == NULL) {
+		if (dscps != NULL)
+			isc_mem_put(mctx, dscps, count * sizeof(isc_dscp_t));
 		return (ISC_R_NOMEMORY);
+	}
 
 	for (element = cfg_list_first(addrlist);
 	     element != NULL;
@@ -562,7 +572,7 @@
 	const cfg_obj_t *portobj;
 	const cfg_obj_t *dscpobj;
 	in_port_t port;
-	isc_dscp_t dscp;
+	isc_dscp_t dscp = -1;
 	dns_fixedname_t fname;
 	isc_sockaddr_t *addrs = NULL;
 	isc_dscp_t *dscps = NULL;
@@ -611,7 +621,8 @@
 			cfg_obj_log(dscpobj, ns_g_lctx, ISC_LOG_ERROR,
 				    "dscp value '%u' is out of range",
 				    cfg_obj_asuint32(dscpobj));
-			return (ISC_R_RANGE);
+			result = ISC_R_RANGE;
+			goto cleanup;
 		}
 		dscp = (isc_dscp_t)cfg_obj_asuint32(dscpobj);
 	}
--- a/external/bsd/bind/dist/bin/named/control.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/control.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: control.c,v 1.8 2014/12/10 04:37:51 christos Exp $	*/
+/*	$NetBSD: control.c,v 1.9 2015/12/17 04:00:41 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2007, 2009-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009-2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -103,7 +103,7 @@
 	if (command_compare(command, NS_COMMAND_RELOAD)) {
 		result = ns_server_reloadcommand(ns_g_server, command, text);
 	} else if (command_compare(command, NS_COMMAND_RECONFIG)) {
-		result = ns_server_reconfigcommand(ns_g_server, command);
+		result = ns_server_reconfigcommand(ns_g_server);
 	} else if (command_compare(command, NS_COMMAND_REFRESH)) {
 		result = ns_server_refreshcommand(ns_g_server, command, text);
 	} else if (command_compare(command, NS_COMMAND_RETRANSFER)) {
--- a/external/bsd/bind/dist/bin/named/include/named/lwdclient.h	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/include/named/lwdclient.h	Thu Dec 17 04:00:21 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: lwdclient.h,v 1.4 2014/12/10 04:37:52 christos Exp $	*/
+/*	$NetBSD: lwdclient.h,v 1.5 2015/12/17 04:00:41 christos Exp $	*/
 
 /*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -188,6 +188,7 @@
 	lwres_context_t	       *lwctx;		/*%< lightweight proto context */
 	isc_task_t	       *task;		/*%< owning task */
 	unsigned int		flags;
+	isc_mutex_t		lock;
 	ISC_LINK(ns_lwdclientmgr_t)	link;
 	ISC_LIST(ns_lwdclient_t)	idle;		/*%< idle client slots */
 	ISC_LIST(ns_lwdclient_t)	running;	/*%< running clients */
--- a/external/bsd/bind/dist/bin/named/include/named/main.h	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/include/named/main.h	Thu Dec 17 04:00:21 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: main.h,v 1.5 2014/12/10 04:37:52 christos Exp $	*/
+/*	$NetBSD: main.h,v 1.6 2015/12/17 04:00:41 christos Exp $	*/
 
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2013, 2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -17,8 +17,6 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* Id: main.h,v 1.17 2009/09/29 23:48:03 tbox Exp  */
-
 #ifndef NAMED_MAIN_H
 #define NAMED_MAIN_H 1
 
@@ -28,6 +26,11 @@
 #define main(argc, argv) bindmain(argc, argv)
 #endif
 
+/*
+ * Commandline arguments for named; also referenced in win32/ntservice.c
+ */
+#define NS_MAIN_ARGS "46c:C:d:D:E:fFgi:lM:m:n:N:p:P:sS:t:T:U:u:vVx:"
+
 ISC_PLATFORM_NORETURN_PRE void
 ns_main_earlyfatal(const char *format, ...)
 ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
--- a/external/bsd/bind/dist/bin/named/include/named/server.h	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/include/named/server.h	Thu Dec 17 04:00:21 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: server.h,v 1.9 2014/12/10 04:37:52 christos Exp $	*/
+/*	$NetBSD: server.h,v 1.10 2015/12/17 04:00:41 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -53,6 +53,7 @@
 	isc_quota_t		xfroutquota;
 	isc_quota_t		tcpquota;
 	isc_quota_t		recursionquota;
+
 	dns_acl_t		*blackholeacl;
 	char *			statsfile;	/*%< Statistics file name */
 	char *			dumpfile;	/*%< Dump file name */
@@ -185,7 +186,6 @@
 	dns_nsstatscounter_expireopt = 44,
 	dns_nsstatscounter_otheropt = 45,
 
-#ifdef ISC_PLATFORM_USESIT
 	dns_nsstatscounter_sitopt = 46,
 	dns_nsstatscounter_sitbadsize = 47,
 	dns_nsstatscounter_sitbadtime = 48,
@@ -194,9 +194,6 @@
 	dns_nsstatscounter_sitnew = 51,
 
 	dns_nsstatscounter_max = 52
-#else
-	dns_nsstatscounter_max = 46
-#endif
 };
 
 void
@@ -242,7 +239,7 @@
  */
 
 isc_result_t
-ns_server_reconfigcommand(ns_server_t *server, char *args);
+ns_server_reconfigcommand(ns_server_t *server);
 /*%<
  * Act on a "reconfig" command from the command channel.
  */
--- a/external/bsd/bind/dist/bin/named/interfacemgr.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/interfacemgr.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: interfacemgr.c,v 1.10 2015/07/08 17:28:55 christos Exp $	*/
+/*	$NetBSD: interfacemgr.c,v 1.11 2015/12/17 04:00:41 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2009, 2011-2015  Internet Systems Consortium, Inc. ("ISC")
@@ -473,7 +473,7 @@
 	return (ISC_R_SUCCESS);
 
  addtodispatch_failure:
-	for (i = disp - 1; i <= 0; i--) {
+	for (i = disp - 1; i >= 0; i--) {
 		dns_dispatch_changeattributes(ifp->udpdispatch[i], 0,
 					      DNS_DISPATCHATTR_NOLISTEN);
 		dns_dispatch_detach(&(ifp->udpdispatch[i]));
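Review bot: The corrected loop `for (i = disp - 1; i >= 0; i--)` only terminates if `i` is a signed type; with an unsigned `i` the condition is always true and the index wraps past the start of `ifp->udpdispatch[]`. The declaration of `i` is outside the hunk, so this should be confirmed before relying on the fix. If `i` turns out to be unsigned, `for (i = disp; i-- > 0;) {` walks the same indices without the wrap.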
--- a/external/bsd/bind/dist/bin/named/logconf.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/logconf.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: logconf.c,v 1.7 2014/12/10 04:37:51 christos Exp $	*/
+/*	$NetBSD: logconf.c,v 1.8 2015/12/17 04:00:41 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2007, 2011, 2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2011, 2013, 2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -25,6 +25,7 @@
 
 #include <isc/file.h>
 #include <isc/offset.h>
+#include <isc/print.h>
 #include <isc/result.h>
 #include <isc/stdio.h>
 #include <isc/string.h>
--- a/external/bsd/bind/dist/bin/named/lwdclient.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/lwdclient.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: lwdclient.c,v 1.4 2014/12/10 04:37:51 christos Exp $	*/
+/*	$NetBSD: lwdclient.c,v 1.5 2015/12/17 04:00:41 christos Exp $	*/
 
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -61,12 +61,16 @@
 	ns_lwdclientmgr_t *cm;
 	ns_lwdclient_t *client;
 	unsigned int i;
-	isc_result_t result = ISC_R_FAILURE;
+	isc_result_t result;
 
 	cm = isc_mem_get(lwresd->mctx, sizeof(ns_lwdclientmgr_t));
 	if (cm == NULL)
 		return (ISC_R_NOMEMORY);
 
+	result = isc_mutex_init(&cm->lock);
+	if (result != ISC_R_SUCCESS)
+		goto freecm;
+
 	cm->listener = NULL;
 	ns_lwreslistener_attach(listener, &cm->listener);
 	cm->mctx = lwresd->mctx;
@@ -80,10 +84,10 @@
 	ISC_LIST_INIT(cm->idle);
 	ISC_LIST_INIT(cm->running);
 
-	if (lwres_context_create(&cm->lwctx, cm->mctx,
-				 ns__lwresd_memalloc, ns__lwresd_memfree,
-				 LWRES_CONTEXT_SERVERMODE)
-	    != ISC_R_SUCCESS)
+	result = lwres_context_create(&cm->lwctx, cm->mctx,
+				      ns__lwresd_memalloc, ns__lwresd_memfree,
+				      LWRES_CONTEXT_SERVERMODE);
+	 if (result != ISC_R_SUCCESS)
 		goto errout;
 
 	for (i = 0; i < nclients; i++) {
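Review bot: `result = lwres_context_create(...)` stores an lwres library status in an `isc_result_t`, and that value now reaches the caller through `goto errout` and `return (result)`. The old code only compared the status and returned the function's own `ISC_R_FAILURE`. Unless the two code spaces are known to agree for every failure, keep the comparison and set the ISC code explicitly before the jump: `result = ISC_R_FAILURE;` then `goto errout;`. The added `if` line also has a stray space after its tab. The function's start and the `errout` label are outside this hunk.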
@@ -98,8 +102,10 @@
 	/*
 	 * If we could create no clients, clean up and return.
 	 */
-	if (ISC_LIST_EMPTY(cm->idle))
+	if (ISC_LIST_EMPTY(cm->idle)) {
+		result = ISC_R_NOMEMORY;
 		goto errout;
+	}
 
 	result = isc_task_create(taskmgr, 0, &cm->task);
 	if (result != ISC_R_SUCCESS)
@@ -132,6 +138,9 @@
 	if (cm->lwctx != NULL)
 		lwres_context_destroy(&cm->lwctx);
 
+	DESTROYLOCK(&cm->lock);
+
+ freecm:
 	isc_mem_put(lwresd->mctx, cm, sizeof(*cm));
 	return (result);
 }
@@ -141,11 +150,14 @@
 	ns_lwdclient_t *client;
 	ns_lwreslistener_t *listener;
 
-	if (!SHUTTINGDOWN(cm))
+	LOCK(&cm->lock);
+	if (!SHUTTINGDOWN(cm)) {
+		UNLOCK(&cm->lock);
 		return;
+	}
 
 	/*
-	 * run through the idle list and free the clients there.  Idle
+	 * Run through the idle list and free the clients there.  Idle
 	 * clients do not have a recv running nor do they have any finds
 	 * or similar running.
 	 */
@@ -158,14 +170,20 @@
 		client = ISC_LIST_HEAD(cm->idle);
 	}
 
-	if (!ISC_LIST_EMPTY(cm->running))
+	if (!ISC_LIST_EMPTY(cm->running)) {
+		UNLOCK(&cm->lock);
 		return;
+	}
+
+	UNLOCK(&cm->lock);
 
 	lwres_context_destroy(&cm->lwctx);
 	cm->view = NULL;
 	isc_socket_detach(&cm->sock);
 	isc_task_detach(&cm->task);
 
+	DESTROYLOCK(&cm->lock);
+
 	listener = cm->listener;
 	ns_lwreslistener_unlinkcm(listener, cm);
 	ns_lwdclient_log(50, "destroying manager %p", cm);
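Review bot: Teardown begins after `UNLOCK(&cm->lock)` with nothing recorded in `cm` to show that destruction is under way. A second caller arriving before `DESTROYLOCK(&cm->lock)` would pass the same `SHUTTINGDOWN` and empty-list checks and run the destroy path again on `cm->lwctx`, `cm->sock` and `cm->task`. Whether two callers can overlap depends on task serialization that is not visible here. If they can, mark the manager as being destroyed while the lock is still held and return early when the mark is already set; if they cannot, a comment stating why would make that checkable. The function begins in the previous hunk and continues past this one.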
@@ -227,8 +245,10 @@
 
 	NS_LWDCLIENT_SETRECVDONE(client);
 
+	LOCK(&cm->lock);
 	INSIST((cm->flags & NS_LWDCLIENTMGR_FLAGRECVPENDING) != 0);
 	cm->flags &= ~NS_LWDCLIENTMGR_FLAGRECVPENDING;
+	UNLOCK(&cm->lock);
 
 	ns_lwdclient_log(50,
 			 "event received: task %p, length %u, result %u (%s)",
@@ -276,40 +296,53 @@
 	ns_lwdclient_t *client;
 	isc_result_t result;
 	isc_region_t r;
+	isc_boolean_t destroy = ISC_FALSE;
 
+
+	LOCK(&cm->lock);
 	if (SHUTTINGDOWN(cm)) {
-		lwdclientmgr_destroy(cm);
-		return (ISC_R_SUCCESS);
+		destroy = ISC_TRUE;
+		result = ISC_R_SUCCESS;
+		goto unlock;
 	}
 
 	/*
 	 * If a recv is already running, don't bother.
 	 */
-	if ((cm->flags & NS_LWDCLIENTMGR_FLAGRECVPENDING) != 0)
-		return (ISC_R_SUCCESS);
+	if ((cm->flags & NS_LWDCLIENTMGR_FLAGRECVPENDING) != 0) {
+		result = ISC_R_SUCCESS;
+		goto unlock;
+	}
 
 	/*
 	 * If we have no idle slots, just return success.
 	 */
 	client = ISC_LIST_HEAD(cm->idle);
-	if (client == NULL)
-		return (ISC_R_SUCCESS);
+	if (client == NULL) {
+		result = ISC_R_SUCCESS;
+		goto unlock;
+	}
+
 	INSIST(NS_LWDCLIENT_ISIDLE(client));
 
 	/*
+	 * Set the flag to say there is a recv pending.  If isc_socket_recv
+	 * fails we will clear the flag otherwise it will be cleared by
+	 * ns_lwdclient_recv.
+	 */
+	cm->flags |= NS_LWDCLIENTMGR_FLAGRECVPENDING;
+
+	/*
 	 * Issue the recv.  If it fails, return that it did.
 	 */
 	r.base = client->buffer;
 	r.length = LWRES_RECVLENGTH;
 	result = isc_socket_recv(cm->sock, &r, 0, cm->task, ns_lwdclient_recv,
 				 client);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/*
-	 * Set the flag to say we've issued a recv() call.
-	 */
-	cm->flags |= NS_LWDCLIENTMGR_FLAGRECVPENDING;
+	if (result != ISC_R_SUCCESS) {
+		cm->flags &= ~NS_LWDCLIENTMGR_FLAGRECVPENDING;
+		goto unlock;
+	}
 
 	/*
 	 * Remove the client from the idle list, and put it on the running
@@ -319,7 +352,13 @@
 	ISC_LIST_UNLINK(cm->idle, client, link);
 	ISC_LIST_APPEND(cm->running, client, link);
 
-	return (ISC_R_SUCCESS);
+ unlock:
+	UNLOCK(&cm->lock);
+
+	if (destroy)
+		lwdclientmgr_destroy(cm);
+
+	return (result);
 }
 
 static void
@@ -337,6 +376,7 @@
 	 * clients do not have a recv running nor do they have any finds
 	 * or similar running.
 	 */
+	LOCK(&cm->lock);
 	client = ISC_LIST_HEAD(cm->idle);
 	while (client != NULL) {
 		ns_lwdclient_log(50, "destroying client %p, manager %p",
@@ -345,6 +385,7 @@
 		isc_mem_put(cm->mctx, client, sizeof(*client));
 		client = ISC_LIST_HEAD(cm->idle);
 	}
+	UNLOCK(&cm->lock);
 
 	/*
 	 * Cancel any pending I/O.
@@ -355,6 +396,7 @@
 	 * Run through the running client list and kill off any finds
 	 * in progress.
 	 */
+	LOCK(&cm->lock);
 	client = ISC_LIST_HEAD(cm->running);
 	while (client != NULL) {
 		if (client->find != client->v4find
@@ -369,6 +411,8 @@
 
 	cm->flags |= NS_LWDCLIENTMGR_FLAGSHUTTINGDOWN;
 
+	UNLOCK(&cm->lock);
+
 	isc_event_free(&ev);
 }
 
@@ -389,8 +433,10 @@
 	INSIST(client->v4find == NULL);
 	INSIST(client->v6find == NULL);
 
+	LOCK(&cm->lock);
 	ISC_LIST_UNLINK(cm->running, client, link);
 	ISC_LIST_PREPEND(cm->idle, client, link);
+	UNLOCK(&cm->lock);
 
 	NS_LWDCLIENT_SETIDLE(client);
 
@@ -466,5 +512,7 @@
 
 	client->pktinfo_valid = ISC_FALSE;
 
+	LOCK(&cmgr->lock);
 	ISC_LIST_APPEND(cmgr->idle, client, link);
+	UNLOCK(&cmgr->lock);
 }
--- a/external/bsd/bind/dist/bin/named/lwresd.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/lwresd.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: lwresd.c,v 1.6 2014/12/10 04:37:51 christos Exp $	*/
+/*	$NetBSD: lwresd.c,v 1.7 2015/12/17 04:00:41 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2009, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2012, 2013, 2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -604,7 +604,7 @@
 
 static isc_result_t
 listener_startclients(ns_lwreslistener_t *listener) {
-	ns_lwdclientmgr_t *cm;
+	ns_lwdclientmgr_t *cm, *next;
 	unsigned int i;
 	isc_result_t result;
 
@@ -628,6 +628,7 @@
 	LOCK(&listener->lock);
 	cm = ISC_LIST_HEAD(listener->cmgrs);
 	while (cm != NULL) {
+		next = ISC_LIST_NEXT(cm, link);
 		result = ns_lwdclient_startrecv(cm);
 		if (result != ISC_R_SUCCESS)
 			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
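Review bot: The destroy path that `next` guards against runs while this loop still holds `listener->lock`, because `ns_lwdclient_startrecv(cm)` can end in `ns_lwreslistener_unlinkcm(listener, cm)` (see lwdclient.c in this changeset). If that helper takes the same lock (its body is not shown here), the shutdown path would block on a lock this thread already owns. If it does not, it edits `listener->cmgrs` in the middle of the walk. A comment on the loop should state the contract, e.g. `/* startrecv may destroy and unlink cm; cm must not be used after the call */`, and the lock order should be confirmed against the helper. The loop's closing lines are in the following hunk.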
@@ -635,7 +636,7 @@
 				      "could not start lwres "
 				      "client handler: %s",
 				      isc_result_totext(result));
-		cm = ISC_LIST_NEXT(cm, link);
+		cm = next;
 	}
 	UNLOCK(&listener->lock);
 
--- a/external/bsd/bind/dist/bin/named/main.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/main.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: main.c,v 1.18 2015/07/08 17:28:55 christos Exp $	*/
+/*	$NetBSD: main.c,v 1.19 2015/12/17 04:00:41 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
@@ -392,6 +392,7 @@
 	const char *name;
 	unsigned int value;
 } mem_debug_flags[] = {
+	{ "none", 0},
 	{ "trace",  ISC_MEM_DEBUGTRACE },
 	{ "record", ISC_MEM_DEBUGRECORD },
 	{ "usage", ISC_MEM_DEBUGUSAGE },
@@ -402,6 +403,8 @@
 
 static void
 set_flags(const char *arg, struct flag_def *defs, unsigned int *ret) {
+	isc_boolean_t clear = ISC_FALSE;
+
 	for (;;) {
 		const struct flag_def *def;
 		const char *end = strchr(arg, ',');
@@ -412,16 +415,21 @@
 		for (def = defs; def->name != NULL; def++) {
 			if (arglen == (int)strlen(def->name) &&
 			    memcmp(arg, def->name, arglen) == 0) {
+				if (def->value == 0)
+					clear = ISC_TRUE;
 				*ret |= def->value;
 				goto found;
 			}
 		}
 		ns_main_earlyfatal("unrecognized flag '%.*s'", arglen, arg);
 	 found:
-		if (*end == '\0')
+		if (clear || (*end == '\0'))
 			break;
 		arg = end + 1;
 	}
+
+	if (clear)
+		*ret = 0;
 }
 
 static void
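Review bot: Once `none` matches, the loop breaks on `clear` without reading the rest of the list, so `-m none,typo` is accepted silently while `-m typo,none` is fatal. `clear` is also keyed on `def->value == 0`, which ties the meaning of "none" to any table entry whose value is zero. Either drop `clear ||` from the break condition so every token is still validated before `*ret = 0` is applied, or document the short-circuit with `/* "none" wins: later flags are ignored and not validated */`. The start of set_flags is in the previous hunk.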
@@ -432,10 +440,12 @@
 
 	save_command_line(argc, argv);
 
-	/* PLEASE keep options synchronized when main is hooked! */
-#define CMDLINE_FLAGS "46c:C:d:D:E:fFgi:lm:n:N:p:P:sS:t:T:U:u:vVx:"
+	/*
+	 * NS_MAIN_ARGS is defined in main.h, so that it can be used
+	 * both by named and by ntservice hooks.
+	 */
 	isc_commandline_errprint = ISC_FALSE;
-	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+	while ((ch = isc_commandline_parse(argc, argv, NS_MAIN_ARGS)) != -1) {
 		switch (ch) {
 		case '4':
 			if (ns_g_disable4)
@@ -490,6 +500,10 @@
 		case 'l':
 			ns_g_lwresdonly = ISC_TRUE;
 			break;
+		case 'M':
+			if (strcmp(isc_commandline_argument, "external") == 0)
+				isc_mem_defaultflags = 0;
+			break;
 		case 'm':
 			set_flags(isc_commandline_argument, mem_debug_flags,
 				  &isc_mem_debugging);
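Review bot: `case 'M'` ignores every argument other than `external`, so a misspelled value leaves the default allocator settings in place with no diagnostic. Because the option decides which allocator the server runs on, an unknown value should be rejected the way set_flags rejects an unknown flag: `else ns_main_earlyfatal("unknown argument to -M: '%s'", isc_commandline_argument);`. The surrounding switch starts and ends outside this hunk.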
@@ -613,16 +627,16 @@
 			ns_g_username = isc_commandline_argument;
 			break;
 		case 'v':
-			printf("%s %s", ns_g_product, ns_g_version);
-			if (*ns_g_description != 0)
-				printf(" %s", ns_g_description);
-			printf("\n");
+			printf("%s %s%s%s <id:%s>\n",
+			       ns_g_product, ns_g_version,
+			       (*ns_g_description != '\0') ? " " : "",
+			       ns_g_description, ns_g_srcid);
 			exit(0);
 		case 'V':
-			printf("%s %s", ns_g_product, ns_g_version);
-			if (*ns_g_description != 0)
-				printf(" %s", ns_g_description);
-			printf(" <id:%s> built by %s with %s\n", ns_g_srcid,
+			printf("%s %s%s%s <id:%s>\n", ns_g_product, ns_g_version,
+			       (*ns_g_description != '\0') ? " " : "",
+			       ns_g_description, ns_g_srcid);
+			printf("built by %s with %s\n",
 			       ns_g_builder, ns_g_configargs);
 #ifdef __clang__
 			printf("compiled by CLANG %s\n", __VERSION__);
@@ -644,18 +658,20 @@
 #ifdef OPENSSL
 			printf("compiled with OpenSSL version: %s\n",
 			       OPENSSL_VERSION_TEXT);
-#ifndef WIN32
 			printf("linked to OpenSSL version: %s\n",
 			       SSLeay_version(SSLEAY_VERSION));
 #endif
-#endif
 #ifdef HAVE_LIBXML2
 			printf("compiled with libxml2 version: %s\n",
 			       LIBXML_DOTTED_VERSION);
-#ifndef WIN32
 			printf("linked to libxml2 version: %s\n",
 			       xmlParserVersion);
 #endif
+#ifdef HAVE_JSON
+			printf("compiled with libjson-c version: %s\n",
+			       JSON_C_VERSION);
+			printf("linked to libjson-c version: %s\n",
+			       json_c_version());
 #endif
 			exit(0);
 		case 'F':
@@ -665,7 +681,7 @@
 			usage();
 			if (isc_commandline_option == '?')
 				exit(0);
-			p = strchr(CMDLINE_FLAGS, isc_commandline_option);
+			p = strchr(NS_MAIN_ARGS, isc_commandline_option);
 			if (p == NULL || *++p != ':')
 				ns_main_earlyfatal("unknown option '-%c'",
 						   isc_commandline_option);
@@ -776,10 +792,6 @@
 destroy_managers(void) {
 	ns_lwresd_shutdown();
 
-	isc_entropy_detach(&ns_g_entropy);
-	if (ns_g_fallbackentropy != NULL)
-		isc_entropy_detach(&ns_g_fallbackentropy);
-
 	/*
 	 * isc_taskmgr_destroy() will block until all tasks have exited,
 	 */
@@ -978,8 +990,10 @@
 				   isc_result_totext(result));
 
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
-		      ISC_LOG_NOTICE, "starting %s %s%s", ns_g_product,
-		      ns_g_version, saved_command_line);
+		      ISC_LOG_NOTICE, "starting %s %s%s%s <id:%s>%s",
+		      ns_g_product, ns_g_version,
+		      *ns_g_description ? " " : "", ns_g_description,
+		      ns_g_srcid, saved_command_line);
 
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
 		      ISC_LOG_NOTICE, "built with %s", ns_g_configargs);
@@ -1102,6 +1116,10 @@
 
 	ns_server_destroy(&ns_g_server);
 
+	isc_entropy_detach(&ns_g_entropy);
+	if (ns_g_fallbackentropy != NULL)
+		isc_entropy_detach(&ns_g_fallbackentropy);
+
 	ns_builtin_deinit();
 
 	/*
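Review bot: The reason the entropy sources are now detached after `ns_server_destroy(&ns_g_server)`, rather than in destroy_managers(), is not recorded at the new site. Presumably server teardown can still reference `ns_g_entropy`, though nothing in this hunk shows it. If that is the reason, a comment such as `/* Detach entropy only after the server is gone; its teardown may still use it. */` would keep a later cleanup from moving the calls back. The enclosing function starts and ends outside this hunk.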
--- a/external/bsd/bind/dist/bin/named/named.8	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/named.8	Thu Dec 17 04:00:21 2015 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: named.8,v 1.7 2014/12/10 04:37:51 christos Exp $
+.\"	$NetBSD: named.8,v 1.8 2015/12/17 04:00:41 christos Exp $
 .\"
-.\" Copyright (C) 2004-2009, 2011, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2009, 2011, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -35,7 +35,7 @@
 named \- Internet domain name server
 .SH "SYNOPSIS"
 .HP 6
-\fBnamed\fR [\fB\-4\fR] [\fB\-6\fR] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-D\ \fR\fB\fIstring\fR\fR] [\fB\-E\ \fR\fB\fIengine\-name\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-S\ \fR\fB\fI#max\-socks\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-U\ \fR\fB\fI#listeners\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-V\fR] [\fB\-x\ \fR\fB\fIcache\-file\fR\fR]
+\fBnamed\fR [\fB\-4\fR] [\fB\-6\fR] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-D\ \fR\fB\fIstring\fR\fR] [\fB\-E\ \fR\fB\fIengine\-name\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-M\ \fR\fB\fIoption\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-S\ \fR\fB\fI#max\-socks\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-U\ \fR\fB\fI#listeners\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-V\fR] [\fB\-x\ \fR\fB\fIcache\-file\fR\fR]
 .SH "DESCRIPTION"
 .PP
 \fBnamed\fR
@@ -112,6 +112,12 @@
 \fIstderr\fR.
 .RE
 .PP
+\-M \fIoption\fR
+.RS 4
+Sets the default memory context options. Currently the only supported option is
+\fIexternal\fR, which causes the internal memory manager to be bypassed in favor of system\-provided memory allocation functions.
+.RE
+.PP
 \-m \fIflag\fR
 .RS 4
 Turn on memory usage debugging flags. Possible flags are
@@ -291,7 +297,7 @@
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2009, 2011, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2009, 2011, 2013\-2015 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
 .br
--- a/external/bsd/bind/dist/bin/named/query.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/query.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: query.c,v 1.19 2015/07/08 17:28:55 christos Exp $	*/
+/*	$NetBSD: query.c,v 1.20 2015/12/17 04:00:41 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
@@ -130,21 +130,31 @@
 #define NOQNAME(r)		(((r)->attributes & \
 				  DNS_RDATASETATTR_NOQNAME) != 0)
 
-#if 0
-#define CTRACE(m)       isc_log_write(ns_g_lctx, \
-				      NS_LOGCATEGORY_CLIENT, \
-				      NS_LOGMODULE_QUERY, \
-				      ISC_LOG_DEBUG(3), \
-				      "client %p: %s", client, (m))
-#define QTRACE(m)       isc_log_write(ns_g_lctx, \
-				      NS_LOGCATEGORY_GENERAL, \
-				      NS_LOGMODULE_QUERY, \
-				      ISC_LOG_DEBUG(3), \
-				      "query %p: %s", query, (m))
+#ifdef WANT_QUERYTRACE
+#define CTRACE(l,m)	  do {						\
+	if (client != NULL && client->query.qname != NULL) {		\
+		if (isc_log_wouldlog(ns_g_lctx, l)) {			\
+			char qbuf[DNS_NAME_FORMATSIZE];			\
+			dns_name_format(client->query.qname,		\
+					qbuf, sizeof(qbuf));		\
+			isc_log_write(ns_g_lctx,			\
+				      NS_LOGCATEGORY_CLIENT,		\
+				      NS_LOGMODULE_QUERY,		\
+				      l, "client %p (%s): %s",		\
+				      client, qbuf, (m));		\
+		}							\
+	 } else {							\
+		isc_log_write(ns_g_lctx,				\
+			      NS_LOGCATEGORY_CLIENT,			\
+			      NS_LOGMODULE_QUERY,			\
+			      l, "client %p (<unknown-name>): %s",	\
+			      client, (m));				\
+	}								\
+} while(0)
 #else
-#define CTRACE(m) ((void)m)
-#define QTRACE(m) ((void)m)
-#endif
+#define CTRACE(l,m) ((void)m)
+#endif /* WANT_QUERYTRACE */
+
 
 #define DNS_GETDB_NOEXACT 0x01U
 #define DNS_GETDB_NOLOG 0x02U
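Review bot: In the `WANT_QUERYTRACE` form of `CTRACE` the level parameter is expanded bare as `l` in three places while the message is written `(m)`. It should be `(l)` throughout so that an expression argument cannot bind to its neighbours. The macro also relies on a variable named `client` being in scope at every call site and declares its own `qbuf`. Neither is stated anywhere, so a comment above the `#ifdef` should say so, e.g. `/* CTRACE(level, msg): requires 'client' in scope; logs the query name when known. */`. The `} else {` line has a stray space after its tab.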
@@ -319,13 +329,13 @@
 query_putrdataset(ns_client_t *client, dns_rdataset_t **rdatasetp) {
 	dns_rdataset_t *rdataset = *rdatasetp;
 
-	CTRACE("query_putrdataset");
+	CTRACE(ISC_LOG_DEBUG(3), "query_putrdataset");
 	if (rdataset != NULL) {
 		if (dns_rdataset_isassociated(rdataset))
 			dns_rdataset_disassociate(rdataset);
 		dns_message_puttemprdataset(client->message, rdatasetp);
 	}
-	CTRACE("query_putrdataset: done");
+	CTRACE(ISC_LOG_DEBUG(3), "query_putrdataset: done");
 }
 
 static inline void
@@ -432,7 +442,7 @@
 	isc_buffer_t *dbuf;
 	isc_result_t result;
 
-	CTRACE("query_newnamebuf");
+	CTRACE(ISC_LOG_DEBUG(3), "query_newnamebuf");
 	/*%
 	 * Allocate a name buffer.
 	 */
@@ -440,12 +450,13 @@
 	dbuf = NULL;
 	result = isc_buffer_allocate(client->mctx, &dbuf, 1024);
 	if (result != ISC_R_SUCCESS) {
-		CTRACE("query_newnamebuf: isc_buffer_allocate failed: done");
+		CTRACE(ISC_LOG_DEBUG(3),
+		       "query_newnamebuf: isc_buffer_allocate failed: done");
 		return (result);
 	}
 	ISC_LIST_APPEND(client->query.namebufs, dbuf, link);
 
-	CTRACE("query_newnamebuf: done");
+	CTRACE(ISC_LOG_DEBUG(3), "query_newnamebuf: done");
 	return (ISC_R_SUCCESS);
 }
 
@@ -455,7 +466,7 @@
 	isc_result_t result;
 	isc_region_t r;
 
-	CTRACE("query_getnamebuf");
+	CTRACE(ISC_LOG_DEBUG(3), "query_getnamebuf");
 	/*%
 	 * Return a name buffer with space for a maximal name, allocating
 	 * a new one if necessary.
@@ -464,7 +475,8 @@
 	if (ISC_LIST_EMPTY(client->query.namebufs)) {
 		result = query_newnamebuf(client);
 		if (result != ISC_R_SUCCESS) {
-		    CTRACE("query_getnamebuf: query_newnamebuf failed: done");
+		    CTRACE(ISC_LOG_DEBUG(3),
+			   "query_getnamebuf: query_newnamebuf failed: done");
 			return (NULL);
 		}
 	}
@@ -475,7 +487,8 @@
 	if (r.length < 255) {
 		result = query_newnamebuf(client);
 		if (result != ISC_R_SUCCESS) {
-		    CTRACE("query_getnamebuf: query_newnamebuf failed: done");
+		    CTRACE(ISC_LOG_DEBUG(3),
+			   "query_getnamebuf: query_newnamebuf failed: done");
 			return (NULL);
 
 		}
@@ -483,7 +496,7 @@
 		isc_buffer_availableregion(dbuf, &r);
 		INSIST(r.length >= 255);
 	}
-	CTRACE("query_getnamebuf: done");
+	CTRACE(ISC_LOG_DEBUG(3), "query_getnamebuf: done");
 	return (dbuf);
 }
 
@@ -491,7 +504,7 @@
 query_keepname(ns_client_t *client, dns_name_t *name, isc_buffer_t *dbuf) {
 	isc_region_t r;
 
-	CTRACE("query_keepname");
+	CTRACE(ISC_LOG_DEBUG(3), "query_keepname");
 	/*%
 	 * 'name' is using space in 'dbuf', but 'dbuf' has not yet been
 	 * adjusted to take account of that.  We do the adjustment.
@@ -515,14 +528,14 @@
 	 * rights on the buffer.
 	 */
 
-	CTRACE("query_releasename");
+	CTRACE(ISC_LOG_DEBUG(3), "query_releasename");
 	if (dns_name_hasbuffer(name)) {
 		INSIST((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
 		       != 0);
 		client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED;
 	}
 	dns_message_puttempname(client->message, namep);
-	CTRACE("query_releasename: done");
+	CTRACE(ISC_LOG_DEBUG(3), "query_releasename: done");
 }
 
 static inline dns_name_t *
@@ -535,11 +548,12 @@
 
 	REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) == 0);
 
-	CTRACE("query_newname");
+	CTRACE(ISC_LOG_DEBUG(3), "query_newname");
 	name = NULL;
 	result = dns_message_gettempname(client->message, &name);
 	if (result != ISC_R_SUCCESS) {
-		CTRACE("query_newname: dns_message_gettempname failed: done");
+		CTRACE(ISC_LOG_DEBUG(3),
+		       "query_newname: dns_message_gettempname failed: done");
 		return (NULL);
 	}
 	isc_buffer_availableregion(dbuf, &r);
@@ -548,7 +562,7 @@
 	dns_name_setbuffer(name, nbuf);
 	client->query.attributes |= NS_QUERYATTR_NAMEBUFUSED;
 
-	CTRACE("query_newname: done");
+	CTRACE(ISC_LOG_DEBUG(3), "query_newname: done");
 	return (name);
 }
 
@@ -557,16 +571,17 @@
 	dns_rdataset_t *rdataset;
 	isc_result_t result;
 
-	CTRACE("query_newrdataset");
+	CTRACE(ISC_LOG_DEBUG(3), "query_newrdataset");
 	rdataset = NULL;
 	result = dns_message_gettemprdataset(client->message, &rdataset);
 	if (result != ISC_R_SUCCESS) {
-	  CTRACE("query_newrdataset: "
+	  CTRACE(ISC_LOG_DEBUG(3),
+		 "query_newrdataset: "
 		 "dns_message_gettemprdataset failed: done");
 		return (NULL);
 	}
 
-	CTRACE("query_newrdataset: done");
+	CTRACE(ISC_LOG_DEBUG(3), "query_newrdataset: done");
 	return (rdataset);
 }
 
@@ -738,8 +753,10 @@
 	 * Get the current version of this database.
 	 */
 	dbversion = query_findversion(client, db);
-	if (dbversion == NULL)
+	if (dbversion == NULL) {
+		CTRACE(ISC_LOG_ERROR, "unable to get db version");
 		return (DNS_R_SERVFAIL);
+	}
 
 	if ((options & DNS_GETDB_IGNOREACL) != 0)
 		goto approved;
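Review bot: The new `CTRACE(ISC_LOG_ERROR, "unable to get db version")` expands to `((void)m)` unless the build defines `WANT_QUERYTRACE`, so in a default build this SERVFAIL path stays silent. The same applies to the `ISC_LOG_ERROR` traces added in query_addsoa (hunks at -2642 and -2677) and query_addns (hunks at -2759 and -2788). If operators are meant to see these failures, log them with a direct `isc_log_write()` call at that level. Otherwise add a note beside the macro that error-level traces exist only in query-trace builds. The enclosing function extends beyond this hunk.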
@@ -973,7 +990,7 @@
 	dns_dbversion_t *rpz_version = NULL;
 	isc_result_t result;
 
-	CTRACE("rpz_getdb");
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_getdb");
 
 	result = query_getzonedb(client, p_name, dns_rdatatype_any,
 				 DNS_GETDB_IGNOREACL, zonep, dbp, &rpz_version);
@@ -1200,7 +1217,7 @@
 	dns_name_t *mname = NULL;
 	isc_result_t result;
 
-	CTRACE("query_isduplicate");
+	CTRACE(ISC_LOG_DEBUG(3), "query_isduplicate");
 
 	for (section = DNS_SECTION_ANSWER;
 	     section <= DNS_SECTION_ADDITIONAL;
@@ -1211,7 +1228,8 @@
 			/*
 			 * We've already got this RRset in the response.
 			 */
-			CTRACE("query_isduplicate: true: done");
+			CTRACE(ISC_LOG_DEBUG(3),
+			       "query_isduplicate: true: done");
 			return (ISC_TRUE);
 		} else if (result == DNS_R_NXRRSET) {
 			/*
@@ -1227,7 +1245,7 @@
 	if (mnamep != NULL)
 		*mnamep = mname;
 
-	CTRACE("query_isduplicate: false: done");
+	CTRACE(ISC_LOG_DEBUG(3), "query_isduplicate: false: done");
 	return (ISC_FALSE);
 }
 
@@ -1254,7 +1272,7 @@
 	if (!WANTDNSSEC(client) && dns_rdatatype_isdnssec(qtype))
 		return (ISC_R_SUCCESS);
 
-	CTRACE("query_addadditional");
+	CTRACE(ISC_LOG_DEBUG(3), "query_addadditional");
 
 	/*
 	 * Initialization.
@@ -1310,7 +1328,7 @@
 	if (result != ISC_R_SUCCESS)
 		goto try_cache;
 
-	CTRACE("query_addadditional: db_find");
+	CTRACE(ISC_LOG_DEBUG(3), "query_addadditional: db_find");
 
 	/*
 	 * Since we are looking for authoritative data, we do not set
@@ -1582,7 +1600,7 @@
 	}
 
  addname:
-	CTRACE("query_addadditional: addname");
+	CTRACE(ISC_LOG_DEBUG(3), "query_addadditional: addname");
 	/*
 	 * If we haven't added anything, then we're done.
 	 */
@@ -1622,7 +1640,7 @@
 	}
 
  cleanup:
-	CTRACE("query_addadditional: cleanup");
+	CTRACE(ISC_LOG_DEBUG(3), "query_addadditional: cleanup");
 	query_putrdataset(client, &rdataset);
 	if (sigrdataset != NULL)
 		query_putrdataset(client, &sigrdataset);
@@ -1635,7 +1653,7 @@
 	if (zone != NULL)
 		dns_zone_detach(&zone);
 
-	CTRACE("query_addadditional: done");
+	CTRACE(ISC_LOG_DEBUG(3), "query_addadditional: done");
 	return (eresult);
 }
 
@@ -1753,7 +1771,7 @@
 	dns_clientinfomethods_init(&cm, ns_client_sourceip);
 	dns_clientinfo_init(&ci, client);
 
-	CTRACE("query_addadditional2");
+	CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2");
 
 	/*
 	 * We treat type A additional section processing as if it
@@ -1785,14 +1803,16 @@
 	if (result != ISC_R_SUCCESS)
 		goto findauthdb;
 	if (zone == NULL) {
-		CTRACE("query_addadditional2: auth zone not found");
+		CTRACE(ISC_LOG_DEBUG(3),
+		       "query_addadditional2: auth zone not found");
 		goto try_cache;
 	}
 
 	/* Is the cached DB up-to-date? */
 	result = query_iscachevalid(zone, cdb, NULL, cversion);
 	if (result != ISC_R_SUCCESS) {
-		CTRACE("query_addadditional2: old auth additional cache");
+		CTRACE(ISC_LOG_DEBUG(3),
+		       "query_addadditional2: old auth additional cache");
 		query_discardcache(client, rdataset_base, additionaltype,
 				   type, &zone, &cdb, &cversion, &cnode,
 				   &cfname);
@@ -1805,7 +1825,8 @@
 		 * ACL, since the result (not using this zone) would be same
 		 * regardless of the result.
 		 */
-		CTRACE("query_addadditional2: negative auth additional cache");
+		CTRACE(ISC_LOG_DEBUG(3),
+		       "query_addadditional2: negative auth additional cache");
 		dns_db_closeversion(cdb, &cversion, ISC_FALSE);
 		dns_db_detach(&cdb);
 		dns_zone_detach(&zone);
@@ -1822,7 +1843,8 @@
 	}
 
 	/* We've got an active cache. */
-	CTRACE("query_addadditional2: auth additional cache");
+	CTRACE(ISC_LOG_DEBUG(3),
+	       "query_addadditional2: auth additional cache");
 	dns_db_closeversion(cdb, &cversion, ISC_FALSE);
 	db = cdb;
 	node = cnode;
@@ -1846,7 +1868,7 @@
 		goto try_cache;
 	}
 
-	CTRACE("query_addadditional2: db_find");
+	CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2: db_find");
 
 	/*
 	 * Since we are looking for authoritative data, we do not set
@@ -1931,7 +1953,8 @@
 
 	result = query_iscachevalid(zone, cdb, client->query.gluedb, cversion);
 	if (result != ISC_R_SUCCESS) {
-		CTRACE("query_addadditional2: old glue additional cache");
+		CTRACE(ISC_LOG_DEBUG(3),
+		       "query_addadditional2: old glue additional cache");
 		query_discardcache(client, rdataset_base, additionaltype,
 				   type, &zone, &cdb, &cversion, &cnode,
 				   &cfname);
@@ -1940,14 +1963,15 @@
 
 	if (cnode == NULL) {
 		/* We have a negative cache. */
-		CTRACE("query_addadditional2: negative glue additional cache");
+		CTRACE(ISC_LOG_DEBUG(3),
+		       "query_addadditional2: negative glue additional cache");
 		dns_db_closeversion(cdb, &cversion, ISC_FALSE);
 		dns_db_detach(&cdb);
 		goto cleanup;
 	}
 
 	/* Cache hit. */
-	CTRACE("query_addadditional2: glue additional cache");
+	CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2: glue additional cache");
 	dns_db_closeversion(cdb, &cversion, ISC_FALSE);
 	db = cdb;
 	node = cnode;
@@ -2130,7 +2154,7 @@
 		}
 	}
 
-	CTRACE("query_addadditional2: addname");
+	CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2: addname");
 
 	/*
 	 * If we haven't added anything, then we're done.
@@ -2149,7 +2173,7 @@
 	fname = NULL;
 
  cleanup:
-	CTRACE("query_addadditional2: cleanup");
+	CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2: cleanup");
 
 	if (rdataset != NULL)
 		query_putrdataset(client, &rdataset);
@@ -2168,7 +2192,7 @@
 	if (zone != NULL)
 		dns_zone_detach(&zone);
 
-	CTRACE("query_addadditional2: done");
+	CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2: done");
 	return (eresult);
 }
 
@@ -2183,7 +2207,7 @@
 	 * 'fname', a name in the response message for 'client'.
 	 */
 
-	CTRACE("query_addrdataset");
+	CTRACE(ISC_LOG_DEBUG(3), "query_addrdataset");
 
 	ISC_LIST_APPEND(fname->list, rdataset, link);
 
@@ -2205,7 +2229,7 @@
 	additionalctx.rdataset = rdataset;
 	(void)dns_rdataset_additionaldata(rdataset, query_addadditional2,
 					  &additionalctx);
-	CTRACE("query_addrdataset: done");
+	CTRACE(ISC_LOG_DEBUG(3), "query_addrdataset: done");
 }
 
 static isc_result_t
@@ -2237,7 +2261,7 @@
 	 * stored in 'dbuf'.  In this case, query_addrrset() guarantees that
 	 * when it returns the name will either have been kept or released.
 	 */
-	CTRACE("query_dns64");
+	CTRACE(ISC_LOG_DEBUG(3), "query_dns64");
 	name = *namep;
 	mname = NULL;
 	mrdataset = NULL;
@@ -2254,7 +2278,8 @@
 		 * We've already got an RRset of the given name and type.
 		 * There's nothing else to do;
 		 */
-		CTRACE("query_dns64: dns_message_findname succeeded: done");
+		CTRACE(ISC_LOG_DEBUG(3),
+		       "query_dns64: dns_message_findname succeeded: done");
 		if (dbuf != NULL)
 			query_releasename(client, namep);
 		return (ISC_R_SUCCESS);
@@ -2384,7 +2409,7 @@
 		dns_message_puttemprdatalist(client->message, &dns64_rdatalist);
 	}
 
-	CTRACE("query_dns64: done");
+	CTRACE(ISC_LOG_DEBUG(3), "query_dns64: done");
 	return (result);
 }
 
@@ -2403,7 +2428,7 @@
 	isc_result_t result;
 	unsigned int i;
 
-	CTRACE("query_filter64");
+	CTRACE(ISC_LOG_DEBUG(3), "query_filter64");
 
 	INSIST(client->query.dns64_aaaaok != NULL);
 	INSIST(client->query.dns64_aaaaoklen == dns_rdataset_count(rdataset));
@@ -2423,7 +2448,8 @@
 		 * We've already got an RRset of the given name and type.
 		 * There's nothing else to do;
 		 */
-		CTRACE("query_filter64: dns_message_findname succeeded: done");
+		CTRACE(ISC_LOG_DEBUG(3),
+		       "query_filter64: dns_message_findname succeeded: done");
 		if (dbuf != NULL)
 			query_releasename(client, namep);
 		return;
@@ -2521,7 +2547,7 @@
 	if (dbuf != NULL)
 		query_releasename(client, &name);
 
-	CTRACE("query_filter64: done");
+	CTRACE(ISC_LOG_DEBUG(3), "query_filter64: done");
 }
 
 static void
@@ -2543,7 +2569,7 @@
 	 * stored in 'dbuf'.  In this case, query_addrrset() guarantees that
 	 * when it returns the name will either have been kept or released.
 	 */
-	CTRACE("query_addrrset");
+	CTRACE(ISC_LOG_DEBUG(3), "query_addrrset");
 	name = *namep;
 	rdataset = *rdatasetp;
 	if (sigrdatasetp != NULL)
@@ -2559,7 +2585,8 @@
 		/*
 		 * We've already got an RRset of the given name and type.
 		 */
-		CTRACE("query_addrrset: dns_message_findname succeeded: done");
+		CTRACE(ISC_LOG_DEBUG(3),
+		       "query_addrrset: dns_message_findname succeeded: done");
 		if (dbuf != NULL)
 			query_releasename(client, namep);
 		if ((rdataset->attributes & DNS_RDATASETATTR_REQUIRED) != 0)
@@ -2598,7 +2625,7 @@
 		ISC_LIST_APPEND(mname->list, sigrdataset, link);
 		*sigrdatasetp = NULL;
 	}
-	CTRACE("query_addrrset: done");
+	CTRACE(ISC_LOG_DEBUG(3), "query_addrrset: done");
 }
 
 static inline isc_result_t
@@ -2614,7 +2641,7 @@
 	dns_clientinfomethods_t cm;
 	dns_clientinfo_t ci;
 
-	CTRACE("query_addsoa");
+	CTRACE(ISC_LOG_DEBUG(3), "query_addsoa");
 	/*
 	 * Initialization.
 	 */
@@ -2642,12 +2669,14 @@
 	dns_name_clone(dns_db_origin(db), name);
 	rdataset = query_newrdataset(client);
 	if (rdataset == NULL) {
+		CTRACE(ISC_LOG_ERROR, "unable to allocate rdataset");
 		eresult = DNS_R_SERVFAIL;
 		goto cleanup;
 	}
 	if (WANTDNSSEC(client) && dns_db_issecure(db)) {
 		sigrdataset = query_newrdataset(client);
 		if (sigrdataset == NULL) {
+			CTRACE(ISC_LOG_ERROR, "unable to allocate sigrdataset");
 			eresult = DNS_R_SERVFAIL;
 			goto cleanup;
 		}
@@ -2677,6 +2706,7 @@
 		 * This is bad.  We tried to get the SOA RR at the zone top
 		 * and it didn't work!
 		 */
+		CTRACE(ISC_LOG_ERROR, "unable to find SOA RR at zone apex");
 		eresult = DNS_R_SERVFAIL;
 	} else {
 		/*
@@ -2741,7 +2771,7 @@
 	dns_clientinfomethods_t cm;
 	dns_clientinfo_t ci;
 
-	CTRACE("query_addns");
+	CTRACE(ISC_LOG_DEBUG(3), "query_addns");
 	/*
 	 * Initialization.
 	 */
@@ -2759,21 +2789,24 @@
 	 */
 	result = dns_message_gettempname(client->message, &name);
 	if (result != ISC_R_SUCCESS) {
-		CTRACE("query_addns: dns_message_gettempname failed: done");
+		CTRACE(ISC_LOG_DEBUG(3),
+		       "query_addns: dns_message_gettempname failed: done");
 		return (result);
 	}
 	dns_name_init(name, NULL);
 	dns_name_clone(dns_db_origin(db), name);
 	rdataset = query_newrdataset(client);
 	if (rdataset == NULL) {
-		CTRACE("query_addns: query_newrdataset failed");
+		CTRACE(ISC_LOG_ERROR,
+		       "query_addns: query_newrdataset failed");
 		eresult = DNS_R_SERVFAIL;
 		goto cleanup;
 	}
 	if (WANTDNSSEC(client) && dns_db_issecure(db)) {
 		sigrdataset = query_newrdataset(client);
 		if (sigrdataset == NULL) {
-			CTRACE("query_addns: query_newrdataset failed");
+			CTRACE(ISC_LOG_ERROR,
+			       "query_addns: query_newrdataset failed");
 			eresult = DNS_R_SERVFAIL;
 			goto cleanup;
 		}
@@ -2788,14 +2821,15 @@
 					     dns_rdatatype_ns, 0, client->now,
 					     rdataset, sigrdataset);
 	} else {
-		CTRACE("query_addns: calling dns_db_find");
+		CTRACE(ISC_LOG_DEBUG(3), "query_addns: calling dns_db_find");
 		result = dns_db_findext(db, name, NULL, dns_rdatatype_ns,
 					client->query.dboptions, 0, &node,
 					fname, &cm, &ci, rdataset, sigrdataset);
-		CTRACE("query_addns: dns_db_find complete");
+		CTRACE(ISC_LOG_DEBUG(3), "query_addns: dns_db_find complete");
 	}
 	if (result != ISC_R_SUCCESS) {
-		CTRACE("query_addns: "
+		CTRACE(ISC_LOG_ERROR,
+		       "query_addns: "
 		       "dns_db_findrdataset or dns_db_find failed");
 		/*
 		 * This is bad.  We tried to get the NS rdataset at the zone
@@ -2812,7 +2846,7 @@
 	}
 
  cleanup:
-	CTRACE("query_addns: cleanup");
+	CTRACE(ISC_LOG_DEBUG(3), "query_addns: cleanup");
 	query_putrdataset(client, &rdataset);
 	if (sigrdataset != NULL)
 		query_putrdataset(client, &sigrdataset);
@@ -2821,7 +2855,7 @@
 	if (node != NULL)
 		dns_db_detachnode(db, &node);
 
-	CTRACE("query_addns: done");
+	CTRACE(ISC_LOG_DEBUG(3), "query_addns: done");
 	return (eresult);
 }
 
@@ -2872,7 +2906,6 @@
 		return (result);
 	}
 	rdatalist->type = dns_rdatatype_cname;
-	rdatalist->covers = 0;
 	rdatalist->rdclass = client->message->rdclass;
 	rdatalist->ttl = ttl;
 
@@ -3088,7 +3121,7 @@
 	dns_clientinfomethods_t cm;
 	dns_clientinfo_t ci;
 
-	CTRACE("query_addbestns");
+	CTRACE(ISC_LOG_DEBUG(3), "query_addbestns");
 	fname = NULL;
 	zfname = NULL;
 	rdataset = NULL;
@@ -3293,7 +3326,7 @@
 	isc_result_t result;
 	unsigned int count;
 
-	CTRACE("query_addds");
+	CTRACE(ISC_LOG_DEBUG(3), "query_addds");
 	rname = NULL;
 	rdataset = NULL;
 	sigrdataset = NULL;
@@ -3423,7 +3456,7 @@
 	dns_clientinfomethods_t cm;
 	dns_clientinfo_t ci;
 
-	CTRACE("query_addwildcardproof");
+	CTRACE(ISC_LOG_DEBUG(3), "query_addwildcardproof");
 	fname = NULL;
 	rdataset = NULL;
 	sigrdataset = NULL;
@@ -3787,9 +3820,10 @@
 		if (devent->sigrdataset != NULL)
 			query_putrdataset(client, &devent->sigrdataset);
 		isc_event_free(&event);
-		if (fetch_canceled)
+		if (fetch_canceled) {
+			CTRACE(ISC_LOG_ERROR, "fetch cancelled");
 			query_error(client, DNS_R_SERVFAIL, __LINE__);
-		else
+		} else
 			query_next(client, ISC_R_CANCELED);
 		/*
 		 * This may destroy the client.
@@ -4049,12 +4083,15 @@
 rpz_ready(ns_client_t *client, dns_rdataset_t **rdatasetp) {
 	REQUIRE(rdatasetp != NULL);
 
-	CTRACE("rpz_ready");
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_ready");
 
 	if (*rdatasetp == NULL) {
 		*rdatasetp = query_newrdataset(client);
-		if (*rdatasetp == NULL)
+		if (*rdatasetp == NULL) {
+			CTRACE(ISC_LOG_ERROR,
+			       "rpz_ready: query_newrdataset failed");
 			return (DNS_R_SERVFAIL);
+		}
 	} else if (dns_rdataset_isassociated(*rdatasetp)) {
 		dns_rdataset_disassociate(*rdatasetp);
 	}
@@ -4065,7 +4102,7 @@
 rpz_st_clear(ns_client_t *client) {
 	dns_rpz_st_t *st = client->query.rpz_st;
 
-	CTRACE("rpz_st_clear");
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_st_clear");
 
 	if (st->m.rdataset != NULL)
 		query_putrdataset(client, &st->m.rdataset);
@@ -4175,7 +4212,7 @@
 	dns_clientinfomethods_t cm;
 	dns_clientinfo_t ci;
 
-	CTRACE("rpz_rrset_find");
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_rrset_find");
 
 	st = client->query.rpz_st;
 	if ((st->state & DNS_RPZ_RECURSING) != 0) {
@@ -4193,6 +4230,7 @@
 		st->r.r_rdataset = NULL;
 		result = st->r.r_result;
 		if (result == DNS_R_DELEGATION) {
+			CTRACE(ISC_LOG_ERROR, "RPZ recursing");
 			rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name,
 				     rpz_type, " rpz_rrset_find(1)", result);
 			st->m.policy = DNS_RPZ_POLICY_ERROR;
@@ -4283,7 +4321,7 @@
 	unsigned int first, labels;
 	isc_result_t result;
 
-	CTRACE("rpz_get_p_name");
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_get_p_name");
 
 	/*
 	 * The policy owner name consists of a suffix depending on the type
@@ -4371,7 +4409,7 @@
 
 	REQUIRE(nodep != NULL);
 
-	CTRACE("rpz_find_p");
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_find_p");
 
 	/*
 	 * Try to find either a CNAME or the type of record demanded by the
@@ -4379,8 +4417,10 @@
 	 */
 	rpz_clean(zonep, dbp, nodep, rdatasetp);
 	result = rpz_ready(client, rdatasetp);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
+		CTRACE(ISC_LOG_ERROR, "rpz_ready() failed");
 		return (DNS_R_SERVFAIL);
+	}
 	*versionp = NULL;
 	result = rpz_getdb(client, p_name, rpz_type, zonep, dbp, versionp);
 	if (result != ISC_R_SUCCESS)
@@ -4404,6 +4444,8 @@
 		if (result != ISC_R_SUCCESS) {
 			rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name,
 				     rpz_type, " allrdatasets()", result);
+			CTRACE(ISC_LOG_ERROR,
+			       "rpz_find_p: allrdatasets failed");
 			return (DNS_R_SERVFAIL);
 		}
 		for (result = dns_rdatasetiter_first(rdsiter);
@@ -4421,6 +4463,9 @@
 				rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
 					     p_name, rpz_type,
 					     " rdatasetiter", result);
+				CTRACE(ISC_LOG_ERROR,
+				       "rpz_find_p: rdatasetiter_destroy "
+				       "failed");
 				return (DNS_R_SERVFAIL);
 			}
 			/*
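Review bot: The added trace text says `rdatasetiter_destroy` failed, but the `rpz_log_fail()` call directly above labels the same failure " rdatasetiter", which suggests the failing step is the iteration rather than the destroy call. The condition itself is outside this hunk, so this needs confirming. The query_find hunk at -7874 uses the same wording under `if (result != ISC_R_NOMORE)`, where the return of `dns_rdatasetiter_destroy(&rdsiter)` is not used at all. A message such as `"rpz_find_p: rdataset iteration failed"` (and `"query_find: rdataset iteration failed"` there) would point an operator at the right call.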
@@ -4475,6 +4520,8 @@
 	default:
 		rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, rpz_type,
 			     "", result);
+		CTRACE(ISC_LOG_ERROR,
+		       "rpz_find_p: unexpected result");
 		return (DNS_R_SERVFAIL);
 	}
 }
@@ -4538,7 +4585,7 @@
 	dns_rpz_policy_t policy;
 	isc_result_t result;
 
-	CTRACE("rpz_rewrite_ip");
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip");
 
 	dns_fixedname_init(&ip_namef);
 	ip_name = dns_fixedname_name(&ip_namef);
@@ -4593,7 +4640,8 @@
 			 * data can out of date during races with and among
 			 * policy zone updates.
 			 */
-			CTRACE("rpz_rewrite_ip: mismatched summary data; "
+			CTRACE(ISC_LOG_ERROR,
+			       "rpz_rewrite_ip: mismatched summary data; "
 			       "continuing");
 			continue;
 		case DNS_R_SERVFAIL:
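Review bot: Logging "mismatched summary data; continuing" at `ISC_LOG_ERROR` looks too severe for a condition the surrounding comment describes as a race with policy zone updates, after which the loop simply continues. If CTRACE output is active in a production build (its definition is not in this hunk), this path can emit error-level lines during ordinary policy zone updates and bury real failures. `ISC_LOG_DEBUG(3)`, as used for the other progress traces, would fit better. The same applies to the rpz_rewrite_name hunk at -4904.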
@@ -4632,7 +4680,8 @@
 			 * ensures that we found the longest match.
 			 */
 			if (rpz->policy != DNS_RPZ_POLICY_DISABLED) {
-				CTRACE("rpz_rewrite_ip: rpz_save_p");
+				CTRACE(ISC_LOG_DEBUG(3),
+				       "rpz_rewrite_ip: rpz_save_p");
 				rpz_save_p(st, rpz, rpz_type,
 					   policy, p_name, prefix, result,
 					   &p_zone, &p_db, &p_node,
@@ -4671,7 +4720,7 @@
 	struct in6_addr in6a;
 	isc_result_t result;
 
-	CTRACE("rpz_rewrite_ip_rrset");
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip_rrset");
 
 	zbits = rpz_get_zbits(client, ip_type, rpz_type);
 	if (zbits == 0)
@@ -4711,6 +4760,8 @@
 				     rpz_type, " NS address rewrite rrset",
 				     result);
 		}
+		CTRACE(ISC_LOG_ERROR,
+		       "rpz_rewrite_ip_rrset: unexpected result");
 		return (DNS_R_SERVFAIL);
 	}
 
@@ -4762,7 +4813,7 @@
 	dns_rdataset_t *p_rdataset;
 	isc_result_t result;
 
-	CTRACE("rpz_rewrite_ip_rrsets");
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip_rrsets");
 
 	st = client->query.rpz_st;
 	ip_version = NULL;
@@ -4830,7 +4881,7 @@
 	dns_rpz_policy_t policy;
 	isc_result_t result;
 
-	CTRACE("rpz_rewrite_name");
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_name");
 
 	zbits = rpz_get_zbits(client, qtype, rpz_type);
 	zbits &= allowed_zbits;
@@ -4840,16 +4891,14 @@
 	rpzs = client->view->rpzs;
 
 	/*
-	 * If there is only one eligible policy zone, just check it.
-	 * If more than one, then use the summary database to find
-	 * the bit mask of policy zones with policies for this trigger name.
-	 *	x&(~x+1) is the least significant bit set in x
-	 */
-	if (zbits != (zbits & (~zbits + 1))) {
-		zbits = dns_rpz_find_name(rpzs, rpz_type, zbits, trig_name);
-		if (zbits == 0)
-			return (ISC_R_SUCCESS);
-	}
+	 * Use the summary database to find the bit mask of policy zones
+	 * with policies for this trigger name. We do this even if there
+	 * is only one eligible policy zone so that wildcard triggers
+	 * are matched correctly, and not into their parent.
+	 */
+	zbits = dns_rpz_find_name(rpzs, rpz_type, zbits, trig_name);
+	if (zbits == 0)
+		return (ISC_R_SUCCESS);
 
 	dns_fixedname_init(&p_namef);
 	p_name = dns_fixedname_name(&p_namef);
@@ -4904,7 +4953,8 @@
 			 * data can out of date during races with and among
 			 * policy zone updates.
 			 */
-			CTRACE("rpz_rewrite_name: mismatched summary data; "
+			CTRACE(ISC_LOG_ERROR,
+			       "rpz_rewrite_name: mismatched summary data; "
 			       "continuing");
 			continue;
 		case DNS_R_SERVFAIL:
@@ -4961,7 +5011,8 @@
 			}
 #endif
 			if (rpz->policy != DNS_RPZ_POLICY_DISABLED) {
-				CTRACE("rpz_rewrite_name: rpz_save_p");
+				CTRACE(ISC_LOG_DEBUG(3),
+				       "rpz_rewrite_name: rpz_save_p");
 				rpz_save_p(st, rpz, rpz_type,
 					   policy, p_name, 0, result,
 					   &p_zone, &p_db, &p_node,
@@ -4993,7 +5044,7 @@
 {
 	dns_rpz_st_t *st;
 
-	CTRACE("rpz_rewrite_ns_skip");
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ns_skip");
 
 	st = client->query.rpz_st;
 
@@ -5027,7 +5078,7 @@
 	dns_rpz_popt_t popt;
 	int rpz_ver;
 
-	CTRACE("rpz_rewrite");
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite");
 
 	rpzs = client->view->rpzs;
 	st = client->query.rpz_st;
@@ -5387,6 +5438,7 @@
 		rpz_match_clear(st);
 	}
 	if (st->m.policy == DNS_RPZ_POLICY_ERROR) {
+		CTRACE(ISC_LOG_ERROR, "SERVFAIL due to RPZ policy");
 		st->m.type = DNS_RPZ_TYPE_BAD;
 		result = DNS_R_SERVFAIL;
 	}
@@ -5411,7 +5463,7 @@
 	dns_rdatatype_t type;
 	isc_result_t result;
 
-	CTRACE("rpz_ck_dnssec");
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_ck_dnssec");
 
 	if (client->view->rpzs->p.break_dnssec || !WANTDNSSEC(client))
 		return (ISC_TRUE);
@@ -5477,7 +5529,7 @@
 	unsigned int labels;
 	isc_result_t result;
 
-	CTRACE("rpz_add_cname");
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_add_cname");
 
 	labels = dns_name_countlabels(cname);
 	if (labels > 2 && dns_name_iswildcard(cname)) {
@@ -5624,7 +5676,7 @@
 	dns_rdataset_t *neg, *negsig;
 	isc_result_t result = ISC_R_NOMEMORY;
 
-	CTRACE("query_addnoqnameproof");
+	CTRACE(ISC_LOG_DEBUG(3), "query_addnoqnameproof");
 
 	fname = NULL;
 	neg = NULL;
@@ -6038,7 +6090,7 @@
 	dns_clientinfo_t ci;
 	ns_dbversion_t *dbversion;
 
-	CTRACE("redirect");
+	CTRACE(ISC_LOG_DEBUG(3), "redirect");
 
 	if (client->view->redirect == NULL)
 		return (ISC_R_NOTFOUND);
@@ -6112,7 +6164,7 @@
 		return (ISC_R_NOTFOUND);
 	}
 
-	CTRACE("redirect: found data: done");
+	CTRACE(ISC_LOG_DEBUG(3), "redirect: found data: done");
 	dns_name_copy(found, name, NULL);
 	if (dns_rdataset_isassociated(rdataset))
 		dns_rdataset_disassociate(rdataset);
@@ -6179,11 +6231,12 @@
 	isc_boolean_t redirected = ISC_FALSE;
 	dns_clientinfomethods_t cm;
 	dns_clientinfo_t ci;
+	char errmsg[256];
 	isc_boolean_t associated;
 	dns_section_t section;
 	dns_ttl_t ttl;
 
-	CTRACE("query_find");
+	CTRACE(ISC_LOG_DEBUG(3), "query_find");
 
 	/*
 	 * One-time initialization.
@@ -6227,7 +6280,7 @@
 		if (rpz_st != NULL &&
 		    (rpz_st->state & DNS_RPZ_RECURSING) != 0)
 		{
-			CTRACE("resume from RPZ recursion");
+			CTRACE(ISC_LOG_DEBUG(3), "resume from RPZ recursion");
 
 			is_zone = rpz_st->q.is_zone;
 			authoritative = rpz_st->q.authoritative;
@@ -6250,7 +6303,8 @@
 			rpz_st->r.r_rdataset = event->rdataset;
 			query_putrdataset(client, &event->sigrdataset);
 		} else {
-			CTRACE("resume from normal recursion");
+			CTRACE(ISC_LOG_DEBUG(3),
+			       "resume from normal recursion");
 			authoritative = ISC_FALSE;
 
 			qtype = event->qtype;
@@ -6298,11 +6352,15 @@
 		 */
 		dbuf = query_getnamebuf(client);
 		if (dbuf == NULL) {
+			CTRACE(ISC_LOG_ERROR,
+			       "query_find: query_getnamebuf failed (1)");
 			QUERY_ERROR(DNS_R_SERVFAIL);
 			goto cleanup;
 		}
 		fname = query_newname(client, dbuf, &b);
 		if (fname == NULL) {
+			CTRACE(ISC_LOG_ERROR,
+			       "query_find: query_newname failed (1)");
 			QUERY_ERROR(DNS_R_SERVFAIL);
 			goto cleanup;
 		}
@@ -6314,6 +6372,8 @@
 		}
 		result = dns_name_copy(tname, fname, NULL);
 		if (result != ISC_R_SUCCESS) {
+			CTRACE(ISC_LOG_ERROR,
+			       "query_find: dns_name_copy failed");
 			QUERY_ERROR(DNS_R_SERVFAIL);
 			goto cleanup;
 		}
@@ -6342,7 +6402,7 @@
 		type = qtype;
 
  restart:
-	CTRACE("query_find: restart");
+	CTRACE(ISC_LOG_DEBUG(3), "query_find: restart");
 	want_restart = ISC_FALSE;
 	authoritative = ISC_FALSE;
 	version = NULL;
@@ -6418,8 +6478,11 @@
 				inc_stats(client, dns_nsstatscounter_authrej);
 			if (!PARTIALANSWER(client))
 				QUERY_ERROR(DNS_R_REFUSED);
-		} else
+		} else {
+			CTRACE(ISC_LOG_ERROR,
+			       "query_find: query_getdb failed");
 			QUERY_ERROR(DNS_R_SERVFAIL);
+		}
 		goto cleanup;
 	}
 
@@ -6452,24 +6515,30 @@
 	}
 
  db_find:
-	CTRACE("query_find: db_find");
+	CTRACE(ISC_LOG_DEBUG(3), "query_find: db_find");
 	/*
 	 * We'll need some resources...
 	 */
 	dbuf = query_getnamebuf(client);
 	if (dbuf == NULL) {
+		CTRACE(ISC_LOG_ERROR,
+		       "query_find: query_getnamebuf failed (2)");
 		QUERY_ERROR(DNS_R_SERVFAIL);
 		goto cleanup;
 	}
 	fname = query_newname(client, dbuf, &b);
 	rdataset = query_newrdataset(client);
 	if (fname == NULL || rdataset == NULL) {
+		CTRACE(ISC_LOG_ERROR,
+		       "query_find: query_newname failed (2)");
 		QUERY_ERROR(DNS_R_SERVFAIL);
 		goto cleanup;
 	}
 	if (WANTDNSSEC(client) && (!is_zone || dns_db_issecure(db))) {
 		sigrdataset = query_newrdataset(client);
 		if (sigrdataset == NULL) {
+			CTRACE(ISC_LOG_ERROR,
+			       "query_find: query_newrdataset failed (2)");
 			QUERY_ERROR(DNS_R_SERVFAIL);
 			goto cleanup;
 		}
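Review bot: The trace `"query_find: query_newname failed (2)"` is emitted when `fname == NULL || rdataset == NULL`, so it also fires when `query_newrdataset()` was the call that failed. These traces exist to pinpoint the step behind a SERVFAIL, so the text should cover both, e.g. `"query_find: query_newname or query_newrdataset failed (2)"`. query_find begins and ends outside this hunk.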
@@ -6486,7 +6555,7 @@
 		dns_cache_updatestats(client->view->cache, result);
 
  resume:
-	CTRACE("query_find: resume");
+	CTRACE(ISC_LOG_DEBUG(3), "query_find: resume");
 
 	/*
 	 * Rate limit these responses to this client.
@@ -6852,6 +6921,8 @@
 				goto cleanup;
 			} else {
 				/* Unable to give root server referral. */
+				CTRACE(ISC_LOG_ERROR,
+				       "unable to give root server referral");
 				QUERY_ERROR(DNS_R_SERVFAIL);
 				goto cleanup;
 			}
@@ -7114,11 +7185,17 @@
 			if (fname == NULL) {
 				dbuf = query_getnamebuf(client);
 				if (dbuf == NULL) {
+					CTRACE(ISC_LOG_ERROR,
+					       "query_find: "
+					       "query_getnamebuf failed (3)");
 					QUERY_ERROR(DNS_R_SERVFAIL);
 					goto cleanup;
 				}
 				fname = query_newname(client, dbuf, &b);
 				if (fname == NULL) {
+					CTRACE(ISC_LOG_ERROR,
+					       "query_find: "
+					       "query_newname failed (3)");
 					QUERY_ERROR(DNS_R_SERVFAIL);
 					goto cleanup;
 				}
@@ -7219,6 +7296,10 @@
 					if (fname == NULL ||
 					    rdataset == NULL ||
 					    sigrdataset == NULL) {
+						CTRACE(ISC_LOG_ERROR,
+						       "query_find: "
+						       "failure getting "
+						       "closest encloser");
 						QUERY_ERROR(DNS_R_SERVFAIL);
 						goto cleanup;
 					}
@@ -7421,11 +7502,17 @@
 			if (fname == NULL) {
 				dbuf = query_getnamebuf(client);
 				if (dbuf == NULL) {
+					CTRACE(ISC_LOG_ERROR,
+					       "query_find: "
+					       "query_getnamebuf failed (4)");
 					QUERY_ERROR(DNS_R_SERVFAIL);
 					goto cleanup;
 				}
 				fname = query_newname(client, dbuf, &b);
 				if (fname == NULL) {
+					CTRACE(ISC_LOG_ERROR,
+					       "query_find: "
+					       "query_newname failed (4)");
 					QUERY_ERROR(DNS_R_SERVFAIL);
 					goto cleanup;
 				}
@@ -7682,6 +7769,10 @@
 		/*
 		 * Something has gone wrong.
 		 */
+		snprintf(errmsg, sizeof(errmsg) - 1,
+			 "query_find: unexpected error after resuming: %s",
+			 isc_result_totext(result));
+		CTRACE(ISC_LOG_ERROR, errmsg);
 		QUERY_ERROR(DNS_R_SERVFAIL);
 		goto cleanup;
 	}
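Review bot: `errmsg` is built at run time from `isc_result_totext(result)` and then passed to CTRACE as its message argument, unlike every other call site in this diff, which passes a string literal. That is only safe if the macro prints the message through a `%s` conversion rather than using it as the format string; the macro definition is not visible here, so this should be confirmed. The `sizeof(errmsg) - 1` bound is also unnecessary because snprintf() already reserves room for the terminating NUL, so `snprintf(errmsg, sizeof(errmsg),` is the usual form.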
@@ -7740,6 +7831,8 @@
 		rdsiter = NULL;
 		result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
 		if (result != ISC_R_SUCCESS) {
+			CTRACE(ISC_LOG_ERROR,
+			       "query_find: type any; allrdatasets failed");
 			QUERY_ERROR(DNS_R_SERVFAIL);
 			goto cleanup;
 		}
@@ -7874,12 +7967,18 @@
 				dns_rdatasetiter_destroy(&rdsiter);
 				fname = query_newname(client, dbuf, &b);
 				goto nxrrset_rrsig;
-			} else
+			} else {
+				CTRACE(ISC_LOG_ERROR,
+				       "query_find: no matching rdatasets "
+				       "in cache");
 				result = DNS_R_SERVFAIL;
+			}
 		}
 
 		dns_rdatasetiter_destroy(&rdsiter);
 		if (result != ISC_R_NOMORE) {
+			CTRACE(ISC_LOG_ERROR,
+			       "query_find: dns_rdatasetiter_destroy failed");
 			QUERY_ERROR(DNS_R_SERVFAIL);
 			goto cleanup;
 		}
@@ -8103,7 +8202,7 @@
 	}
 
  addauth:
-	CTRACE("query_find: addauth");
+	CTRACE(ISC_LOG_DEBUG(3), "query_find: addauth");
 	/*
 	 * Add NS records to the authority section (if we haven't already
 	 * added them to the answer section).
@@ -8131,7 +8230,7 @@
 				       dns_fixedname_name(&wildcardname),
 				       ISC_TRUE, ISC_FALSE);
  cleanup:
-	CTRACE("query_find: cleanup");
+	CTRACE(ISC_LOG_DEBUG(3), "query_find: cleanup");
 	/*
 	 * General cleanup.
 	 */
@@ -8239,7 +8338,7 @@
 		query_send(client);
 		ns_client_detach(&client);
 	}
-	CTRACE("query_find: done");
+	CTRACE(ISC_LOG_DEBUG(3), "query_find: done");
 
 	return (eresult);
 }
@@ -8327,7 +8426,7 @@
 	unsigned int saved_extflags = client->extflags;
 	unsigned int saved_flags = client->message->flags;
 
-	CTRACE("ns_query_start");
+	CTRACE(ISC_LOG_DEBUG(3), "ns_query_start");
 
 	/*
 	 * Test only.
--- a/external/bsd/bind/dist/bin/named/server.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/server.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: server.c,v 1.19 2015/07/08 17:28:55 christos Exp $	*/
+/*	$NetBSD: server.c,v 1.20 2015/12/17 04:00:41 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
@@ -218,6 +218,8 @@
 	isc_mem_t			*mctx;
 	isc_boolean_t			dumpcache;
 	isc_boolean_t			dumpzones;
+	isc_boolean_t			dumpadb;
+	isc_boolean_t			dumpbad;
 	FILE				*fp;
 	ISC_LIST(struct viewlistentry)	viewlist;
 	struct viewlistentry		*view;
@@ -375,6 +377,9 @@
 	/* Example Prefix, RFC 3849. */
 	"8.B.D.0.1.0.0.2.IP6.ARPA",
 
+	/* RFC 7534 */
+	"EMPTY.AS112.ARPA",
+
 	NULL
 };
 
@@ -2079,18 +2084,20 @@
 	isc_result_t result;
 	unsigned char buf[DNS_SOA_BUFFERSIZE];
 
-	dns_rdataset_init(&rdataset);
-	dns_rdatalist_init(&rdatalist);
 	CHECK(dns_soa_buildrdata(origin, contact, dns_db_class(db),
 				 0, 28800, 7200, 604800, 86400, buf, &rdata));
+
+	dns_rdatalist_init(&rdatalist);
 	rdatalist.type = rdata.type;
-	rdatalist.covers = 0;
 	rdatalist.rdclass = rdata.rdclass;
 	rdatalist.ttl = 86400;
 	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+
+	dns_rdataset_init(&rdataset);
 	CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset));
 	CHECK(dns_db_findnode(db, name, ISC_TRUE, &node));
 	CHECK(dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL));
+
  cleanup:
 	if (node != NULL)
 		dns_db_detachnode(db, &node);
@@ -2112,8 +2119,6 @@
 
 	isc_buffer_init(&b, buf, sizeof(buf));
 
-	dns_rdataset_init(&rdataset);
-	dns_rdatalist_init(&rdatalist);
 	ns.common.rdtype = dns_rdatatype_ns;
 	ns.common.rdclass = dns_db_class(db);
 	ns.mctx = NULL;
@@ -2121,14 +2126,18 @@
 	dns_name_clone(nsname, &ns.name);
 	CHECK(dns_rdata_fromstruct(&rdata, dns_db_class(db), dns_rdatatype_ns,
 				   &ns, &b));
+
+	dns_rdatalist_init(&rdatalist);
 	rdatalist.type = rdata.type;
-	rdatalist.covers = 0;
 	rdatalist.rdclass = rdata.rdclass;
 	rdatalist.ttl = 86400;
 	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+
+	dns_rdataset_init(&rdataset);
 	CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset));
 	CHECK(dns_db_findnode(db, name, ISC_TRUE, &node));
 	CHECK(dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL));
+
  cleanup:
 	if (node != NULL)
 		dns_db_detachnode(db, &node);
@@ -2190,8 +2199,8 @@
 
 		obj = NULL;
 		(void)cfg_map_get(zoptions, "type", &obj);
-		INSIST(obj != NULL);
-		if (strcasecmp(cfg_obj_asstring(obj), "forward") == 0) {
+		if (obj != NULL &&
+		    strcasecmp(cfg_obj_asstring(obj), "forward") == 0) {
 			obj = NULL;
 			(void)cfg_map_get(zoptions, "forward", &obj);
 			if (obj == NULL)
@@ -2339,6 +2348,9 @@
 	char **dlzargv;
 	const cfg_obj_t *disabled;
 	const cfg_obj_t *obj;
+#ifdef ENABLE_FETCHLIMIT
+	const cfg_obj_t *obj2;
+#endif /* ENABLE_FETCHLIMIT */
 	const cfg_listelt_t *element;
 	in_port_t port;
 	dns_cache_t *cache = NULL;
@@ -2996,6 +3008,55 @@
 	}
 	dns_adb_setadbsize(view->adb, max_adb_size);
 
+#ifdef ENABLE_FETCHLIMIT
+	/*
+	 * Set up ADB quotas
+	 */
+	{
+		isc_uint32_t fps, freq;
+		double low, high, discount;
+
+		obj = NULL;
+		result = ns_config_get(maps, "fetches-per-server", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		obj2 = cfg_tuple_get(obj, "fetches");
+		fps = cfg_obj_asuint32(obj2);
+		obj2 = cfg_tuple_get(obj, "response");
+		if (!cfg_obj_isvoid(obj2)) {
+			const char *resp = cfg_obj_asstring(obj2);
+			isc_result_t r;
+
+			if (strcasecmp(resp, "drop") == 0)
+				r = DNS_R_DROP;
+			else if (strcasecmp(resp, "fail") == 0)
+				r = DNS_R_SERVFAIL;
+			else
+				INSIST(0);
+
+			dns_resolver_setquotaresponse(view->resolver,
+						      dns_quotatype_server, r);
+		}
+
+		obj = NULL;
+		result = ns_config_get(maps, "fetch-quota-params", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+
+		obj2 = cfg_tuple_get(obj, "frequency");
+		freq = cfg_obj_asuint32(obj2);
+
+		obj2 = cfg_tuple_get(obj, "low");
+		low = (double) cfg_obj_asfixedpoint(obj2) / 100.0;
+
+		obj2 = cfg_tuple_get(obj, "high");
+		high = (double) cfg_obj_asfixedpoint(obj2) / 100.0;
+
+		obj2 = cfg_tuple_get(obj, "discount");
+		discount = (double) cfg_obj_asfixedpoint(obj2) / 100.0;
+
+		dns_adb_setquota(view->adb, fps, freq, low, high, discount);
+	}
+#endif /* ENABLE_FETCHLIMIT */
+
 	/*
 	 * Set resolver's lame-ttl.
 	 */
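Review bot: The "response" keyword handling here ends in `INSIST(0)`, which leaves `r` unassigned on that path and aborts named on a value that comes from configuration. That is acceptable only if the option parser already restricts the keyword to "drop"/"fail", which this hunk does not show. The same mapping is repeated for "fetches-per-zone" in the hunk at -3459, so a small static helper would keep the two in step and give the result a defined value on every path. `low`, `high` and `discount` are also passed to `dns_adb_setquota()` with no range check visible here; a comment stating where they are validated would help.

```c
/* Proposed helper: map a "response" keyword to the quota result code. */
static isc_result_t
quota_response(const char *resp) {
	if (strcasecmp(resp, "drop") == 0)
		return (DNS_R_DROP);
	if (strcasecmp(resp, "fail") == 0)
		return (DNS_R_SERVFAIL);
	INSIST(0);
	return (DNS_R_SERVFAIL);
}

/* ... unchanged: fetches-per-server lookup and fps ... */
		obj2 = cfg_tuple_get(obj, "response");
		if (!cfg_obj_isvoid(obj2))
			dns_resolver_setquotaresponse(view->resolver,
						      dns_quotatype_server,
						      quota_response(cfg_obj_asstring(obj2)));
/* ... unchanged: fetch-quota-params and dns_adb_setquota ... */
```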
@@ -3459,6 +3520,29 @@
 	INSIST(result == ISC_R_SUCCESS);
 	dns_resolver_setmaxqueries(view->resolver, cfg_obj_asuint32(obj));
 
+#ifdef ENABLE_FETCHLIMIT
+	obj = NULL;
+	result = ns_config_get(maps, "fetches-per-zone", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	obj2 = cfg_tuple_get(obj, "fetches");
+	dns_resolver_setfetchesperzone(view->resolver, cfg_obj_asuint32(obj2));
+	obj2 = cfg_tuple_get(obj, "response");
+	if (!cfg_obj_isvoid(obj2)) {
+		const char *resp = cfg_obj_asstring(obj2);
+		isc_result_t r;
+
+		if (strcasecmp(resp, "drop") == 0)
+			r = DNS_R_DROP;
+		else if (strcasecmp(resp, "fail") == 0)
+			r = DNS_R_SERVFAIL;
+		else
+			INSIST(0);
+
+		dns_resolver_setquotaresponse(view->resolver,
+					      dns_quotatype_zone, r);
+	}
+#endif /* ENABLE_FETCHLIMIT */
+
 #ifdef ALLOW_FILTER_AAAA
 	obj = NULL;
 	result = ns_config_get(maps, "filter-aaaa-on-v4", &obj);
@@ -3593,18 +3677,19 @@
 
 	obj = NULL;
 	result = ns_config_get(maps, "root-delegation-only", &obj);
-	if (result == ISC_R_SUCCESS) {
+	if (result == ISC_R_SUCCESS)
+		dns_view_setrootdelonly(view, ISC_TRUE);
+	if (result == ISC_R_SUCCESS && ! cfg_obj_isvoid(obj)) {
+		const cfg_obj_t *exclude;
 		dns_fixedname_t fixed;
 		dns_name_t *name;
-		const cfg_obj_t *exclude;
-
-		dns_view_setrootdelonly(view, ISC_TRUE);
 
 		dns_fixedname_init(&fixed);
 		name = dns_fixedname_name(&fixed);
 		for (element = cfg_list_first(obj);
 		     element != NULL;
-		     element = cfg_list_next(element)) {
+		     element = cfg_list_next(element))
+		{
 			exclude = cfg_listelt_value(element);
 			CHECK(dns_name_fromstring(name,
 						  cfg_obj_asstring(exclude),
@@ -5347,6 +5432,9 @@
 	ns_cachelist_t cachelist, tmpcachelist;
 	struct cfg_context *nzctx;
 	unsigned int maxsocks;
+#ifdef ENABLE_FETCHLIMIT
+	isc_uint32_t softquota = 0;
+#endif /* ENABLE_FETCHLIMIT */
 
 	ISC_LIST_INIT(viewlist);
 	ISC_LIST_INIT(builtin_viewlist);
@@ -5527,11 +5615,30 @@
 	configure_server_quota(maps, "tcp-clients", &server->tcpquota);
 	configure_server_quota(maps, "recursive-clients",
 			       &server->recursionquota);
-	if (server->recursionquota.max > 1000)
+
+#ifdef ENABLE_FETCHLIMIT
+	if (server->recursionquota.max > 1000) {
+		int margin = ISC_MAX(100, ns_g_cpus + 1);
+		if (margin > server->recursionquota.max - 100) {
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "'recursive-clients %d' too low when "
+				      "running with %d worker threads",
+				      server->recursionquota.max, ns_g_cpus);
+			CHECK(ISC_R_RANGE);
+		}
+		softquota = server->recursionquota.max - margin;
+	} else
+		softquota = (server->recursionquota.max * 90) / 100;
+
+	isc_quota_soft(&server->recursionquota, softquota);
+#else
+	if (server->recursionquota.max > 1000) {
 		isc_quota_soft(&server->recursionquota,
 			       server->recursionquota.max - 100);
-	else
+	} else
 		isc_quota_soft(&server->recursionquota, 0);
+#endif /* !ENABLE_FETCHLIMIT */
 
 	CHECK(configure_view_acl(NULL, config, "blackhole", NULL,
 				 ns_g_aclconfctx, ns_g_mctx,
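Review bot: `margin` is an `int` computed from `ISC_MAX(100, ns_g_cpus + 1)`, and `ns_g_cpus` is printed with `%d`. If `ns_g_cpus` is declared unsigned (its declaration is outside this hunk), the comparison inside ISC_MAX is done in unsigned arithmetic and the format specifier does not match, so `%u` or an explicit cast is needed. The block also has no comment explaining the policy: with ENABLE_FETCHLIMIT a quota of 1000 or less now gets a soft limit of 90%, where the other branch sets 0. I would add something like `/* soft quota: leave headroom of max(100, workers + 1), or 10% for small quotas */` above the `if`.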
@@ -6279,6 +6386,8 @@
 	if (view != NULL)
 		dns_view_detach(&view);
 
+	ISC_LIST_APPENDLIST(viewlist, builtin_viewlist, link);
+
 	/*
 	 * This cleans up either the old production view list
 	 * or our temporary list depending on whether they
@@ -6623,7 +6732,6 @@
 	result = isc_quota_init(&server->recursionquota, 100);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
-
 	result = dns_aclenv_init(mctx, &server->aclenv);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
@@ -6979,25 +7087,6 @@
 	return (result);
 }
 
-static void
-reconfig(ns_server_t *server) {
-	isc_result_t result;
-	CHECK(loadconfig(server));
-
-	result = load_new_zones(server, ISC_FALSE);
-	if (result == ISC_R_SUCCESS)
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-			      "any newly configured zones are now loaded");
-	else
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-			      "loading new zones failed: %s",
-			      isc_result_totext(result));
-
- cleanup: ;
-}
-
 /*
  * Handle a reload event (from SIGHUP).
  */
@@ -7254,11 +7343,23 @@
  * Act on a "reconfig" command from the command channel.
  */
 isc_result_t
-ns_server_reconfigcommand(ns_server_t *server, char *args) {
-	UNUSED(args);
-
-	reconfig(server);
-	return (ISC_R_SUCCESS);
+ns_server_reconfigcommand(ns_server_t *server) {
+	isc_result_t result;
+
+	CHECK(loadconfig(server));
+
+	result = load_new_zones(server, ISC_FALSE);
+	if (result == ISC_R_SUCCESS)
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "any newly configured zones are now loaded");
+	else
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "loading new zones failed: %s",
+			      isc_result_totext(result));
+cleanup:
+	return (result);
 }
 
 /*
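Review bot: The comment above `ns_server_reconfigcommand()` still only says it acts on a "reconfig" command, while the function now returns `result` (presumably set by `CHECK(loadconfig(server))`, then by `load_new_zones()`) instead of always `ISC_R_SUCCESS`. Callers on the control channel will now see failures, so the header comment should say so, e.g. `* Returns the result of loading the configuration or, if that succeeds, of loading new zones.` The `cleanup:` label is also written at column 0 here, while the other labels in this file (` cleanup:`) carry a leading space.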
@@ -7609,10 +7710,17 @@
 				goto cleanup;
 		}
 	}
+
+	if ((dctx->dumpadb || dctx->dumpbad) &&
+	    dctx->cache == NULL && dctx->view->view->cachedb != NULL)
+		dns_db_attach(dctx->view->view->cachedb, &dctx->cache);
+
 	if (dctx->cache != NULL) {
-		dns_adb_dump(dctx->view->view->adb, dctx->fp);
-		dns_resolver_printbadcache(dctx->view->view->resolver,
-					   dctx->fp);
+		if (dctx->dumpadb)
+			dns_adb_dump(dctx->view->view->adb, dctx->fp);
+		if (dctx->dumpbad)
+			dns_resolver_printbadcache(dctx->view->view->resolver,
+						   dctx->fp);
 		dns_db_detach(&dctx->cache);
 	}
 	if (dctx->dumpzones) {
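Review bot: The ADB and bad-cache dumps are still gated on `dctx->cache != NULL`, and the new `dns_db_attach()` exists only to make that test pass before the reference is dropped again a few lines later. As written, a view whose `cachedb` is NULL produces no output for `-adb` or `-bad` and no message, and the attach/detach pair obscures the intent. Testing the flags directly (`if (dctx->dumpadb) dns_adb_dump(...)`, `if (dctx->dumpbad) dns_resolver_printbadcache(...)`) and keeping only `dns_db_detach()` under `if (dctx->cache != NULL)` would say what is meant. Whether `adb` and `resolver` are always set for such a view needs checking, since the function starts outside this hunk.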
@@ -7696,6 +7804,8 @@
 
 	dctx->mctx = server->mctx;
 	dctx->dumpcache = ISC_TRUE;
+	dctx->dumpadb = ISC_TRUE;
+	dctx->dumpbad = ISC_TRUE;
 	dctx->dumpzones = ISC_FALSE;
 	dctx->fp = NULL;
 	ISC_LIST_INIT(dctx->viewlist);
@@ -7719,17 +7829,31 @@
 
 	ptr = next_token(&args, " \t");
 	if (ptr != NULL && strcmp(ptr, "-all") == 0) {
+		/* also dump zones */
 		dctx->dumpzones = ISC_TRUE;
-		dctx->dumpcache = ISC_TRUE;
 		ptr = next_token(&args, " \t");
 	} else if (ptr != NULL && strcmp(ptr, "-cache") == 0) {
-		dctx->dumpzones = ISC_FALSE;
-		dctx->dumpcache = ISC_TRUE;
+		/* this is the default */
 		ptr = next_token(&args, " \t");
 	} else if (ptr != NULL && strcmp(ptr, "-zones") == 0) {
+		/* only dump zones, suppress caches */
+		dctx->dumpadb = ISC_FALSE;
+		dctx->dumpbad = ISC_FALSE;
+		dctx->dumpcache = ISC_FALSE;
 		dctx->dumpzones = ISC_TRUE;
+		ptr = next_token(&args, " \t");
+#ifdef ENABLE_FETCHLIMIT
+	} else if (ptr != NULL && strcmp(ptr, "-adb") == 0) {
+		/* only dump adb, suppress other caches */
+		dctx->dumpbad = ISC_FALSE;
 		dctx->dumpcache = ISC_FALSE;
 		ptr = next_token(&args, " \t");
+	} else if (ptr != NULL && strcmp(ptr, "-bad") == 0) {
+		/* only dump badcache, suppress other caches */
+		dctx->dumpadb = ISC_FALSE;
+		dctx->dumpcache = ISC_FALSE;
+		ptr = next_token(&args, " \t");
+#endif /* ENABLE_FETCHLIMIT */
 	}
 
  nextview:
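Review bot: `-adb` and `-bad` are recognised only when ENABLE_FETCHLIMIT is defined, so in a build without it the token is not consumed here. It then presumably reaches the view-name handling after `nextview:` (outside this hunk) and is treated as a view name. The `dumpadb` and `dumpbad` flags are unconditional in the struct and in the dump code, so nothing visible requires the #ifdef around the parsing. Either drop the #ifdef or add a branch that rejects these options explicitly when the feature is compiled out.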
@@ -7823,11 +7947,27 @@
 ns_server_dumprecursing(ns_server_t *server) {
 	FILE *fp = NULL;
 	isc_result_t result;
+#ifdef ENABLE_FETCHLIMIT
+	dns_view_t *view;
+#endif /* ENABLE_FETCHLIMIT */
 
 	CHECKMF(isc_stdio_open(server->recfile, "w", &fp),
 		"could not open dump file", server->recfile);
-	fprintf(fp,";\n; Recursing Queries\n;\n");
+	fprintf(fp, ";\n; Recursing Queries\n;\n");
 	ns_interfacemgr_dumprecursing(fp, server->interfacemgr);
+
+#ifdef ENABLE_FETCHLIMIT
+	for (view = ISC_LIST_HEAD(server->viewlist);
+	     view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		fprintf(fp, ";\n; Active fetch domains [view: %s]\n;\n",
+			view->name);
+		dns_resolver_dumpfetches(view->resolver,
+					 isc_statsformat_file, fp);
+	}
+#endif /* ENABLE_FETCHLIMIT */
+
 	fprintf(fp, "; Dump complete\n");
 
  cleanup:
@@ -8205,7 +8345,7 @@
 
 	n = snprintf((char *)isc_buffer_used(text),
 		     isc_buffer_availablelength(text),
-		     "version: %s%s%s%s <id:%s>\n"
+		     "version: %s %s%s%s <id:%s>%s%s%s\n"
 		     "boot time: %s\n"
 		     "last configured: %s\n"
 #ifdef ISC_PLATFORM_USETHREADS
@@ -8222,7 +8362,9 @@
 		     "recursive clients: %d/%d/%d\n"
 		     "tcp clients: %d/%d\n"
 		     "server is up and running",
-		     ns_g_version, ob, alt, cb, ns_g_srcid,
+		     ns_g_product, ns_g_version,
+		     (*ns_g_description != '\0') ? " " : "",
+		     ns_g_description, ns_g_srcid, ob, alt, cb,
 		     boottime, configtime,
 #ifdef ISC_PLATFORM_USETHREADS
 		     ns_g_cpus_detected, ns_g_cpus, ns_g_udpdisp,
@@ -9597,15 +9739,15 @@
 
 	/* Serial number */
 	serial = dns_zone_getserial(hasraw ? raw : zone);
-	snprintf(serbuf, sizeof(serbuf), "%d", serial);
+	snprintf(serbuf, sizeof(serbuf), "%u", serial);
 	if (hasraw) {
 		signed_serial = dns_zone_getserial(zone);
-		snprintf(sserbuf, sizeof(sserbuf), "%d", signed_serial);
+		snprintf(sserbuf, sizeof(sserbuf), "%u", signed_serial);
 	}
 
 	/* Database node count */
 	nodes = dns_db_nodecount(hasraw ? rawdb : db);
-	snprintf(nodebuf, sizeof(nodebuf), "%d", nodes);
+	snprintf(nodebuf, sizeof(nodebuf), "%u", nodes);
 
 	/* Security */
 	secure = dns_db_issecure(db);
--- a/external/bsd/bind/dist/bin/named/statschannel.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/statschannel.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: statschannel.c,v 1.10 2014/12/10 04:37:52 christos Exp $	*/
+/*	$NetBSD: statschannel.c,v 1.11 2015/12/17 04:00:41 christos Exp $	*/
 
 /*
- * Copyright (C) 2008-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2008-2015  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -16,14 +16,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* Id: statschannel.c,v 1.28.224.1 2011/12/22 07:48:27 marka Exp  */
-
 /*! \file */
 
 #include <config.h>
 
 #include <isc/buffer.h>
 #include <isc/httpd.h>
+#include <isc/json.h>
 #include <isc/mem.h>
 #include <isc/once.h>
 #include <isc/print.h>
@@ -46,10 +45,6 @@
 #include <named/server.h>
 #include <named/statschannel.h>
 
-#ifdef HAVE_JSON_H
-#include <json/json.h>
-#endif
-
 #include "bind9.xsl.h"
 
 struct ns_statschannel {
@@ -229,9 +224,8 @@
 	SET_NSSTATDESC(udp, "UDP queries received", "QryUDP");
 	SET_NSSTATDESC(tcp, "TCP queries received", "QryTCP");
 	SET_NSSTATDESC(nsidopt, "NSID option received", "NSIDOpt");
-	SET_NSSTATDESC(expireopt, "Expire option recieved", "ExpireOpt");
-	SET_NSSTATDESC(otheropt, "Other EDNS option recieved", "OtherOpt");
-#ifdef ISC_PLATFORM_USESIT
+	SET_NSSTATDESC(expireopt, "Expire option received", "ExpireOpt");
+	SET_NSSTATDESC(otheropt, "Other EDNS option received", "OtherOpt");
 	SET_NSSTATDESC(sitopt, "source identity token option received",
 		       "SitOpt");
 	SET_NSSTATDESC(sitnew, "new source identity token requested",
@@ -243,7 +237,6 @@
 	SET_NSSTATDESC(sitnomatch, "source identity token - no match",
 		       "SitNoMatch");
 	SET_NSSTATDESC(sitmatch, "source identity token - match", "SitMatch");
-#endif
 	INSIST(i == dns_nsstatscounter_max);
 
 	/* Initialize resolver statistics */
@@ -319,15 +312,16 @@
 	SET_RESSTATDESC(nfetch, "active fetches", "NumFetch");
 	SET_RESSTATDESC(buckets, "bucket size", "BucketSize");
 	SET_RESSTATDESC(refused, "REFUSED received", "REFUSED");
-#ifdef ISC_PLATFORM_USESIT
 	SET_RESSTATDESC(sitcc, "SIT sent client cookie only",
 			"SitClientOut");
 	SET_RESSTATDESC(sitout, "SIT sent with client and server cookie",
 			"SitOut");
 	SET_RESSTATDESC(sitin, "SIT replies received", "SitIn");
 	SET_RESSTATDESC(sitok, "SIT client cookie ok", "SitClientOk");
-#endif
 	SET_RESSTATDESC(badvers, "bad EDNS version", "BadEDNSVersion");
+	SET_RESSTATDESC(zonequota, "spilled due to zone quota", "ZoneQuota");
+	SET_RESSTATDESC(serverquota, "spilled due to server quota",
+			"ServerQuota");
 
 	INSIST(i == dns_resstatscounter_max);
 
@@ -577,7 +571,7 @@
 	      const char *category, const char **desc, int ncounters,
 	      int *indices, isc_uint64_t *values, int options)
 {
-	int i, index;
+	int i, idx;
 	isc_uint64_t value;
 	stats_dumparg_t dumparg;
 	FILE *fp;
@@ -614,8 +608,8 @@
 #endif
 
 	for (i = 0; i < ncounters; i++) {
-		index = indices[i];
-		value = values[index];
+		idx = indices[i];
+		value = values[idx];
 
 		if (value == 0 && (options & ISC_STATSDUMP_VERBOSE) == 0)
 			continue;
@@ -624,7 +618,7 @@
 		case isc_statsformat_file:
 			fp = arg;
 			fprintf(fp, "%20" ISC_PRINT_QUADFORMAT "u %s\n",
-				value, desc[index]);
+				value, desc[idx]);
 			break;
 		case isc_statsformat_xml:
 #ifdef HAVE_LIBXML2
@@ -642,7 +636,7 @@
 							       "name"));
 				TRY0(xmlTextWriterWriteString(writer,
 							      ISC_XMLCHAR
-							      desc[index]));
+							      desc[idx]));
 				TRY0(xmlTextWriterEndElement(writer));
 				/* </name> */
 
@@ -666,7 +660,7 @@
 								 ISC_XMLCHAR
 								 "name",
 								 ISC_XMLCHAR
-								 desc[index]));
+								 desc[idx]));
 				TRY0(xmlTextWriterWriteFormatString(writer,
 					"%" ISC_PRINT_QUADFORMAT "u", value));
 				TRY0(xmlTextWriterEndElement(writer));
@@ -680,7 +674,7 @@
 			counter = json_object_new_int64(value);
 			if (counter == NULL)
 				return (ISC_R_NOMEMORY);
-			json_object_object_add(cat, desc[index], counter);
+			json_object_object_add(cat, desc[idx], counter);
 #endif
 			break;
 		}
@@ -914,7 +908,6 @@
 zone_xmlrender(dns_zone_t *zone, void *arg) {
 	isc_result_t result;
 	char buf[1024 + 32];	/* sufficiently large for zone name and class */
-	char *zone_name_only = NULL;
 	dns_rdataclass_t rdclass;
 	isc_uint32_t serial;
 	xmlTextWriterPtr writer = arg;
@@ -933,13 +926,11 @@
 	dumparg.arg = writer;
 
 	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "zone"));
-	dns_zone_name(zone, buf, sizeof(buf));
-	zone_name_only = strtok(buf, "/");
-	if(zone_name_only == NULL)
-		zone_name_only = buf;
 
+	dns_zone_nameonly(zone, buf, sizeof(buf));
 	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "name",
-					 ISC_XMLCHAR zone_name_only));
+					 ISC_XMLCHAR buf));
+
 	rdclass = dns_zone_getclass(zone);
 	dns_rdataclass_format(rdclass, buf, sizeof(buf));
 	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "rdataclass",
@@ -1027,7 +1018,7 @@
 			ISC_XMLCHAR "type=\"text/xsl\" href=\"/bind9.xsl\""));
 	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "statistics"));
 	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
-					 ISC_XMLCHAR "3.5"));
+					 ISC_XMLCHAR "3.6"));
 
 	/* Set common fields for statistics dump */
 	dumparg.type = isc_statsformat_xml;
@@ -1438,7 +1429,9 @@
 }
 
 static json_object *
-addzone(char *name, char *class, isc_uint32_t serial) {
+addzone(char *name, char *class, isc_uint32_t serial,
+	isc_boolean_t add_serial)
+{
 	json_object *node = json_object_new_object();
 
 	if (node == NULL)
@@ -1446,7 +1439,9 @@
 
 	json_object_object_add(node, "name", json_object_new_string(name));
 	json_object_object_add(node, "class", json_object_new_string(class));
-	json_object_object_add(node, "serial", json_object_new_int64(serial));
+	if (add_serial)
+		json_object_object_add(node, "serial",
+				       json_object_new_int64(serial));
 	return (node);
 }
 
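Review bot: The new `json_object_new_int64(serial)` result is passed to json_object_object_add() unchecked, as are the two json_object_new_string() results above it, so an allocation failure here is never reported to the caller. Other JSON paths in this file test the new object first (`if (counter == NULL) return (ISC_R_NOMEMORY);`, `CHECKMEM(obj);`), and the caller of addzone() already maps a NULL return to ISC_R_NOMEMORY. Checking the value and releasing `node` on failure would bring addzone() in line with them, and the same treatment fits the name and class strings. The function signature is in the previous hunk.

```c
	/* … unchanged: "name" and "class" members … */
	if (add_serial) {
		json_object *serialobj = json_object_new_int64(serial);

		if (serialobj == NULL) {
			/* Drop the partially built zone object. */
			json_object_put(node);
			return (NULL);
		}
		json_object_object_add(node, "serial", serialobj);
	}
	return (node);
```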
@@ -1470,19 +1465,18 @@
 	if (statlevel == dns_zonestat_none)
 		return (ISC_R_SUCCESS);
 
-	dns_zone_name(zone, buf, sizeof(buf));
-	zone_name_only = strtok(buf, "/");
-	if(zone_name_only == NULL)
-		zone_name_only = buf;
+	dns_zone_nameonly(zone, buf, sizeof(buf));
+	zone_name_only = buf;
 
 	rdclass = dns_zone_getclass(zone);
 	dns_rdataclass_format(rdclass, class, sizeof(class));
 	class_only = class;
 
 	if (dns_zone_getserial2(zone, &serial) != ISC_R_SUCCESS)
-		serial = -1;
+		zoneobj = addzone(zone_name_only, class_only, 0, ISC_FALSE);
+	else
+		zoneobj = addzone(zone_name_only, class_only, serial, ISC_TRUE);
 
-	zoneobj = addzone(zone_name_only, class_only, serial);
 	if (zoneobj == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -1570,7 +1564,7 @@
 	/*
 	 * These statistics are included no matter which URL we use.
 	 */
-	obj = json_object_new_string("1.0");
+	obj = json_object_new_string("1.2");
 	CHECKMEM(obj);
 	json_object_object_add(bindstats, "json-stats-version", obj);
 
@@ -2366,7 +2360,20 @@
 			      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
 			      "statistics-channels specified but not effective "
 			      "due to missing XML and/or JSON library");
-#endif
+#else /* EXTENDED_STATS */
+#ifndef HAVE_LIBXML2
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
+			      "statistics-channels: XML library missing, "
+			      "only JSON stats will be available");
+#endif /* !HAVE_LIBXML2 */
+#ifndef HAVE_JSON
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
+			      "statistics-channels: JSON library missing, "
+			      "only XML stats will be available");
+#endif /* !HAVE_JSON */
+#endif /* EXTENDED_STATS */
 
 		for (element = cfg_list_first(statschannellist);
 		     element != NULL;
--- a/external/bsd/bind/dist/bin/named/update.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/update.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: update.c,v 1.11 2015/07/08 17:28:55 christos Exp $	*/
+/*	$NetBSD: update.c,v 1.12 2015/12/17 04:00:41 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -3054,6 +3054,19 @@
 			goto failure;
 		}
 	}
+	if (! ISC_LIST_EMPTY(diff.tuples)) {
+		result = dns_zone_cdscheck(zone, db, ver);
+		if (result == DNS_R_BADCDS || result == DNS_R_BADCDNSKEY) {
+			update_log(client, zone, LOGLEVEL_PROTOCOL,
+				   "update rejected: bad %s RRset",
+				   result == DNS_R_BADCDS ? "CDS" : "CDNSKEY");
+			result = DNS_R_REFUSED;
+			goto failure;
+		}
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+
+	}
 
 	/*
 	 * If any changes were made, increment the SOA serial number,
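Review bot: The generic `if (result != ISC_R_SUCCESS) goto failure;` after the dns_zone_cdscheck() call jumps out without an update_log() entry, so only the DNS_R_BADCDS and DNS_R_BADCDNSKEY rejections are recorded. Any other failure of the check would leave no trace for an operator unless the failure label, which is outside this hunk, logs it. Logging before the jump keeps the record complete, for example `update_log(client, zone, LOGLEVEL_PROTOCOL, "CDS/CDNSKEY check failed: %s", isc_result_totext(result));` inside a braced body. The stray blank line before the closing brace of the new block can be dropped.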
--- a/external/bsd/bind/dist/bin/named/win32/ntservice.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/win32/ntservice.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: ntservice.c,v 1.6 2014/12/10 04:37:52 christos Exp $	*/
+/*	$NetBSD: ntservice.c,v 1.7 2015/12/17 04:00:41 christos Exp $	*/
 
 /*
- * Copyright (C) 2004, 2006, 2007, 2009, 2011, 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006, 2007, 2009, 2011, 2013-2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -25,6 +25,7 @@
 #include <isc/app.h>
 #include <isc/commandline.h>
 #include <isc/log.h>
+#include <isc/print.h>
 
 #include <named/globals.h>
 #include <named/ntservice.h>
@@ -142,9 +143,7 @@
 
 	/* Command line users should put -f in the options. */
 	isc_commandline_errprint = ISC_FALSE;
-	while ((ch = isc_commandline_parse(argc, argv,
-					   "46c:C:d:D:E:fFgi:lm:n:N:p:P:"
-					   "sS:t:T:U:u:vVx:")) != -1) {
+	while ((ch = isc_commandline_parse(argc, argv, NS_MAIN_ARGS)) != -1) {
 		switch (ch) {
 		case 'f':
 		case 'g':
--- a/external/bsd/bind/dist/bin/named/win32/os.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/win32/os.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: os.c,v 1.8 2015/07/08 17:28:55 christos Exp $	*/
+/*	$NetBSD: os.c,v 1.9 2015/12/17 04:00:41 christos Exp $	*/
 
 /*
  * Copyright (C) 2004, 2005, 2007-2009, 2012-2015  Internet Systems Consortium, Inc. ("ISC")
@@ -17,8 +17,6 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* Id: os.c,v 1.39 2012/02/06 23:46:44 tbox Exp  */
-
 #include <config.h>
 #include <stdarg.h>
 
--- a/external/bsd/bind/dist/bin/named/xfrout.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/xfrout.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: xfrout.c,v 1.9 2015/07/08 17:28:55 christos Exp $	*/
+/*	$NetBSD: xfrout.c,v 1.10 2015/12/17 04:00:41 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
@@ -139,6 +139,7 @@
 	dns_rdataset_t rds;
 	dns_rdata_t rd = DNS_RDATA_INIT;
 
+	dns_rdatalist_init(&rdl);
 	rdl.type = rdata->type;
 	rdl.rdclass = rdata->rdclass;
 	rdl.ttl = ttl;
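Review bot: Nothing in the change records which rdatalists arrive already initialised: the added `dns_rdatalist_init(&rdl)` covers `rdl` here (apparently a local, declared outside the hunk), while the -1466 hunk in this file and the -1362 and -1867 hunks in nsupdate.c delete their `ISC_LINK_INIT`/`ISC_LIST_INIT`/`dns_rdatalist_init` calls and go straight to `ISC_LIST_APPEND`. Those deletions are only safe if dns_message_gettemprdatalist() now returns an initialised list, which this page does not show. The -1362 hunk also drops `rdatalist->covers = 0` and `rdatalist->ttl = 0` on the same assumption. A short comment at each of those sites, such as `/* rdatalist comes initialised from dns_message_gettemprdatalist() */`, would keep a later partial backport from appending to an uninitialised list.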
@@ -147,8 +148,6 @@
 		rdl.covers = dns_rdata_covers(rdata);
 	else
 		rdl.covers = dns_rdatatype_none;
-	ISC_LIST_INIT(rdl.rdata);
-	ISC_LINK_INIT(&rdl, link);
 	dns_rdataset_init(&rds);
 	dns_rdata_init(&rd);
 	dns_rdata_clone(rdata, &rd);
@@ -1466,8 +1465,6 @@
 			msgrdl->covers = dns_rdata_covers(rdata);
 		else
 			msgrdl->covers = dns_rdatatype_none;
-		ISC_LINK_INIT(msgrdl, link);
-		ISC_LIST_INIT(msgrdl->rdata);
 		ISC_LIST_APPEND(msgrdl->rdata, msgrdata, link);
 
 		result = dns_message_gettemprdataset(msg, &msgrds);
--- a/external/bsd/bind/dist/bin/nsupdate/nsupdate.1	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/nsupdate/nsupdate.1	Thu Dec 17 04:00:21 2015 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: nsupdate.1,v 1.6 2014/12/10 04:37:52 christos Exp $
+.\"	$NetBSD: nsupdate.1,v 1.7 2015/12/17 04:00:41 christos Exp $
 .\"
-.\" Copyright (C) 2004-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -35,7 +35,7 @@
 nsupdate \- Dynamic DNS update utility
 .SH "SYNOPSIS"
 .HP 9
-\fBnsupdate\fR [\fB\-d\fR] [\fB\-D\fR] [[\fB\-g\fR] | [\fB\-o\fR] | [\fB\-l\fR] | [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-R\ \fR\fB\fIrandomdev\fR\fR] [\fB\-v\fR] [\fB\-T\fR] [\fB\-P\fR] [\fB\-V\fR] [filename]
+\fBnsupdate\fR [\fB\-d\fR] [\fB\-D\fR] [\fB\-L\ \fR\fB\fIlevel\fR\fR] [[\fB\-g\fR] | [\fB\-o\fR] | [\fB\-l\fR] | [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-R\ \fR\fB\fIrandomdev\fR\fR] [\fB\-v\fR] [\fB\-T\fR] [\fB\-P\fR] [\fB\-V\fR] [filename]
 .SH "DESCRIPTION"
 .PP
 \fBnsupdate\fR
@@ -49,53 +49,148 @@
 \fBnsupdate\fR
 have to be in the same zone. Requests are sent to the zone's master server. This is identified by the MNAME field of the zone's SOA record.
 .PP
-The
-\fB\-d\fR
-option makes
-\fBnsupdate\fR
-operate in debug mode. This provides tracing information about the update requests that are made and the replies received from the name server.
+Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC 2845 or the SIG(0) record described in RFC 2535 and RFC 2931 or GSS\-TSIG as described in RFC 3645.
 .PP
-The
-\fB\-D\fR
-option makes
+TSIG relies on a shared secret that should only be known to
 \fBnsupdate\fR
-report additional debugging information to
-\fB\-d\fR.
-.PP
-The
-\fB\-L\fR
-option with an integer argument of zero or higher sets the logging debug level. If zero, logging is disabled.
-.PP
-Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC 2845 or the SIG(0) record described in RFC 2535 and RFC 2931 or GSS\-TSIG as described in RFC 3645. TSIG relies on a shared secret that should only be known to
-\fBnsupdate\fR
-and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC\-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other. For instance, suitable
+and the name server. For instance, suitable
 \fBkey\fR
 and
 \fBserver\fR
 statements would be added to
 \fI/etc/named.conf\fR
-so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication. SIG(0) uses public key cryptography. To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server.
+so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication. You can use
+\fBddns\-confgen\fR
+to generate suitable configuration fragments.
 \fBnsupdate\fR
-does not read
-\fI/etc/named.conf\fR.
+uses the
+\fB\-y\fR
+or
+\fB\-k\fR
+options to provide the TSIG shared secret. These options are mutually exclusive.
+.PP
+SIG(0) uses public key cryptography. To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server.
 .PP
 GSS\-TSIG uses Kerberos credentials. Standard GSS\-TSIG mode is switched on with the
 \fB\-g\fR
 flag. A non\-standards\-compliant variant of GSS\-TSIG used by Windows 2000 can be switched on with the
 \fB\-o\fR
 flag.
+.SH "OPTIONS"
 .PP
-\fBnsupdate\fR
-uses the
-\fB\-y\fR
-or
+\-d
+.RS 4
+Debug mode. This provides tracing information about the update requests that are made and the replies received from the name server.
+.RE
+.PP
+\-D
+.RS 4
+Extra debug mode.
+.RE
+.PP
+\-k \fIkeyfile\fR
+.RS 4
+The file containing the TSIG authentication key. Keyfiles may be in two formats: a single file containing a
+\fInamed.conf\fR\-format
+\fBkey\fR
+statement, which may be generated automatically by
+\fBddns\-confgen\fR, or a pair of files whose names are of the format
+\fIK{name}.+157.+{random}.key\fR
+and
+\fIK{name}.+157.+{random}.private\fR, which can be generated by
+\fBdnssec\-keygen\fR. The
+\fB\-k\fR
+may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC\-MD5 key.
+.RE
+.PP
+\-l
+.RS 4
+Local\-host only mode. This sets the server address to localhost (disabling the
+\fBserver\fR
+so that the server address cannot be overridden). Connections to the local server will use a TSIG key found in
+\fI/var/run/named/session.key\fR, which is automatically generated by
+\fBnamed\fR
+if any local master zone has set
+\fBupdate\-policy\fR
+to
+\fBlocal\fR. The location of this key file can be overridden with the
 \fB\-k\fR
-option to provide the shared secret needed to generate a TSIG record for authenticating Dynamic DNS update requests, default type HMAC\-MD5. These options are mutually exclusive.
+option.
+.RE
+.PP
+\-L \fIlevel\fR
+.RS 4
+Set the logging debug level. If zero, logging is disabled.
+.RE
+.PP
+\-p \fIport\fR
+.RS 4
+Set the port to use for connections to a name server. The default is 53.
+.RE
+.PP
+\-P
+.RS 4
+Print the list of private BIND\-specific resource record types whose format is understood by
+\fBnsupdate\fR. See also the
+\fB\-T\fR
+option.
+.RE
+.PP
+\-r \fIudpretries\fR
+.RS 4
+The number of UDP retries. The default is 3. If zero, only one update request will be made.
+.RE
+.PP
+\-R \fIrandomdev\fR
+.RS 4
+Where to obtain randomness. If the operating system does not provide a
+\fI/dev/random\fR
+or equivalent device, the default source of randomness is keyboard input.
+\fIrandomdev\fR
+specifies the name of a character device or file containing random data to be used instead of the default. The special value
+\fIkeyboard\fR
+indicates that keyboard input should be used. This option may be specified multiple times.
+.RE
 .PP
-When the
-\fB\-y\fR
-option is used, a signature is generated from
-[\fIhmac:\fR]\fIkeyname:secret.\fR
+\-t \fItimeout\fR
+.RS 4
+The maximum time an update request can take before it is aborted. The default is 300 seconds. Zero can be used to disable the timeout.
+.RE
+.PP
+\-T
+.RS 4
+Print the list of IANA standard resource record types whose format is understood by
+\fBnsupdate\fR.
+\fBnsupdate\fR
+will exit after the lists are printed. The
+\fB\-T\fR
+option can be combined with the
+\fB\-P\fR
+option.
+.sp
+Other types can be entered using "TYPEXXXXX" where "XXXXX" is the decimal value of the type with no leading zeros. The rdata, if present, will be parsed using the UNKNOWN rdata format, (<backslash> <hash> <space> <length> <space> <hexstring>).
+.RE
+.PP
+\-u \fIudptimeout\fR
+.RS 4
+The UDP retry interval. The default is 3 seconds. If zero, the interval will be computed from the timeout interval and number of UDP retries.
+.RE
+.PP
+\-v
+.RS 4
+Use TCP even for small update requests. By default,
+\fBnsupdate\fR
+uses UDP to send update requests to the name server unless they are too large to fit in a UDP request in which case TCP will be used. TCP may be preferable when a batch of update requests is made.
+.RE
+.PP
+\-V
+.RS 4
+Print the version number and exit.
+.RE
+.PP
+\-y \fI[hmac:]\fR\fIkeyname:secret\fR
+.RS 4
+Literal TSIG authentication key.
 \fIkeyname\fR
 is the name of the key, and
 \fIsecret\fR
@@ -110,96 +205,14 @@
 hmac\-sha512. If
 \fIhmac\fR
 is not specified, the default is
-hmac\-md5. NOTE: Use of the
+hmac\-md5.
+.sp
+NOTE: Use of the
 \fB\-y\fR
 option is discouraged because the shared secret is supplied as a command line argument in clear text. This may be visible in the output from
 \fBps\fR(1)
 or in a history file maintained by the user's shell.
-.PP
-With the
-\fB\-k\fR
-option,
-\fBnsupdate\fR
-reads the shared secret from the file
-\fIkeyfile\fR. Keyfiles may be in two formats: a single file containing a
-\fInamed.conf\fR\-format
-\fBkey\fR
-statement, which may be generated automatically by
-\fBddns\-confgen\fR, or a pair of files whose names are of the format
-\fIK{name}.+157.+{random}.key\fR
-and
-\fIK{name}.+157.+{random}.private\fR, which can be generated by
-\fBdnssec\-keygen\fR. The
-\fB\-k\fR
-may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC\-MD5 key.
-.PP
-\fBnsupdate\fR
-can be run in a local\-host only mode using the
-\fB\-l\fR
-flag. This sets the server address to localhost (disabling the
-\fBserver\fR
-so that the server address cannot be overridden). Connections to the local server will use a TSIG key found in
-\fI/var/run/named/session.key\fR, which is automatically generated by
-\fBnamed\fR
-if any local master zone has set
-\fBupdate\-policy\fR
-to
-\fBlocal\fR. The location of this key file can be overridden with the
-\fB\-k\fR
-option.
-.PP
-By default,
-\fBnsupdate\fR
-uses UDP to send update requests to the name server unless they are too large to fit in a UDP request in which case TCP will be used. The
-\fB\-v\fR
-option makes
-\fBnsupdate\fR
-use a TCP connection. This may be preferable when a batch of update requests is made.
-.PP
-The
-\fB\-p\fR
-sets the default port number to use for connections to a name server. The default is 53.
-.PP
-The
-\fB\-t\fR
-option sets the maximum time an update request can take before it is aborted. The default is 300 seconds. Zero can be used to disable the timeout.
-.PP
-The
-\fB\-u\fR
-option sets the UDP retry interval. The default is 3 seconds. If zero, the interval will be computed from the timeout interval and number of UDP retries.
-.PP
-The
-\fB\-r\fR
-option sets the number of UDP retries. The default is 3. If zero, only one update request will be made.
-.PP
-The
-\fB\-R \fR\fB\fIrandomdev\fR\fR
-option specifies a source of randomness. If the operating system does not provide a
-\fI/dev/random\fR
-or equivalent device, the default source of randomness is keyboard input.
-\fIrandomdev\fR
-specifies the name of a character device or file containing random data to be used instead of the default. The special value
-\fIkeyboard\fR
-indicates that keyboard input should be used. This option may be specified multiple times.
-.PP
-Other types can be entered using "TYPEXXXXX" where "XXXXX" is the decimal value of the type with no leading zeros. The rdata, if present, will be parsed using the UNKNOWN rdata format, (<backslash> <hash> <space> <length> <space> <hexstring>).
-.PP
-The
-\fB\-T\fR
-and
-\fB\-P\fR
-options print out lists of non\-meta types for which the type\-specific presentation formats are known.
-\fB\-T\fR
-prints out the list of IANA\-assigned types.
-\fB\-P\fR
-prints out the list of private types specific to
-\fBnamed\fR. These options may be combined.
-\fBnsupdate\fR
-will exit after the lists are printed.
-.PP
-The \-V option causes
-\fBnsupdate\fR
-to print the version number and exit.
+.RE
 .SH "INPUT FORMAT"
 .PP
 \fBnsupdate\fR
@@ -480,7 +493,7 @@
 .PP
 The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases.
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000\-2003 Internet Software Consortium.
 .br
--- a/external/bsd/bind/dist/bin/nsupdate/nsupdate.c	Thu Dec 17 03:21:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/nsupdate/nsupdate.c	Thu Dec 17 04:00:21 2015 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: nsupdate.c,v 1.13 2015/07/08 17:28:55 christos Exp $	*/
+/*	$NetBSD: nsupdate.c,v 1.14 2015/12/17 04:00:41 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
@@ -1022,7 +1022,7 @@
 					argv[0], isc_commandline_option);
 			fprintf(stderr, "usage: nsupdate [-dD] [-L level] [-l]"
 				"[-g | -o | -y keyname:secret | -k keyfile] "
-				"[-v] [-V] [filename]\n");
+				"[-v] [-V] [-P] [-T] [filename]\n");
 			exit(1);
 
 		case 'P':
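Review bot: The usage string still joins `"... [-L level] [-l]"` directly to `"[-g | -o | ..."`, so the printed text reads `[-l][-g | -o`; the first literal needs a trailing space, `"usage: nsupdate [-dD] [-L level] [-l] "`. With -P and -T now listed, the line still omits the -p, -r, -R, -t and -u options that the nsupdate.1 change in this commit documents. It also shows `-y keyname:secret` without the optional `[hmac:]` prefix from the manual page synopsis. The enclosing switch and function start outside the hunk.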
@@ -1362,7 +1362,6 @@
 	check_result(result, "dns_message_gettemprdatalist");
 	result = dns_message_gettemprdataset(updatemsg, &rdataset);
 	check_result(result, "dns_message_gettemprdataset");
-	dns_rdatalist_init(rdatalist);
 	rdatalist->type = rdatatype;
 	if (ispositive) {
 		if (isrrset && rdata->data != NULL)
@@ -1371,11 +1370,8 @@
 			rdatalist->rdclass = dns_rdataclass_any;
 	} else
 		rdatalist->rdclass = dns_rdataclass_none;
-	rdatalist->covers = 0;
-	rdatalist->ttl = 0;
 	rdata->rdclass = rdatalist->rdclass;
 	rdata->type = rdatatype;
-	ISC_LIST_INIT(rdatalist->rdata);
 	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
 	dns_rdatalist_tordataset(rdatalist, rdataset);
 	ISC_LIST_INIT(name->list);
@@ -1867,12 +1863,10 @@
 	check_result(result, "dns_message_gettemprdatalist");
 	result = dns_message_gettemprdataset(updatemsg, &rdataset);
 	check_result(result, "dns_message_gettemprdataset");
-	dns_rdatalist_init(rdatalist);
 	rdatalist->type = rdatatype;
 	rdatalist->rdclass = rdataclass;
 	rdatalist->covers = rdatatype;
 	rdatalist->ttl = (dns_ttl_t)ttl;
-	ISC_LIST_INIT(rdatalist->rdata);
 	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
 	dns_rdatalist_tordataset(rdatalist, rdataset);
 	ISC_LIST_INIT(name->list);
@@ -2225,6 +2219,7 @@
 		dns_request_destroy(&request);
 		dns_message_renderreset(updatemsg);
 		dns_message_settsigkey(updatemsg, NULL);
+		/* XXX MPA fix zonename is freed already */
 		send_update(zname, &master_servers[master_inuse]);
 		isc_event_free(&event);
 		return;
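Review bot: The added comment `/* XXX MPA fix zonename is freed already */` records a suspected use of freed memory in the `send_update(zname, ...)` call right below it, but the commit leaves the call unchanged. A marker like this is easy to lose in a vendor import; it should say which earlier call releases the name and what keeps `zname` valid on this retry path, or the path should be fixed before the merge lands. Whether `zname` really is dangling cannot be judged from this hunk, since the function body starts outside it. The bare `XXXMPA` comment added in the -2527 hunk, above the `zname = userzone` assignment, is weaker still: it names no issue at all.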
@@ -2527,6 +2522,9 @@
 	dns_name_init(&master, NULL);
 	dns_name_clone(&soa.origin, &master);
 
+	/*
+	 * XXXMPA
+	 */
 	if (userzone != NULL)
 		zname = userzone;
 	else
--- a/external/bsd/bind/dist/bin/pkcs11/openssl-0.9.8zc-patch	Thu Dec 17 03:21:49 2015 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,15908 +0,0 @@
-Index: openssl/Configure
-diff -u openssl/Configure:1.8.6.1.4.1.2.1 openssl/Configure:1.8.2.2
---- openssl/Configure:1.8.6.1.4.1.2.1	Thu Jul  3 12:12:31 2014
-+++ openssl/Configure	Thu Jul  3 12:31:57 2014
-@@ -12,7 +12,7 @@
- 
- # see INSTALL for instructions.
- 
--my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
-+my $usage="Usage: Configure --pk11-libname=PK11_LIB_LOCATION --pk11-flavor=FLAVOR [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
- 
- # Options:
- #
-@@ -25,6 +25,12 @@
- #               default).  This needn't be set in advance, you can
- #               just as well use "make INSTALL_PREFIX=/whatever install".
- #
-+# --pk11-libname  PKCS#11 library name.
-+#               (No default)
-+#
-+# --pk11-flavor either crypto-accelerator or sign-only
-+#               (No default)
-+#
- # --with-krb5-dir  Declare where Kerberos 5 lives.  The libraries are expected
- #		to live in the subdirectory lib/ and the header files in
- #		include/.  A value is required.
-@@ -336,7 +342,7 @@
- "linux-ppc",	"gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- #### IA-32 targets...
- "linux-ia32-icc",	"icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT -pthread::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
- ####
- "linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-@@ -344,7 +350,7 @@
- "linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT -pthread::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- #### SPARC Linux setups
- # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
- # assisted with debugging of following two configs.
-@@ -591,6 +597,10 @@
- my $idx_ranlib = $idx++;
- my $idx_arflags = $idx++;
- 
-+# PKCS#11 engine patch
-+my $pk11_libname="";
-+my $pk11_flavor="";
-+
- my $prefix="";
- my $libdir="";
- my $openssldir="";
-@@ -829,6 +839,14 @@
- 				{
- 				$flags.=$_." ";
- 				}
-+			elsif (/^--pk11-libname=(.*)$/)
-+				{
-+				$pk11_libname=$1;
-+				}
-+			elsif (/^--pk11-flavor=(.*)$/)
-+				{
-+				$pk11_flavor=$1;
-+				}
- 			elsif (/^--prefix=(.*)$/)
- 				{
- 				$prefix=$1;
-@@ -964,6 +982,22 @@
- 	exit 0;
- }
- 
-+if (! $pk11_libname)
-+        {
-+        print STDERR "You must set --pk11-libname for PKCS#11 library.\n";
-+        print STDERR "See README.pkcs11 for more information.\n";
-+        exit 1;
-+        }
-+
-+if (! $pk11_flavor
-+    || !($pk11_flavor eq "crypto-accelerator" || $pk11_flavor eq "sign-only"))
-+	{
-+	print STDERR "You must set --pk11-flavor.\n";
-+	print STDERR "Choices are crypto-accelerator and sign-only.\n";
-+	print STDERR "See README.pkcs11 for more information.\n";
-+	exit 1;
-+	}
-+
- if ($target =~ m/^CygWin32(-.*)$/) {
- 	$target = "Cygwin".$1;
- }
-@@ -1079,6 +1113,25 @@
- 	print "\n";
- 	}
- 
-+if ($pk11_flavor eq "crypto-accelerator")
-+	{
-+	$openssl_other_defines .= "#define OPENSSL_NO_HW_PKCS11SO\n";
-+	$default_depflags .= " -DOPENSSL_NO_HW_PKCS11SO";
-+	$depflags .= " -DOPENSSL_NO_HW_PKCS11SO";
-+	$options .= " no-hw-pkcs11so";
-+	print "    no-hw-pkcs11so  [pk11-flavor]";
-+	print " OPENSSL_NO_HW_PKCS11SO\n";
-+	}
-+else
-+	{
-+	$openssl_other_defines .= "#define OPENSSL_NO_HW_PKCS11CA\n";
-+	$default_depflags .= " -DOPENSSL_NO_HW_PKCS11CA";
-+	$depflags .= " -DOPENSSL_NO_HW_PKCS11CA";
-+	$options .= " no-hw-pkcs11ca";
-+	print "    no-hw-pkcs11ca  [pk11-flavor]";
-+	print " OPENSSL_NO_HW_PKCS11CA\n";
-+}
-+
- my $IsMK1MF=scalar grep /^$target$/,@MK1MF_Builds;
- 
- $IsMK1MF=1 if ($target eq "mingw" && $^O ne "cygwin" && !is_msys());
-@@ -1130,6 +1183,8 @@
- if ($flags ne "")	{ $cflags="$flags$cflags"; }
- else			{ $no_user_cflags=1;       }
- 
-+$cflags="-DPK11_LIB_LOCATION=\"$pk11_libname\" $cflags";
-+
- # Kerberos settings.  The flavor must be provided from outside, either through
- # the script "config" or manually.
- if (!$no_krb5)
-@@ -1493,6 +1548,7 @@
- 	s/^VERSION=.*/VERSION=$version/;
- 	s/^MAJOR=.*/MAJOR=$major/;
- 	s/^MINOR=.*/MINOR=$minor/;
-+	s/^PK11_LIB_LOCATION=.*/PK11_LIB_LOCATION=$pk11_libname/;
- 	s/^SHLIB_VERSION_NUMBER=.*/SHLIB_VERSION_NUMBER=$shlib_version_number/;
- 	s/^SHLIB_VERSION_HISTORY=.*/SHLIB_VERSION_HISTORY=$shlib_version_history/;
- 	s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=$shlib_major/;
-Index: openssl/Makefile.org
-diff -u openssl/Makefile.org:1.4.6.1.6.1 openssl/Makefile.org:1.4.2.1
---- openssl/Makefile.org:1.4.6.1.6.1	Thu Jul  3 12:12:31 2014
-+++ openssl/Makefile.org	Thu Jul  3 12:31:58 2014
-@@ -26,6 +26,9 @@
- INSTALL_PREFIX=
- INSTALLTOP=/usr/local/ssl
- 
-+# You must set this through --pk11-libname configure option.
-+PK11_LIB_LOCATION=
-+
- # Do not edit this manually. Use Configure --openssldir=DIR do change this!
- OPENSSLDIR=/usr/local/ssl
- 
-Index: openssl/README.pkcs11
-diff -u /dev/null openssl/README.pkcs11:1.6.4.2
---- /dev/null	Fri Jan  2 13:56:40 2015
-+++ openssl/README.pkcs11	Fri Oct  4 14:45:25 2013
-@@ -0,0 +1,266 @@
-+ISC modified
-+============
-+
-+The previous key naming scheme was kept for backward compatibility.
-+
-+The PKCS#11 engine exists in two flavors, crypto-accelerator and
-+sign-only. The first one is from the Solaris patch and uses the
-+PKCS#11 device for all crypto operations it supports. The second
-+is a stripped down version which provides only the useful
-+function (i.e., signature with a RSA private key in the device
-+protected key store and key loading).
-+
-+As a hint PKCS#11 boards should use the crypto-accelerator flavor,
-+external PKCS#11 devices the sign-only. SCA 6000 is an example
-+of the first, AEP Keyper of the second.
-+
-+Note it is mandatory to set a pk11-flavor (and only one) in
-+config/Configure.
-+
-+It is highly recommended to compile in (vs. as a DSO) the engine.
-+The way to configure this is system dependent, on Unixes it is no-shared
-+(and is in general the default), on WIN32 it is enable-static-engine
-+(and still enable to build the OpenSSL libraries as DLLs).
-+
-+PKCS#11 engine support for OpenSSL 0.9.8l
-+=========================================
-+
-+[Nov 19, 2009]
-+
-+Contents:
-+
-+Overview
-+Revisions of the patch for 0.9.8 branch
-+FAQs
-+Feedback
-+
-+Overview
-+========
-+
-+This patch containing code available in OpenSolaris adds support for PKCS#11
-+engine into OpenSSL and implements PKCS#11 v2.20. It is to be applied against
-+OpenSSL 0.9.8l source code distribution as shipped by OpenSSL.Org. Your system
-+must provide PKCS#11 backend otherwise the patch is useless. You provide the
-+PKCS#11 library name during the build configuration phase, see below.
-+
-+Patch can be applied like this:
-+
-+	# NOTE: use gtar if on Solaris
-+	tar xfzv openssl-0.9.8l.tar.gz
-+	# now download the patch to the current directory
-+	# ...
-+	cd openssl-0.9.8l
-+	# NOTE: must use gpatch if on Solaris (is part of the system)
-+	patch -p1 < path-to/pkcs11_engine-0.9.8l.patch.2009-11-19
-+
-+It is designed to support pure acceleration for RSA, DSA, DH and all the
-+symetric ciphers and message digest algorithms that PKCS#11 and OpenSSL share
-+except for missing support for patented algorithms MDC2, RC3, RC5 and IDEA.
-+
-+According to the PKCS#11 providers installed on your machine, it can support
-+following mechanisms:
-+
-+	RSA, DSA, DH, RAND, DES-CBC, DES-EDE3-CBC, DES-ECB, DES-EDE3, RC4,
-+	AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-ECB, AES-192-ECB,
-+	AES-256-ECB, AES-128-CTR, AES-192-CTR, AES-256-CTR, MD5, SHA1, SHA224,
-+	SHA256, SHA384, SHA512
-+
-+Note that for AES counter mode the application must provide their own EVP
-+functions since OpenSSL doesn't support counter mode through EVP yet. You may
-+see OpenSSH source code (cipher.c) to get the idea how to do that. SunSSH is an
-+example of code that uses the PKCS#11 engine and deals with the fork-safety
-+problem (see engine.c and packet.c files if interested).
-+
-+You must provide the location of PKCS#11 library in your system to the
-+configure script. You will be instructed to do that when you try to run the
-+config script:
-+
-+	$ ./config 
-+	Operating system: i86pc-whatever-solaris2
-+	Configuring for solaris-x86-cc
-+	You must set --pk11-libname for PKCS#11 library.
-+	See README.pkcs11 for more information.
-+
-+Taking openCryptoki project on Linux AMD64 box as an example, you would run
-+configure script like this:
-+
-+	./config --pk11-libname=/usr/lib64/pkcs11/PKCS11_API.so
-+
-+To check whether newly built openssl really supports PKCS#11 it's enough to run
-+"apps/openssl engine" and look for "(pkcs11) PKCS #11 engine support" in the
-+output. If you see no PKCS#11 engine support check that the built openssl binary
-+and the PKCS#11 library from --pk11-libname don't conflict on 32/64 bits.
-+
-+The patch, during various phases of development, was tested on Solaris against
-+PKCS#11 engine available from Solaris Cryptographic Framework (Solaris 10 and
-+OpenSolaris) and also on Linux using PKCS#11 libraries from openCryptoki project
-+(see openCryptoki website http://sourceforge.net/projects/opencryptoki for more
-+information). Some Linux distributions even ship those libraries with the
-+system. The patch should work on any system that is supported by OpenSSL itself
-+and has functional PKCS#11 library.
-+
-+The patch contains "RSA Security Inc. PKCS #11 Cryptographic Token Interface
-+(Cryptoki)" - files cryptoki.h, pkcs11.h, pkcs11f.h and pkcs11t.h which are
-+copyrighted by RSA Security Inc., see pkcs11.h for more information.
-+
-+Other added/modified code in this patch is copyrighted by Sun Microsystems,
-+Inc. and is released under the OpenSSL license (see LICENSE file for more
-+information).
-+
-+Revisions of the patch for 0.9.8 branch
-+=======================================
-+
-+2009-11-19
-+- adjusted for OpenSSL version 0.9.8l
-+
-+- bugs and RFEs:
-+
-+	6479874 OpenSSL should support RSA key by reference/hardware keystores
-+	6896677 PKCS#11 engine's hw_pk11_err.h needs to be split
-+	6732677 make check to trigger Solaris specific code automatic in the
-+		PKCS#11 engine
-+
-+2009-03-11
-+- adjusted for OpenSSL version 0.9.8j 
-+
-+- README.pkcs11 moved out of the patch, and is shipped together with it in a
-+  tarball instead so that it can be read before the patch is applied.
-+
-+- fixed bugs:
-+
-+	6804216 pkcs#11 engine should support a key length range for RC4
-+	6734038 Apache SSL web server using the pkcs11 engine fails to start if
-+		meta slot is disabled
-+
-+2008-12-02
-+- fixed bugs and RFEs (most of the work done by Vladimir Kotal)
-+
-+	6723504 more granular locking in PKCS#11 engine
-+	6667128 CRYPTO_LOCK_PK11_ENGINE assumption does not hold true
-+	6710420 PKCS#11 engine source should be lint clean
-+	6747327 PKCS#11 engine atfork handlers need to be aware of guys who take
-+		it seriously
-+	6746712 PKCS#11 engine source code should be cstyle clean
-+	6731380 return codes of several functions are not checked in the PKCS#11
-+		engine code
-+	6746735 PKCS#11 engine should use extended FILE space API
-+	6734038 Apache SSL web server using the pkcs11 engine fails to start if
-+		meta slot is disabled
-+
-+2008-08-01
-+- fixed bug
-+
-+	6731839 OpenSSL PKCS#11 engine no longer uses n2cp for symmetric ciphers
-+		and digests
-+
-+- Solaris specific code for slot selection made automatic
-+
-+2008-07-29
-+- update the patch to OpenSSL 0.9.8h version
-+- pkcs11t.h updated to the latest version:
-+
-+	6545665 make CKM_AES_CTR available to non-kernel users
-+
-+- fixed bugs in the engine code:
-+
-+	6602801 PK11_SESSION cache has to employ reference counting scheme for
-+		asymmetric key operations
-+	6605538 pkcs11 functions C_FindObjects[{Init,Final}]() not called
-+		atomically
-+	6607307 pkcs#11 engine can't read RSA private keys
-+	6652362 pk11_RSA_finish() is cutting corners
-+	6662112 pk11_destroy_{rsa,dsa,dh}_key_objects() use locking in
-+		suboptimal way
-+	6666625 pk11_destroy_{rsa,dsa,dh}_key_objects() should be more
-+		resilient to destroy failures
-+	6667273 OpenSSL engine should not use free() but OPENSSL_free()
-+	6670363 PKCS#11 engine fails to reuse existing symmetric keys
-+	6678135 memory corruption in pk11_DH_generate_key() in pkcs#11 engine
-+	6678503 DSA signature conversion in pk11_dsa_do_verify() ignores size
-+		of big numbers leading to failures
-+	6706562 pk11_DH_compute_key() returns 0 in case of failure instead of
-+		-1
-+	6706622 pk11_load_{pub,priv}key create corrupted RSA key references
-+	6707129 return values from BN_new() in pk11_DH_generate_key() are not
-+		checked
-+	6707274 DSA/RSA/DH PKCS#11 engine operations need to be resistant to
-+		structure reuse
-+	6707782 OpenSSL PKCS#11 engine pretends to be aware of
-+		OPENSSL_NO_{RSA,DSA,DH}
-+	defines but fails miserably
-+	6709966 make check_new_*() to return values to indicate cache hit/miss
-+	6705200 pk11_dh struct initialization in PKCS#11 engine is missing
-+		generate_params parameter
-+	6709513 PKCS#11 engine sets IV length even for ECB modes
-+	6728296 buffer length not initialized for C_(En|De)crypt_Final() in the
-+		PKCS#11 engine
-+	6728871 PKCS#11 engine must reset global_session in pk11_finish()
-+
-+- new features and enhancements:
-+
-+	6562155 OpenSSL pkcs#11 engine needs support for SHA224/256/384/512
-+	6685012 OpenSSL pkcs#11 engine needs support for new cipher modes
-+	6725903 OpenSSL PKCS#11 engine shouldn't use soft token for symmetric
-+		ciphers and digests
-+
-+2007-10-15
-+- update for 0.9.8f version
-+- update for "6607670 teach pkcs#11 engine how to use keys be reference"
-+
-+2007-10-02
-+- draft for "6607670 teach pkcs#11 engine how to use keys be reference"
-+- draft for "6607307 pkcs#11 engine can't read RSA private keys"
-+
-+2007-09-26
-+- 6375348 Using pkcs11 as the SSLCryptoDevice with Apache/OpenSSL causes
-+	  significant performance drop
-+- 6573196 memory is leaked when OpenSSL is used with PKCS#11 engine
-+
-+2007-05-25
-+- 6558630 race in OpenSSL pkcs11 engine when using symetric block ciphers
-+
-+2007-05-19
-+- initial patch for 0.9.8e using latest OpenSolaris code
-+
-+FAQs
-+====
-+
-+(1) my build failed on Linux distro with this error:
-+
-+../libcrypto.a(hw_pk11.o): In function `pk11_library_init':
-+hw_pk11.c:(.text+0x20f5): undefined reference to `pthread_atfork'
-+
-+Answer:
-+
-+	- don't use "no-threads" when configuring
-+	- if you didn't then OpenSSL failed to create a threaded library by
-+	  default. You may manually edit Configure and try again. Look for the
-+	  architecture that Configure printed, for example:
-+
-+Configured for linux-elf.
-+
-+	- then edit Configure, find string "linux-elf" (inluding the quotes),
-+	  and add flags to support threads to the 4th column of the 2nd string.
-+	  If you build with GCC then adding "-pthread" should be enough. With
-+	  "linux-elf" as an example, you would add " -pthread" right after
-+	  "-D_REENTRANT", like this:
-+
-+....-O3 -fomit-frame-pointer -Wall::-D_REENTRANT -pthread::-ldl:.....
-+
-+(2) I'm using MinGW/MSYS environment and get undeclared reference error for
-+pthread_atfork() function when trying to build OpenSSL with the patch.
-+
-+Answer:
-+
-+	Sorry, pthread_atfork() is not implemented in the current pthread-win32
-+	(as of Nov 2009). You can not use the patch there.
-+
-+
-+Feedback
-+========
-+
-+Please send feedback to security-discuss@opensolaris.org. The patch was
-+created by Jan.Pechanec@Sun.COM from code available in OpenSolaris.
-+
-+Latest version should be always available on http://blogs.sun.com/janp.
-+
-Index: openssl/crypto/opensslconf.h
-diff -u openssl/crypto/opensslconf.h:1.5.10.1 openssl/crypto/opensslconf.h:1.5
---- openssl/crypto/opensslconf.h:1.5.10.1	Sun Jan 15 15:45:34 2012
-+++ openssl/crypto/opensslconf.h	Fri Sep  4 10:43:21 2009
-@@ -38,6 +38,9 @@
- 
- #endif /* OPENSSL_DOING_MAKEDEPEND */
- 
-+#ifndef OPENSSL_THREADS
-+# define OPENSSL_THREADS
-+#endif
- #ifndef OPENSSL_NO_DYNAMIC_ENGINE
- # define OPENSSL_NO_DYNAMIC_ENGINE
- #endif
-@@ -79,6 +82,8 @@
- # endif
- #endif
- 
-+#define OPENSSL_CPUID_OBJ
-+
- /* crypto/opensslconf.h.in */
- 
- #ifdef OPENSSL_DOING_MAKEDEPEND
-@@ -140,7 +145,7 @@
-  * This enables code handling data aligned at natural CPU word
-  * boundary. See crypto/rc4/rc4_enc.c for further details.
-  */
--#undef RC4_CHUNK
-+#define RC4_CHUNK unsigned long
- #endif
- #endif
- 
-@@ -148,7 +153,7 @@
- /* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
-  * %20 speed up (longs are 8 bytes, int's are 4). */
- #ifndef DES_LONG
--#define DES_LONG unsigned long
-+#define DES_LONG unsigned int
- #endif
- #endif
- 
-@@ -162,9 +167,9 @@
- /* The prime number generation stuff may not work when
-  * EIGHT_BIT but I don't care since I've only used this mode
-  * for debuging the bignum libraries */
--#undef SIXTY_FOUR_BIT_LONG
-+#define SIXTY_FOUR_BIT_LONG
- #undef SIXTY_FOUR_BIT
--#define THIRTY_TWO_BIT
-+#undef THIRTY_TWO_BIT
- #undef SIXTEEN_BIT
- #undef EIGHT_BIT
- #endif
-@@ -178,7 +183,7 @@
- 
- #if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
- #define CONFIG_HEADER_BF_LOCL_H
--#undef BF_PTR
-+#define BF_PTR2
- #endif /* HEADER_BF_LOCL_H */
- 
- #if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-@@ -208,7 +213,7 @@
- /* Unroll the inner loop, this sometimes helps, sometimes hinders.
-  * Very mucy CPU dependant */
- #ifndef DES_UNROLL
--#undef DES_UNROLL
-+#define DES_UNROLL
- #endif
- 
- /* These default values were supplied by
-Index: openssl/crypto/bio/bss_file.c
-diff -u openssl/crypto/bio/bss_file.c:1.5.6.1 openssl/crypto/bio/bss_file.c:1.5
---- openssl/crypto/bio/bss_file.c:1.5.6.1	Sun Jan 15 15:45:35 2012
-+++ openssl/crypto/bio/bss_file.c	Mon Jun 13 14:25:17 2011
-@@ -125,7 +125,7 @@
- 		{
- 		SYSerr(SYS_F_FOPEN,get_last_sys_error());
- 		ERR_add_error_data(5,"fopen('",filename,"','",mode,"')");
--		if (errno == ENOENT)
-+		if ((errno == ENOENT) || ((*mode == 'r') && (errno == EACCES)))
- 			BIOerr(BIO_F_BIO_NEW_FILE,BIO_R_NO_SUCH_FILE);
- 		else
- 			BIOerr(BIO_F_BIO_NEW_FILE,ERR_R_SYS_LIB);
-Index: openssl/crypto/engine/Makefile
-diff -u openssl/crypto/engine/Makefile:1.6.6.1 openssl/crypto/engine/Makefile:1.6
---- openssl/crypto/engine/Makefile:1.6.6.1	Sun Jan 15 15:45:35 2012
-+++ openssl/crypto/engine/Makefile	Mon Jun 13 14:25:19 2011
-@@ -21,12 +21,14 @@
- 	eng_table.c eng_pkey.c eng_fat.c eng_all.c \
- 	tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c \
- 	tb_cipher.c tb_digest.c \
--	eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c eng_padlock.c
-+	eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c eng_padlock.c \
-+	hw_pk11.c hw_pk11_pub.c hw_pk11so.c hw_pk11so_pub.c
- LIBOBJ= eng_err.o eng_lib.o eng_list.o eng_init.o eng_ctrl.o \
- 	eng_table.o eng_pkey.o eng_fat.o eng_all.o \
- 	tb_rsa.o tb_dsa.o tb_ecdsa.o tb_dh.o tb_ecdh.o tb_rand.o tb_store.o \
- 	tb_cipher.o tb_digest.o \
--	eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o eng_padlock.o
-+	eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o eng_padlock.o \
-+	hw_pk11.o hw_pk11_pub.o hw_pk11so.o hw_pk11so_pub.o
- 
- SRC= $(LIBSRC)
- 
-@@ -288,6 +290,102 @@
- eng_table.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
- eng_table.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h
- eng_table.o: eng_table.c
-+hw_pk11.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-+hw_pk11.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h
-+hw_pk11.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h
-+hw_pk11.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+hw_pk11.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h
-+hw_pk11.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h
-+hw_pk11.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h
-+hw_pk11.o: ../../include/openssl/dh.h ../../include/openssl/rand.h
-+hw_pk11.o: ../../include/openssl/ui.h ../../include/openssl/err.h
-+hw_pk11.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h
-+hw_pk11.o: ../../include/openssl/pem.h ../../include/openssl/evp.h
-+hw_pk11.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-+hw_pk11.o: ../../include/openssl/md5.h ../../include/openssl/sha.h
-+hw_pk11.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h
-+hw_pk11.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h
-+hw_pk11.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h
-+hw_pk11.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h
-+hw_pk11.o: ../../include/openssl/cast.h ../../include/openssl/idea.h
-+hw_pk11.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h
-+hw_pk11.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h
-+hw_pk11.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h
-+hw_pk11.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h
-+hw_pk11.o: ../../include/openssl/pem2.h ../cryptlib.h
-+hw_pk11.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11.c
-+hw_pk11_pub.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-+hw_pk11_pub.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h
-+hw_pk11_pub.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h
-+hw_pk11_pub.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+hw_pk11_pub.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h
-+hw_pk11_pub.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h
-+hw_pk11_pub.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h
-+hw_pk11_pub.o: ../../include/openssl/dh.h ../../include/openssl/rand.h
-+hw_pk11_pub.o: ../../include/openssl/ui.h ../../include/openssl/err.h
-+hw_pk11_pub.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h
-+hw_pk11_pub.o: ../../include/openssl/pem.h ../../include/openssl/evp.h
-+hw_pk11_pub.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-+hw_pk11_pub.o: ../../include/openssl/md5.h ../../include/openssl/sha.h
-+hw_pk11_pub.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h
-+hw_pk11_pub.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h
-+hw_pk11_pub.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h
-+hw_pk11_pub.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h
-+hw_pk11_pub.o: ../../include/openssl/cast.h ../../include/openssl/idea.h
-+hw_pk11_pub.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h
-+hw_pk11_pub.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h
-+hw_pk11_pub.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h
-+hw_pk11_pub.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h
-+hw_pk11_pub.o: ../../include/openssl/pem2.h ../cryptlib.h
-+hw_pk11_pub.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11_pub.c
-+hw_pk11so.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-+hw_pk11so.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h
-+hw_pk11so.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h
-+hw_pk11so.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+hw_pk11so.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h
-+hw_pk11so.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h
-+hw_pk11so.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h
-+hw_pk11so.o: ../../include/openssl/dh.h ../../include/openssl/rand.h
-+hw_pk11so.o: ../../include/openssl/ui.h ../../include/openssl/err.h
-+hw_pk11so.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h
-+hw_pk11so.o: ../../include/openssl/pem.h ../../include/openssl/evp.h
-+hw_pk11so.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-+hw_pk11so.o: ../../include/openssl/md5.h ../../include/openssl/sha.h
-+hw_pk11so.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h
-+hw_pk11so.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h
-+hw_pk11so.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h
-+hw_pk11so.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h
-+hw_pk11so.o: ../../include/openssl/cast.h ../../include/openssl/idea.h
-+hw_pk11so.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h
-+hw_pk11so.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h
-+hw_pk11so.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h
-+hw_pk11so.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h
-+hw_pk11so.o: ../../include/openssl/pem2.h ../cryptlib.h
-+hw_pk11so.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11so.c
-+hw_pk11so_pub.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-+hw_pk11so_pub.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h
-+hw_pk11so_pub.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h
-+hw_pk11so_pub.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+hw_pk11so_pub.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h
-+hw_pk11so_pub.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h
-+hw_pk11so_pub.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h
-+hw_pk11so_pub.o: ../../include/openssl/dh.h ../../include/openssl/rand.h
-+hw_pk11so_pub.o: ../../include/openssl/ui.h ../../include/openssl/err.h
-+hw_pk11so_pub.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h
-+hw_pk11so_pub.o: ../../include/openssl/pem.h ../../include/openssl/evp.h
-+hw_pk11so_pub.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-+hw_pk11so_pub.o: ../../include/openssl/md5.h ../../include/openssl/sha.h
-+hw_pk11so_pub.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h
-+hw_pk11so_pub.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h
-+hw_pk11so_pub.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h
-+hw_pk11so_pub.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h
-+hw_pk11so_pub.o: ../../include/openssl/cast.h ../../include/openssl/idea.h
-+hw_pk11so_pub.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h
-+hw_pk11so_pub.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h
-+hw_pk11so_pub.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h
-+hw_pk11so_pub.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h
-+hw_pk11so_pub.o: ../../include/openssl/pem2.h ../cryptlib.h
-+hw_pk11so_pub.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11so_pub.c
- tb_cipher.o: ../../e_os.h ../../include/openssl/asn1.h
- tb_cipher.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
- tb_cipher.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-Index: openssl/crypto/engine/cryptoki.h
-diff -u /dev/null openssl/crypto/engine/cryptoki.h:1.4
---- /dev/null	Fri Jan  2 13:56:40 2015
-+++ openssl/crypto/engine/cryptoki.h	Thu Dec 18 00:14:12 2008
-@@ -0,0 +1,103 @@
-+/*
-+ * CDDL HEADER START
-+ *
-+ * The contents of this file are subject to the terms of the
-+ * Common Development and Distribution License, Version 1.0 only
-+ * (the "License").  You may not use this file except in compliance
-+ * with the License.
-+ *
-+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-+ * or http://www.opensolaris.org/os/licensing.
-+ * See the License for the specific language governing permissions
-+ * and limitations under the License.
-+ *
-+ * When distributing Covered Code, include this CDDL HEADER in each
-+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-+ * If applicable, add the following below this CDDL HEADER, with the
-+ * fields enclosed by brackets "[]" replaced with your own identifying
-+ * information: Portions Copyright [yyyy] [name of copyright owner]
-+ *
-+ * CDDL HEADER END
-+ */
-+/*
-+ * Copyright 2003 Sun Microsystems, Inc.   All rights reserved.
-+ * Use is subject to license terms.
-+ */
-+
-+#ifndef	_CRYPTOKI_H
-+#define	_CRYPTOKI_H
-+
-+/* ident	"@(#)cryptoki.h	1.2	05/06/08 SMI" */
-+
-+#ifdef	__cplusplus
-+extern "C" {
-+#endif
-+
-+#ifndef	CK_PTR
-+#define	CK_PTR *
-+#endif
-+
-+#ifndef CK_DEFINE_FUNCTION
-+#define	CK_DEFINE_FUNCTION(returnType, name) returnType name
-+#endif
-+
-+#ifndef CK_DECLARE_FUNCTION
-+#define	CK_DECLARE_FUNCTION(returnType, name) returnType name
-+#endif
-+
-+#ifndef CK_DECLARE_FUNCTION_POINTER
-+#define	CK_DECLARE_FUNCTION_POINTER(returnType, name) returnType (* name)
-+#endif
-+
-+#ifndef CK_CALLBACK_FUNCTION
-+#define	CK_CALLBACK_FUNCTION(returnType, name) returnType (* name)
-+#endif
-+
-+#ifndef NULL_PTR
-+#include <unistd.h>	/* For NULL */
-+#define	NULL_PTR NULL
-+#endif
-+
-+/*
-+ * pkcs11t.h defines TRUE and FALSE in a way that upsets lint
-+ */
-+#ifndef	CK_DISABLE_TRUE_FALSE
-+#define	CK_DISABLE_TRUE_FALSE
-+#ifndef	TRUE
-+#define	TRUE	1
-+#endif /* TRUE */
-+#ifndef	FALSE
-+#define	FALSE	0
-+#endif /* FALSE */
-+#endif /* CK_DISABLE_TRUE_FALSE */
-+
-+#undef CK_PKCS11_FUNCTION_INFO
-+
-+#include "pkcs11.h"
-+
-+/* Solaris specific functions */
-+
-+#include <stdlib.h>
-+
-+/*
-+ * SUNW_C_GetMechSession will initialize the framework and do all
-+ * the necessary PKCS#11 calls to create a session capable of
-+ * providing operations on the requested mechanism
-+ */
-+CK_RV SUNW_C_GetMechSession(CK_MECHANISM_TYPE mech,
-+    CK_SESSION_HANDLE_PTR hSession);
-+
-+/*
-+ * SUNW_C_KeyToObject will create a secret key object for the given
-+ * mechanism from the rawkey data.
-+ */
-+CK_RV SUNW_C_KeyToObject(CK_SESSION_HANDLE hSession,
-+    CK_MECHANISM_TYPE mech, const void *rawkey, size_t rawkey_len,
-+    CK_OBJECT_HANDLE_PTR obj);
-+
-+
-+#ifdef	__cplusplus
-+}
-+#endif
-+
-+#endif	/* _CRYPTOKI_H */
-Index: openssl/crypto/engine/eng_all.c
-diff -u openssl/crypto/engine/eng_all.c:1.4.6.1.6.1 openssl/crypto/engine/eng_all.c:1.4.2.1
---- openssl/crypto/engine/eng_all.c:1.4.6.1.6.1	Thu Jul  3 12:12:33 2014
-+++ openssl/crypto/engine/eng_all.c	Thu Jul  3 12:31:59 2014
-@@ -110,6 +110,14 @@
- #if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV)
- 	ENGINE_load_cryptodev();
- #endif
-+#ifndef OPENSSL_NO_HW_PKCS11
-+#ifndef OPENSSL_NO_HW_PKCS11CA
-+	ENGINE_load_pk11ca();
-+#endif
-+#ifndef OPENSSL_NO_HW_PKCS11SO
-+	ENGINE_load_pk11so();
-+#endif
-+#endif
- #endif
- 	}
- 
-Index: openssl/crypto/engine/engine.h
-diff -u openssl/crypto/engine/engine.h:1.4.6.1.6.1 openssl/crypto/engine/engine.h:1.4.2.1
---- openssl/crypto/engine/engine.h:1.4.6.1.6.1	Thu Jul  3 12:12:33 2014
-+++ openssl/crypto/engine/engine.h	Thu Jul  3 12:32:00 2014
-@@ -344,6 +344,12 @@
- void ENGINE_load_cryptodev(void);
- void ENGINE_load_padlock(void);
- void ENGINE_load_builtin_engines(void);
-+#ifndef OPENSSL_NO_HW_PKCS11CA
-+void ENGINE_load_pk11ca(void);
-+#endif
-+#ifndef OPENSSL_NO_HW_PKCS11SO
-+void ENGINE_load_pk11so(void);
-+#endif
- 
- /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation
-  * "registry" handling. */
-Index: openssl/crypto/engine/hw_pk11.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.4
---- /dev/null	Fri Jan  2 13:56:40 2015
-+++ openssl/crypto/engine/hw_pk11.c	Fri Oct  4 14:45:25 2013
-@@ -0,0 +1,4116 @@
-+/*
-+ * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
-+ * Use is subject to license terms.
-+ */
-+
-+/* crypto/engine/hw_pk11.c */
-+/*
-+ * This product includes software developed by the OpenSSL Project for
-+ * use in the OpenSSL Toolkit (http://www.openssl.org/).
-+ *
-+ * This project also referenced hw_pkcs11-0.9.7b.patch written by
-+ * Afchine Madjlessi.
-+ */
-+/*
-+ * ====================================================================
-+ * Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com).  This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <sys/types.h>
-+
-+#include <openssl/e_os2.h>
-+#include <openssl/crypto.h>
-+#include <cryptlib.h>
-+#include <openssl/engine.h>
-+#include <openssl/dso.h>
-+#include <openssl/err.h>
-+#include <openssl/bn.h>
-+#include <openssl/md5.h>
-+#include <openssl/pem.h>
-+#ifndef OPENSSL_NO_RSA
-+#include <openssl/rsa.h>
-+#endif
-+#ifndef OPENSSL_NO_DSA
-+#include <openssl/dsa.h>
-+#endif
-+#ifndef OPENSSL_NO_DH
-+#include <openssl/dh.h>
-+#endif
-+#include <openssl/rand.h>
-+#include <openssl/objects.h>
-+#include <openssl/x509.h>
-+#include <openssl/aes.h>
-+#include <openssl/des.h>
-+
-+#ifdef OPENSSL_SYS_WIN32
-+typedef int pid_t;
-+#define getpid() GetCurrentProcessId()
-+#define NOPTHREADS
-+#ifndef NULL_PTR
-+#define NULL_PTR NULL
-+#endif
-+#define CK_DEFINE_FUNCTION(returnType, name) \
-+	returnType __declspec(dllexport) name
-+#define CK_DECLARE_FUNCTION(returnType, name) \
-+	returnType __declspec(dllimport) name
-+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
-+	returnType __declspec(dllimport) (* name)
-+#else
-+#include <signal.h>
-+#include <unistd.h>
-+#include <dlfcn.h>
-+#endif
-+
-+/* Debug mutexes */
-+/*#undef DEBUG_MUTEX */
-+#define DEBUG_MUTEX
-+
-+#ifndef NOPTHREADS
-+/* for pthread error check on Linuxes */
-+#ifdef DEBUG_MUTEX
-+#define __USE_UNIX98
-+#endif
-+#include <pthread.h>
-+#endif
-+
-+#ifndef OPENSSL_NO_HW
-+#ifndef OPENSSL_NO_HW_PK11
-+#ifndef OPENSSL_NO_HW_PK11CA
-+
-+/* label for debug messages printed on stderr */
-+#define	PK11_DBG	"PKCS#11 ENGINE DEBUG"
-+/* prints a lot of debug messages on stderr about slot selection process */
-+/* #undef	DEBUG_SLOT_SELECTION */
-+/*
-+ * Solaris specific code. See comment at check_hw_mechanisms() for more
-+ * information.
-+ */
-+#if defined(__SVR4) && defined(__sun)
-+#undef	SOLARIS_HW_SLOT_SELECTION
-+#endif
-+
-+/*
-+ * AES counter mode is not supported in the OpenSSL EVP API yet and neither
-+ * there are official OIDs for mechanisms based on this mode. With our changes,
-+ * an application can define its own EVP calls for AES counter mode and then
-+ * it can make use of hardware acceleration through this engine. However, it's
-+ * better if we keep AES CTR support code under ifdef's.
-+ */
-+#define	SOLARIS_AES_CTR
-+
-+#ifdef OPENSSL_SYS_WIN32
-+#pragma pack(push, cryptoki, 1)
-+#include "cryptoki.h"
-+#include "pkcs11.h"
-+#pragma pack(pop, cryptoki)
-+#else
-+#include "cryptoki.h"
-+#include "pkcs11.h"
-+#endif
-+#include "hw_pk11ca.h"
-+#include "hw_pk11_err.c"
-+
-+#ifdef	SOLARIS_AES_CTR
-+/*
-+ * NIDs for AES counter mode that will be defined during the engine
-+ * initialization.
-+ */
-+static int NID_aes_128_ctr = NID_undef;
-+static int NID_aes_192_ctr = NID_undef;
-+static int NID_aes_256_ctr = NID_undef;
-+#endif	/* SOLARIS_AES_CTR */
-+
-+/*
-+ * We use this lock to prevent multiple C_Login()s, guard getpassphrase(),
-+ * uri_struct manipulation, and static token info. All of that is used by the
-+ * RSA keys by reference feature.
-+ */
-+#ifndef NOPTHREADS
-+pthread_mutex_t *token_lock;
-+#endif
-+
-+#ifdef	SOLARIS_HW_SLOT_SELECTION
-+/*
-+ * Tables for symmetric ciphers and digest mechs found in the pkcs11_kernel
-+ * library. See comment at check_hw_mechanisms() for more information.
-+ */
-+static int *hw_cnids;
-+static int *hw_dnids;
-+#endif	/* SOLARIS_HW_SLOT_SELECTION */
-+
-+/* PKCS#11 session caches and their locks for all operation types */
-+static PK11_CACHE session_cache[OP_MAX];
-+
-+/*
-+ * We cache the flags so that we do not have to run C_GetTokenInfo() again when
-+ * logging into the token.
-+ */
-+CK_FLAGS pubkey_token_flags;
-+
-+/*
-+ * As stated in v2.20, 11.7 Object Management Function, in section for
-+ * C_FindObjectsInit(), at most one search operation may be active at a given
-+ * time in a given session. Therefore, C_Find{,Init,Final}Objects() should be
-+ * grouped together to form one atomic search operation. This is already
-+ * ensured by the property of unique PKCS#11 session handle used for each
-+ * PK11_SESSION object.
-+ *
-+ * This is however not the biggest concern - maintaining consistency of the
-+ * underlying object store is more important. The same section of the spec also
-+ * says that one thread can be in the middle of a search operation while another
-+ * thread destroys the object matching the search template which would result in
-+ * invalid handle returned from the search operation.
-+ *
-+ * Hence, the following locks are used for both protection of the object stores.
-+ * They are also used for active list protection.
-+ */
-+#ifndef NOPTHREADS
-+pthread_mutex_t *find_lock[OP_MAX] = { NULL };
-+#endif
-+
-+/*
-+ * lists of asymmetric key handles which are active (referenced by at least one
-+ * PK11_SESSION structure, either held by a thread or present in free_session
-+ * list) for given algorithm type
-+ */
-+PK11_active *active_list[OP_MAX] = { NULL };
-+
-+/*
-+ * Create all secret key objects in a global session so that they are available
-+ * to use for other sessions. These other sessions may be opened or closed
-+ * without losing the secret key objects.
-+ */
-+static CK_SESSION_HANDLE	global_session = CK_INVALID_HANDLE;
-+
-+/* ENGINE level stuff */
-+static int pk11_init(ENGINE *e);
-+static int pk11_library_init(ENGINE *e);
-+static int pk11_finish(ENGINE *e);
-+static int pk11_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
-+static int pk11_destroy(ENGINE *e);
-+
-+/* RAND stuff */
-+static void pk11_rand_seed(const void *buf, int num);
-+static void pk11_rand_add(const void *buf, int num, double add_entropy);
-+static void pk11_rand_cleanup(void);
-+static int pk11_rand_bytes(unsigned char *buf, int num);
-+static int pk11_rand_status(void);
-+
-+/* These functions are also used in other files */
-+PK11_SESSION *pk11_get_session(PK11_OPTYPE optype);
-+void pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype);
-+
-+/* active list manipulation functions used in this file */
-+extern int pk11_active_delete(CK_OBJECT_HANDLE h, PK11_OPTYPE type);
-+extern void pk11_free_active_list(PK11_OPTYPE type);
-+
-+#ifndef OPENSSL_NO_RSA
-+int pk11_destroy_rsa_key_objects(PK11_SESSION *session);
-+int pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
-+int pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
-+#endif
-+#ifndef OPENSSL_NO_DSA
-+int pk11_destroy_dsa_key_objects(PK11_SESSION *session);
-+int pk11_destroy_dsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
-+int pk11_destroy_dsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
-+#endif
-+#ifndef OPENSSL_NO_DH
-+int pk11_destroy_dh_key_objects(PK11_SESSION *session);
-+int pk11_destroy_dh_object(PK11_SESSION *session, CK_BBOOL uselock);
-+#endif
-+
-+/* Local helper functions */
-+static int pk11_free_all_sessions(void);
-+static int pk11_free_session_list(PK11_OPTYPE optype);
-+static int pk11_setup_session(PK11_SESSION *sp, PK11_OPTYPE optype);
-+static int pk11_destroy_cipher_key_objects(PK11_SESSION *session);
-+static int pk11_destroy_object(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE oh,
-+	CK_BBOOL persistent);
-+static const char *get_PK11_LIBNAME(void);
-+static void free_PK11_LIBNAME(void);
-+static long set_PK11_LIBNAME(const char *name);
-+
-+/* Symmetric cipher and digest support functions */
-+static int cipher_nid_to_pk11(int nid);
-+#ifdef	SOLARIS_AES_CTR
-+static int pk11_add_NID(char *sn, char *ln);
-+static int pk11_add_aes_ctr_NIDs(void);
-+#endif	/* SOLARIS_AES_CTR */
-+static int pk11_usable_ciphers(const int **nids);
-+static int pk11_usable_digests(const int **nids);
-+static int pk11_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-+	const unsigned char *iv, int enc);
-+static int pk11_cipher_final(PK11_SESSION *sp);
-+#if OPENSSL_VERSION_NUMBER < 0x10000000L
-+static int pk11_cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-+	const unsigned char *in, unsigned int inl);
-+#else
-+static int pk11_cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-+	const unsigned char *in, size_t inl);
-+#endif
-+static int pk11_cipher_cleanup(EVP_CIPHER_CTX *ctx);
-+static int pk11_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
-+	const int **nids, int nid);
-+static int pk11_engine_digests(ENGINE *e, const EVP_MD **digest,
-+	const int **nids, int nid);
-+static CK_OBJECT_HANDLE pk11_get_cipher_key(EVP_CIPHER_CTX *ctx,
-+	const unsigned char *key, CK_KEY_TYPE key_type, PK11_SESSION *sp);
-+static int check_new_cipher_key(PK11_SESSION *sp, const unsigned char *key,
-+	int key_len);
-+static int md_nid_to_pk11(int nid);
-+static int pk11_digest_init(EVP_MD_CTX *ctx);
-+static int pk11_digest_update(EVP_MD_CTX *ctx, const void *data,
-+	size_t count);
-+static int pk11_digest_final(EVP_MD_CTX *ctx, unsigned char *md);
-+static int pk11_digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from);
-+static int pk11_digest_cleanup(EVP_MD_CTX *ctx);
-+
-+static int pk11_choose_slots(int *any_slot_found);
-+static void pk11_find_symmetric_ciphers(CK_FUNCTION_LIST_PTR pflist,
-+    CK_SLOT_ID current_slot, int *current_slot_n_cipher,
-+    int *local_cipher_nids);
-+static void pk11_find_digests(CK_FUNCTION_LIST_PTR pflist,
-+    CK_SLOT_ID current_slot, int *current_slot_n_digest,
-+    int *local_digest_nids);
-+static void pk11_get_symmetric_cipher(CK_FUNCTION_LIST_PTR, int slot_id,
-+    CK_MECHANISM_TYPE mech, int *current_slot_n_cipher, int *local_cipher_nids,
-+    int id);
-+static void pk11_get_digest(CK_FUNCTION_LIST_PTR pflist, int slot_id,
-+    CK_MECHANISM_TYPE mech, int *current_slot_n_digest, int *local_digest_nids,
-+    int id);
-+
-+static int pk11_init_all_locks(void);
-+static void pk11_free_all_locks(void);
-+
-+#ifdef	SOLARIS_HW_SLOT_SELECTION
-+static int check_hw_mechanisms(void);
-+static int nid_in_table(int nid, int *nid_table);
-+#endif	/* SOLARIS_HW_SLOT_SELECTION */
-+
-+/* Index for the supported ciphers */
-+enum pk11_cipher_id {
-+	PK11_DES_CBC,
-+	PK11_DES3_CBC,
-+	PK11_DES_ECB,
-+	PK11_DES3_ECB,
-+	PK11_RC4,
-+	PK11_AES_128_CBC,
-+	PK11_AES_192_CBC,
-+	PK11_AES_256_CBC,
-+	PK11_AES_128_ECB,
-+	PK11_AES_192_ECB,
-+	PK11_AES_256_ECB,
-+	PK11_BLOWFISH_CBC,
-+#ifdef	SOLARIS_AES_CTR
-+	PK11_AES_128_CTR,
-+	PK11_AES_192_CTR,
-+	PK11_AES_256_CTR,
-+#endif	/* SOLARIS_AES_CTR */
-+	PK11_CIPHER_MAX
-+};
-+
-+/* Index for the supported digests */
-+enum pk11_digest_id {
-+	PK11_MD5,
-+	PK11_SHA1,
-+	PK11_SHA224,
-+	PK11_SHA256,
-+	PK11_SHA384,
-+	PK11_SHA512,
-+	PK11_DIGEST_MAX
-+};
-+
-+#define	TRY_OBJ_DESTROY(sp, obj_hdl, retval, uselock, alg_type, priv)	\
-+	{								\
-+	if (uselock)							\
-+		LOCK_OBJSTORE(alg_type);				\
-+	if (pk11_active_delete(obj_hdl, alg_type) == 1)			\
-+		{							\
-+		  retval = pk11_destroy_object(sp->session, obj_hdl,	\
-+		  priv ? sp->priv_persistent : sp->pub_persistent);	\
-+		}							\
-+	if (uselock)							\
-+		UNLOCK_OBJSTORE(alg_type);				\
-+	}
-+
-+static int cipher_nids[PK11_CIPHER_MAX];
-+static int digest_nids[PK11_DIGEST_MAX];
-+static int cipher_count		= 0;
-+static int digest_count		= 0;
-+static CK_BBOOL pk11_have_rsa	= CK_FALSE;
-+static CK_BBOOL pk11_have_recover = CK_FALSE;
-+static CK_BBOOL pk11_have_dsa	= CK_FALSE;
-+static CK_BBOOL pk11_have_dh	= CK_FALSE;
-+static CK_BBOOL pk11_have_random = CK_FALSE;
-+
-+typedef struct PK11_CIPHER_st
-+	{
-+	enum pk11_cipher_id	id;
-+	int			nid;
-+	int			iv_len;
-+	int			min_key_len;
-+	int			max_key_len;
-+	CK_KEY_TYPE		key_type;
-+	CK_MECHANISM_TYPE	mech_type;
-+	} PK11_CIPHER;
-+
-+static PK11_CIPHER ciphers[] =
-+	{
-+	{ PK11_DES_CBC,		NID_des_cbc,		8,	 8,   8,
-+		CKK_DES,	CKM_DES_CBC, },
-+	{ PK11_DES3_CBC,	NID_des_ede3_cbc,	8,	24,  24,
-+		CKK_DES3,	CKM_DES3_CBC, },
-+	{ PK11_DES_ECB,		NID_des_ecb,		0,	 8,   8,
-+		CKK_DES,	CKM_DES_ECB, },
-+	{ PK11_DES3_ECB,	NID_des_ede3_ecb,	0,	24,  24,
-+		CKK_DES3,	CKM_DES3_ECB, },
-+	{ PK11_RC4,		NID_rc4,		0,	16, 256,
-+		CKK_RC4,	CKM_RC4, },
-+	{ PK11_AES_128_CBC,	NID_aes_128_cbc,	16,	16,  16,
-+		CKK_AES,	CKM_AES_CBC, },
-+	{ PK11_AES_192_CBC,	NID_aes_192_cbc,	16,	24,  24,
-+		CKK_AES,	CKM_AES_CBC, },
-+	{ PK11_AES_256_CBC,	NID_aes_256_cbc,	16,	32,  32,
-+		CKK_AES,	CKM_AES_CBC, },
-+	{ PK11_AES_128_ECB,	NID_aes_128_ecb,	0,	16,  16,
-+		CKK_AES,	CKM_AES_ECB, },
-+	{ PK11_AES_192_ECB,	NID_aes_192_ecb,	0,	24,  24,
-+		CKK_AES,	CKM_AES_ECB, },
-+	{ PK11_AES_256_ECB,	NID_aes_256_ecb,	0,	32,  32,
-+		CKK_AES,	CKM_AES_ECB, },
-+	{ PK11_BLOWFISH_CBC,	NID_bf_cbc,		8,	16,  16,
-+		CKK_BLOWFISH,	CKM_BLOWFISH_CBC, },
-+#ifdef	SOLARIS_AES_CTR
-+	/* we don't know the correct NIDs until the engine is initialized */
-+	{ PK11_AES_128_CTR,	NID_undef,		16,	16,  16,
-+		CKK_AES,	CKM_AES_CTR, },
-+	{ PK11_AES_192_CTR,	NID_undef,		16,	24,  24,
-+		CKK_AES,	CKM_AES_CTR, },
-+	{ PK11_AES_256_CTR,	NID_undef,		16,	32,  32,
-+		CKK_AES,	CKM_AES_CTR, },
-+#endif	/* SOLARIS_AES_CTR */
-+	};
-+
-+typedef struct PK11_DIGEST_st
-+	{
-+	enum pk11_digest_id	id;
-+	int			nid;
-+	CK_MECHANISM_TYPE	mech_type;
-+	} PK11_DIGEST;
-+
-+static PK11_DIGEST digests[] =
-+	{
-+	{PK11_MD5,	NID_md5,	CKM_MD5, },
-+	{PK11_SHA1,	NID_sha1,	CKM_SHA_1, },
-+	{PK11_SHA224,	NID_sha224,	CKM_SHA224, },
-+	{PK11_SHA256,	NID_sha256,	CKM_SHA256, },
-+	{PK11_SHA384,	NID_sha384,	CKM_SHA384, },
-+	{PK11_SHA512,	NID_sha512,	CKM_SHA512, },
-+	{0,		NID_undef,	0xFFFF, },
-+	};
-+
-+/*
-+ * Structure to be used for the cipher_data/md_data in
-+ * EVP_CIPHER_CTX/EVP_MD_CTX structures in order to use the same pk11
-+ * session in multiple cipher_update calls
-+ */
-+typedef struct PK11_CIPHER_STATE_st
-+	{
-+	PK11_SESSION	*sp;
-+	} PK11_CIPHER_STATE;
-+
-+
-+/*
-+ * libcrypto EVP stuff - this is how we get wired to EVP so the engine gets
-+ * called when libcrypto requests a cipher NID.
-+ *
-+ * Note how the PK11_CIPHER_STATE is used here.
-+ */
-+
-+/* DES CBC EVP */
-+static const EVP_CIPHER pk11_des_cbc =
-+	{
-+	NID_des_cbc,
-+	8, 8, 8,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+/* 3DES CBC EVP */
-+static const EVP_CIPHER pk11_3des_cbc =
-+	{
-+	NID_des_ede3_cbc,
-+	8, 24, 8,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+/*
-+ * ECB modes don't use an Initial Vector so that's why set_asn1_parameters and
-+ * get_asn1_parameters fields are set to NULL.
-+ */
-+static const EVP_CIPHER pk11_des_ecb =
-+	{
-+	NID_des_ecb,
-+	8, 8, 8,
-+	EVP_CIPH_ECB_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	NULL,
-+	NULL,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_3des_ecb =
-+	{
-+	NID_des_ede3_ecb,
-+	8, 24, 8,
-+	EVP_CIPH_ECB_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	NULL,
-+	NULL,
-+	NULL
-+	};
-+
-+
-+static const EVP_CIPHER pk11_aes_128_cbc =
-+	{
-+	NID_aes_128_cbc,
-+	16, 16, 16,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_aes_192_cbc =
-+	{
-+	NID_aes_192_cbc,
-+	16, 24, 16,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_aes_256_cbc =
-+	{
-+	NID_aes_256_cbc,
-+	16, 32, 16,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+/*
-+ * ECB modes don't use IV so that's why set_asn1_parameters and
-+ * get_asn1_parameters are set to NULL.
-+ */
-+static const EVP_CIPHER pk11_aes_128_ecb =
-+	{
-+	NID_aes_128_ecb,
-+	16, 16, 0,
-+	EVP_CIPH_ECB_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	NULL,
-+	NULL,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_aes_192_ecb =
-+	{
-+	NID_aes_192_ecb,
-+	16, 24, 0,
-+	EVP_CIPH_ECB_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	NULL,
-+	NULL,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_aes_256_ecb =
-+	{
-+	NID_aes_256_ecb,
-+	16, 32, 0,
-+	EVP_CIPH_ECB_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	NULL,
-+	NULL,
-+	NULL
-+	};
-+
-+#ifdef	SOLARIS_AES_CTR
-+/*
-+ * NID_undef's will be changed to the AES counter mode NIDs as soon they are
-+ * created in pk11_library_init(). Note that the need to change these structures
-+ * is the reason why we don't define them with the const keyword.
-+ */
-+static EVP_CIPHER pk11_aes_128_ctr =
-+	{
-+	NID_undef,
-+	16, 16, 16,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+static EVP_CIPHER pk11_aes_192_ctr =
-+	{
-+	NID_undef,
-+	16, 24, 16,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+static EVP_CIPHER pk11_aes_256_ctr =
-+	{
-+	NID_undef,
-+	16, 32, 16,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+#endif	/* SOLARIS_AES_CTR */
-+
-+static const EVP_CIPHER pk11_bf_cbc =
-+	{
-+	NID_bf_cbc,
-+	8, 16, 8,
-+	EVP_CIPH_VARIABLE_LENGTH,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_rc4 =
-+	{
-+	NID_rc4,
-+	1, 16, 0,
-+	EVP_CIPH_VARIABLE_LENGTH,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	NULL,
-+	NULL,
-+	NULL
-+	};
-+
-+static const EVP_MD pk11_md5 =
-+	{
-+	NID_md5,
-+	NID_md5WithRSAEncryption,
-+	MD5_DIGEST_LENGTH,
-+	0,
-+	pk11_digest_init,
-+	pk11_digest_update,
-+	pk11_digest_final,
-+	pk11_digest_copy,
-+	pk11_digest_cleanup,
-+	EVP_PKEY_RSA_method,
-+	MD5_CBLOCK,
-+	sizeof (PK11_CIPHER_STATE),
-+	};
-+
-+static const EVP_MD pk11_sha1 =
-+	{
-+	NID_sha1,
-+	NID_sha1WithRSAEncryption,
-+	SHA_DIGEST_LENGTH,
-+	0,
-+	pk11_digest_init,
-+	pk11_digest_update,
-+	pk11_digest_final,
-+	pk11_digest_copy,
-+	pk11_digest_cleanup,
-+	EVP_PKEY_RSA_method,
-+	SHA_CBLOCK,
-+	sizeof (PK11_CIPHER_STATE),
-+	};
-+
-+static const EVP_MD pk11_sha224 =
-+	{
-+	NID_sha224,
-+	NID_sha224WithRSAEncryption,
-+	SHA224_DIGEST_LENGTH,
-+	0,
-+	pk11_digest_init,
-+	pk11_digest_update,
-+	pk11_digest_final,
-+	pk11_digest_copy,
-+	pk11_digest_cleanup,
-+	EVP_PKEY_RSA_method,
-+	/* SHA-224 uses the same cblock size as SHA-256 */
-+	SHA256_CBLOCK,
-+	sizeof (PK11_CIPHER_STATE),
-+	};
-+
-+static const EVP_MD pk11_sha256 =
-+	{
-+	NID_sha256,
-+	NID_sha256WithRSAEncryption,
-+	SHA256_DIGEST_LENGTH,
-+	0,
-+	pk11_digest_init,
-+	pk11_digest_update,
-+	pk11_digest_final,
-+	pk11_digest_copy,
-+	pk11_digest_cleanup,
-+	EVP_PKEY_RSA_method,
-+	SHA256_CBLOCK,
-+	sizeof (PK11_CIPHER_STATE),
-+	};
-+
-+static const EVP_MD pk11_sha384 =
-+	{
-+	NID_sha384,
-+	NID_sha384WithRSAEncryption,
-+	SHA384_DIGEST_LENGTH,
-+	0,
-+	pk11_digest_init,
-+	pk11_digest_update,
-+	pk11_digest_final,
-+	pk11_digest_copy,
-+	pk11_digest_cleanup,
-+	EVP_PKEY_RSA_method,
-+	/* SHA-384 uses the same cblock size as SHA-512 */
-+	SHA512_CBLOCK,
-+	sizeof (PK11_CIPHER_STATE),
-+	};
-+
-+static const EVP_MD pk11_sha512 =
-+	{
-+	NID_sha512,
-+	NID_sha512WithRSAEncryption,
-+	SHA512_DIGEST_LENGTH,
-+	0,
-+	pk11_digest_init,
-+	pk11_digest_update,
-+	pk11_digest_final,
-+	pk11_digest_copy,
-+	pk11_digest_cleanup,
-+	EVP_PKEY_RSA_method,
-+	SHA512_CBLOCK,
-+	sizeof (PK11_CIPHER_STATE),
-+	};
-+
-+/*
-+ * Initialization function. Sets up various PKCS#11 library components.
-+ * The definitions for control commands specific to this engine
-+ */
-+#define PK11_CMD_SO_PATH		ENGINE_CMD_BASE
-+#define PK11_CMD_PIN			(ENGINE_CMD_BASE+1)
-+#define PK11_CMD_SLOT			(ENGINE_CMD_BASE+2)
-+static const ENGINE_CMD_DEFN pk11_cmd_defns[] =
-+	{
-+		{
-+		PK11_CMD_SO_PATH,
-+		"SO_PATH",
-+		"Specifies the path to the 'pkcs#11' shared library",
-+		ENGINE_CMD_FLAG_STRING
-+		},
-+		{
-+		PK11_CMD_PIN,
-+		"PIN",
-+		"Specifies the pin code",
-+		ENGINE_CMD_FLAG_STRING
-+		},
-+		{
-+		PK11_CMD_SLOT,
-+		"SLOT",
-+		"Specifies the slot (default is auto select)",
-+		ENGINE_CMD_FLAG_NUMERIC,
-+		},
-+		{0, NULL, NULL, 0}
-+	};
-+
-+
-+static RAND_METHOD pk11_random =
-+	{
-+	pk11_rand_seed,
-+	pk11_rand_bytes,
-+	pk11_rand_cleanup,
-+	pk11_rand_add,
-+	pk11_rand_bytes,
-+	pk11_rand_status
-+	};
-+
-+
-+/* Constants used when creating the ENGINE */
-+#ifdef OPENSSL_NO_HW_PK11SO
-+#error "can't load both crypto-accelerator and sign-only PKCS#11 engines"
-+#endif
-+static const char *engine_pk11_id = "pkcs11";
-+static const char *engine_pk11_name =
-+	"PKCS #11 engine support (crypto accelerator)";
-+
-+CK_FUNCTION_LIST_PTR pFuncList = NULL;
-+static const char PK11_GET_FUNCTION_LIST[] = "C_GetFunctionList";
-+
-+/*
-+ * This is a static string constant for the DSO file name and the function
-+ * symbol names to bind to. We set it in the Configure script based on whether
-+ * this is 32 or 64 bit build.
-+ */
-+static const char def_PK11_LIBNAME[] = PK11_LIB_LOCATION;
-+
-+static CK_BBOOL mytrue = TRUE;
-+static CK_BBOOL myfalse = FALSE;
-+/* Needed in hw_pk11_pub.c as well so that's why it is not static. */
-+CK_SLOT_ID pubkey_SLOTID = 0;
-+static CK_SLOT_ID rand_SLOTID = 0;
-+static CK_SLOT_ID SLOTID = 0;
-+char *pk11_pin = NULL;
-+static CK_BBOOL pk11_library_initialized = FALSE;
-+static CK_BBOOL pk11_atfork_initialized = FALSE;
-+static int pk11_pid = 0;
-+
-+static DSO *pk11_dso = NULL;
-+
-+/* allocate and initialize all locks used by the engine itself */
-+static int pk11_init_all_locks(void)
-+	{
-+#ifndef NOPTHREADS
-+	int type;
-+	pthread_mutexattr_t attr;
-+
-+	if (pthread_mutexattr_init(&attr) != 0)
-+	{
-+		PK11err(PK11_F_INIT_ALL_LOCKS, 100);
-+		return (0);
-+	}
-+
-+#ifdef DEBUG_MUTEX
-+	if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0)
-+	{
-+		PK11err(PK11_F_INIT_ALL_LOCKS, 101);
-+		return (0);
-+	}
-+#endif
-+
-+	if ((token_lock = OPENSSL_malloc(sizeof (pthread_mutex_t))) == NULL)
-+		goto malloc_err;
-+	(void) pthread_mutex_init(token_lock, &attr);
-+
-+#ifndef OPENSSL_NO_RSA
-+	find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
-+	if (find_lock[OP_RSA] == NULL)
-+		goto malloc_err;
-+	(void) pthread_mutex_init(find_lock[OP_RSA], &attr);
-+#endif /* OPENSSL_NO_RSA */
-+
-+#ifndef OPENSSL_NO_DSA
-+	find_lock[OP_DSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
-+	if (find_lock[OP_DSA] == NULL)
-+		goto malloc_err;
-+	(void) pthread_mutex_init(find_lock[OP_DSA], &attr);
-+#endif /* OPENSSL_NO_DSA */
-+
-+#ifndef OPENSSL_NO_DH
-+	find_lock[OP_DH] = OPENSSL_malloc(sizeof (pthread_mutex_t));
-+	if (find_lock[OP_DH] == NULL)
-+		goto malloc_err;
-+	(void) pthread_mutex_init(find_lock[OP_DH], &attr);
-+#endif /* OPENSSL_NO_DH */
-+
-+	for (type = 0; type < OP_MAX; type++)
-+		{
-+		session_cache[type].lock =
-+		    OPENSSL_malloc(sizeof (pthread_mutex_t));
-+		if (session_cache[type].lock == NULL)
-+			goto malloc_err;
-+		(void) pthread_mutex_init(session_cache[type].lock, &attr);
-+		}
-+
-+	return (1);
-+
-+malloc_err:
-+	pk11_free_all_locks();
-+	PK11err(PK11_F_INIT_ALL_LOCKS, PK11_R_MALLOC_FAILURE);
-+	return (0);
-+#else
-+	return (1);
-+#endif
-+	}
-+
-+static void pk11_free_all_locks(void)
-+	{
-+#ifndef NOPTHREADS
-+	int type;
-+
-+	if (token_lock != NULL)
-+		{
-+		(void) pthread_mutex_destroy(token_lock);
-+		OPENSSL_free(token_lock);
-+		token_lock = NULL;
-+		}
-+
-+#ifndef OPENSSL_NO_RSA
-+	if (find_lock[OP_RSA] != NULL)
-+		{
-+		(void) pthread_mutex_destroy(find_lock[OP_RSA]);
-+		OPENSSL_free(find_lock[OP_RSA]);
-+		find_lock[OP_RSA] = NULL;
-+		}
-+#endif /* OPENSSL_NO_RSA */
-+#ifndef OPENSSL_NO_DSA
-+	if (find_lock[OP_DSA] != NULL)
-+		{
-+		(void) pthread_mutex_destroy(find_lock[OP_DSA]);
-+		OPENSSL_free(find_lock[OP_DSA]);
-+		find_lock[OP_DSA] = NULL;
-+		}
-+#endif /* OPENSSL_NO_DSA */
-+#ifndef OPENSSL_NO_DH
-+	if (find_lock[OP_DH] != NULL)
-+		{
-+		(void) pthread_mutex_destroy(find_lock[OP_DH]);
-+		OPENSSL_free(find_lock[OP_DH]);
-+		find_lock[OP_DH] = NULL;
-+		}
-+#endif /* OPENSSL_NO_DH */
-+
-+	for (type = 0; type < OP_MAX; type++)
-+		{
-+		if (session_cache[type].lock != NULL)
-+			{
-+			(void) pthread_mutex_destroy(session_cache[type].lock);
-+			OPENSSL_free(session_cache[type].lock);
-+			session_cache[type].lock = NULL;
-+			}
-+		}
-+#endif
-+	}
-+
-+/*
-+ * This internal function is used by ENGINE_pk11() and "dynamic" ENGINE support.
-+ */
-+static int bind_pk11(ENGINE *e)
-+	{
-+#ifndef OPENSSL_NO_RSA
-+	const RSA_METHOD *rsa = NULL;
-+	RSA_METHOD *pk11_rsa = PK11_RSA();
-+#endif	/* OPENSSL_NO_RSA */
-+	if (!pk11_library_initialized)
-+		if (!pk11_library_init(e))
-+			return (0);
-+
-+	if (!ENGINE_set_id(e, engine_pk11_id) ||
-+	    !ENGINE_set_name(e, engine_pk11_name) ||
-+	    !ENGINE_set_ciphers(e, pk11_engine_ciphers) ||
-+	    !ENGINE_set_digests(e, pk11_engine_digests))
-+		return (0);
-+#ifndef OPENSSL_NO_RSA
-+	if (pk11_have_rsa == CK_TRUE)
-+		{
-+		if (!ENGINE_set_RSA(e, PK11_RSA()) ||
-+		    !ENGINE_set_load_privkey_function(e, pk11_load_privkey) ||
-+		    !ENGINE_set_load_pubkey_function(e, pk11_load_pubkey))
-+			return (0);
-+#ifdef	DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "%s: registered RSA\n", PK11_DBG);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+		}
-+#endif	/* OPENSSL_NO_RSA */
-+#ifndef OPENSSL_NO_DSA
-+	if (pk11_have_dsa == CK_TRUE)
-+		{
-+		if (!ENGINE_set_DSA(e, PK11_DSA()))
-+			return (0);
-+#ifdef	DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "%s: registered DSA\n", PK11_DBG);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+		}
-+#endif	/* OPENSSL_NO_DSA */
-+#ifndef OPENSSL_NO_DH
-+	if (pk11_have_dh == CK_TRUE)
-+		{
-+		if (!ENGINE_set_DH(e, PK11_DH()))
-+			return (0);
-+#ifdef	DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "%s: registered DH\n", PK11_DBG);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+		}
-+#endif	/* OPENSSL_NO_DH */
-+	if (pk11_have_random)
-+		{
-+		if (!ENGINE_set_RAND(e, &pk11_random))
-+			return (0);
-+#ifdef	DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "%s: registered random\n", PK11_DBG);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+		}
-+	if (!ENGINE_set_init_function(e, pk11_init) ||
-+	    !ENGINE_set_destroy_function(e, pk11_destroy) ||
-+	    !ENGINE_set_finish_function(e, pk11_finish) ||
-+	    !ENGINE_set_ctrl_function(e, pk11_ctrl) ||
-+	    !ENGINE_set_cmd_defns(e, pk11_cmd_defns))
-+		return (0);
-+
-+/*
-+ * Apache calls OpenSSL function RSA_blinding_on() once during startup
-+ * which in turn calls bn_mod_exp. Since we do not implement bn_mod_exp
-+ * here, we wire it back to the OpenSSL software implementation.
-+ * Since it is used only once, performance is not a concern.
-+ */
-+#ifndef OPENSSL_NO_RSA
-+	rsa = RSA_PKCS1_SSLeay();
-+	pk11_rsa->rsa_mod_exp = rsa->rsa_mod_exp;
-+	pk11_rsa->bn_mod_exp = rsa->bn_mod_exp;
-+	if (pk11_have_recover != CK_TRUE)
-+		pk11_rsa->rsa_pub_dec = rsa->rsa_pub_dec;
-+#endif	/* OPENSSL_NO_RSA */
-+
-+	/* Ensure the pk11 error handling is set up */
-+	ERR_load_pk11_strings();
-+
-+	return (1);
-+	}
-+
-+/* Dynamic engine support is disabled at a higher level for Solaris */
-+#ifdef	ENGINE_DYNAMIC_SUPPORT
-+#error  "dynamic engine not supported"
-+static int bind_helper(ENGINE *e, const char *id)
-+	{
-+	if (id && (strcmp(id, engine_pk11_id) != 0))
-+		return (0);
-+
-+	if (!bind_pk11(e))
-+		return (0);
-+
-+	return (1);
-+	}
-+
-+IMPLEMENT_DYNAMIC_CHECK_FN()
-+IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
-+
-+#else
-+static ENGINE *engine_pk11(void)
-+	{
-+	ENGINE *ret = ENGINE_new();
-+
-+	if (!ret)
-+		return (NULL);
-+
-+	if (!bind_pk11(ret))
-+		{
-+		ENGINE_free(ret);
-+		return (NULL);
-+		}
-+
-+	return (ret);
-+	}
-+
-+void
-+ENGINE_load_pk11(void)
-+	{
-+	ENGINE *e_pk11 = NULL;
-+
-+	/*
-+	 * Do not use dynamic PKCS#11 library on Solaris due to
-+	 * security reasons. We will link it in statically.
-+	 */
-+	/* Attempt to load PKCS#11 library */
-+	if (!pk11_dso)
-+		pk11_dso = DSO_load(NULL, get_PK11_LIBNAME(), NULL, 0);
-+
-+	if (pk11_dso == NULL)
-+		{
-+		PK11err(PK11_F_LOAD, PK11_R_DSO_FAILURE);
-+		return;
-+		}
-+
-+	e_pk11 = engine_pk11();
-+	if (!e_pk11)
-+		{
-+		DSO_free(pk11_dso);
-+		pk11_dso = NULL;
-+		return;
-+		}
-+
-+	/*
-+	 * At this point, the pk11 shared library is either dynamically
-+	 * loaded or statically linked in. So, initialize the pk11
-+	 * library before calling ENGINE_set_default since the latter
-+	 * needs cipher and digest algorithm information
-+	 */
-+	if (!pk11_library_init(e_pk11))
-+		{
-+		DSO_free(pk11_dso);
-+		pk11_dso = NULL;
-+		ENGINE_free(e_pk11);
-+		return;
-+		}
-+
-+	ENGINE_add(e_pk11);
-+
-+	ENGINE_free(e_pk11);
-+	ERR_clear_error();
-+	}
-+#endif	/* ENGINE_DYNAMIC_SUPPORT */
-+
-+/*
-+ * These are the static string constants for the DSO file name and
-+ * the function symbol names to bind to.
-+ */
-+static const char *PK11_LIBNAME = NULL;
-+
-+static const char *get_PK11_LIBNAME(void)
-+	{
-+	if (PK11_LIBNAME)
-+		return (PK11_LIBNAME);
-+
-+	return (def_PK11_LIBNAME);
-+	}
-+
-+static void free_PK11_LIBNAME(void)
-+	{
-+	if (PK11_LIBNAME)
-+		OPENSSL_free((void*)PK11_LIBNAME);
-+
-+	PK11_LIBNAME = NULL;
-+	}
-+
-+static long set_PK11_LIBNAME(const char *name)
-+	{
-+	free_PK11_LIBNAME();
-+
-+	return ((PK11_LIBNAME = BUF_strdup(name)) != NULL ? 1 : 0);
-+	}
-+
-+/* acquire all engine specific mutexes before fork */
-+static void pk11_fork_prepare(void)
-+	{
-+#ifndef NOPTHREADS
-+	int i;
-+
-+	if (!pk11_library_initialized)
-+		return;
-+
-+	LOCK_OBJSTORE(OP_RSA);
-+	LOCK_OBJSTORE(OP_DSA);
-+	LOCK_OBJSTORE(OP_DH);
-+	OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
-+	for (i = 0; i < OP_MAX; i++)
-+		{
-+		OPENSSL_assert(pthread_mutex_lock(session_cache[i].lock) == 0);
-+		}
-+#endif
-+	}
-+
-+/* release all engine specific mutexes */
-+static void pk11_fork_parent(void)
-+	{
-+#ifndef NOPTHREADS
-+	int i;
-+
-+	if (!pk11_library_initialized)
-+		return;
-+
-+	for (i = OP_MAX - 1; i >= 0; i--)
-+		{
-+		OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
-+		}
-+	UNLOCK_OBJSTORE(OP_DH);
-+	UNLOCK_OBJSTORE(OP_DSA);
-+	UNLOCK_OBJSTORE(OP_RSA);
-+	OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
-+#endif
-+	}
-+
-+/*
-+ * same situation as in parent - we need to unlock all locks to make them
-+ * accessible to all threads.
-+ */
-+static void pk11_fork_child(void)
-+	{
-+#ifndef NOPTHREADS
-+	int i;
-+
-+	if (!pk11_library_initialized)
-+		return;
-+
-+	for (i = OP_MAX - 1; i >= 0; i--)
-+		{
-+		OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
-+		}
-+	UNLOCK_OBJSTORE(OP_DH);
-+	UNLOCK_OBJSTORE(OP_DSA);
-+	UNLOCK_OBJSTORE(OP_RSA);
-+	OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
-+#endif
-+	}
-+
-+/* Initialization function for the pk11 engine */
-+static int pk11_init(ENGINE *e)
-+{
-+	return (pk11_library_init(e));
-+}
-+
-+static CK_C_INITIALIZE_ARGS pk11_init_args =
-+	{
-+	NULL_PTR,		/* CreateMutex */
-+	NULL_PTR,		/* DestroyMutex */
-+	NULL_PTR,		/* LockMutex */
-+	NULL_PTR,		/* UnlockMutex */
-+	CKF_OS_LOCKING_OK,	/* flags */
-+	NULL_PTR,		/* pReserved */
-+	};
-+
-+/*
-+ * Initialization function. Sets up various PKCS#11 library components.
-+ * It selects a slot based on predefined critiera. In the process, it also
-+ * count how many ciphers and digests to support. Since the cipher and
-+ * digest information is needed when setting default engine, this function
-+ * needs to be called before calling ENGINE_set_default.
-+ */
-+/* ARGSUSED */
-+static int pk11_library_init(ENGINE *e)
-+	{
-+	CK_C_GetFunctionList p;
-+	CK_RV rv = CKR_OK;
-+	CK_INFO info;
-+	CK_ULONG ul_state_len;
-+	int any_slot_found;
-+	int i;
-+#ifndef OPENSSL_SYS_WIN32
-+	struct sigaction sigint_act, sigterm_act, sighup_act;
-+#endif
-+
-+	/*
-+	 * pk11_library_initialized is set to 0 in pk11_finish() which
-+	 * is called from ENGINE_finish(). However, if there is still
-+	 * at least one existing functional reference to the engine
-+	 * (see engine(3) for more information), pk11_finish() is
-+	 * skipped. For example, this can happen if an application
-+	 * forgets to clear one cipher context. In case of a fork()
-+	 * when the application is finishing the engine so that it can
-+	 * be reinitialized in the child, forgotten functional
-+	 * reference causes pk11_library_initialized to stay 1. In
-+	 * that case we need the PID check so that we properly
-+	 * initialize the engine again.
-+	 */
-+	if (pk11_library_initialized)
-+		{
-+		if (pk11_pid == getpid())
-+			{
-+			return (1);
-+			}
-+		else
-+			{
-+			global_session = CK_INVALID_HANDLE;
-+			/*
-+			 * free the locks first to prevent memory leak in case
-+			 * the application calls fork() without finishing the
-+			 * engine first.
-+			 */
-+			pk11_free_all_locks();
-+			}
-+		}
-+
-+	if (pk11_dso == NULL)
-+		{
-+		PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
-+		goto err;
-+		}
-+
-+#ifdef	SOLARIS_AES_CTR
-+	/*
-+	 * We must do this before we start working with slots since we need all
-+	 * NIDs there.
-+	 */
-+	if (pk11_add_aes_ctr_NIDs() == 0)
-+		goto err;
-+#endif	/* SOLARIS_AES_CTR */
-+
-+#ifdef	SOLARIS_HW_SLOT_SELECTION
-+	if (check_hw_mechanisms() == 0)
-+		goto err;
-+#endif	/* SOLARIS_HW_SLOT_SELECTION */
-+
-+	/* get the C_GetFunctionList function from the loaded library */
-+	p = (CK_C_GetFunctionList)DSO_bind_func(pk11_dso,
-+		PK11_GET_FUNCTION_LIST);
-+	if (!p)
-+		{
-+		PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
-+		goto err;
-+		}
-+
-+	/* get the full function list from the loaded library */
-+	rv = p(&pFuncList);
-+	if (rv != CKR_OK)
-+		{
-+		PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE, rv);
-+		goto err;
-+		}
-+
-+#ifndef OPENSSL_SYS_WIN32
-+	/* Not all PKCS#11 library are signal safe! */
-+
-+	(void) memset(&sigint_act, 0, sizeof(sigint_act));
-+	(void) memset(&sigterm_act, 0, sizeof(sigterm_act));
-+	(void) memset(&sighup_act, 0, sizeof(sighup_act));
-+	(void) sigaction(SIGINT, NULL, &sigint_act);
-+	(void) sigaction(SIGTERM, NULL, &sigterm_act);
-+	(void) sigaction(SIGHUP, NULL, &sighup_act);
-+#endif
-+	rv = pFuncList->C_Initialize((CK_VOID_PTR)&pk11_init_args);
-+#ifndef OPENSSL_SYS_WIN32
-+	(void) sigaction(SIGINT, &sigint_act, NULL);
-+	(void) sigaction(SIGTERM, &sigterm_act, NULL);
-+	(void) sigaction(SIGHUP, &sighup_act, NULL);
-+#endif
-+	if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
-+		{
-+		PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_INITIALIZE, rv);
-+		goto err;
-+		}
-+
-+	rv = pFuncList->C_GetInfo(&info);
-+	if (rv != CKR_OK)
-+		{
-+		PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_GETINFO, rv);
-+		goto err;
-+		}
-+
-+	if (pk11_choose_slots(&any_slot_found) == 0)
-+		goto err;
-+
-+	/*
-+	 * The library we use, set in def_PK11_LIBNAME, may not offer any
-+	 * slot(s). In that case, we must not proceed but we must not return an
-+	 * error. The reason is that applications that try to set up the PKCS#11
-+	 * engine don't exit on error during the engine initialization just
-+	 * because no slot was present.
-+	 */
-+	if (any_slot_found == 0)
-+		return (1);
-+
-+	if (global_session == CK_INVALID_HANDLE)
-+		{
-+		/* Open the global_session for the new process */
-+		rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
-+			NULL_PTR, NULL_PTR, &global_session);
-+		if (rv != CKR_OK)
-+			{
-+			PK11err_add_data(PK11_F_LIBRARY_INIT,
-+			    PK11_R_OPENSESSION, rv);
-+			goto err;
-+			}
-+		}
-+
-+	/*
-+	 * Disable digest if C_GetOperationState is not supported since
-+	 * this function is required by OpenSSL digest copy function
-+	 */
-+	/* Keyper fails to return CKR_FUNCTION_NOT_SUPPORTED */
-+	if (pFuncList->C_GetOperationState(global_session, NULL, &ul_state_len)
-+			!= CKR_OK) {
-+#ifdef	DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "%s: C_GetOperationState() not supported, "
-+		    "setting digest_count to 0\n", PK11_DBG);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+		digest_count = 0;
-+	}
-+
-+	pk11_library_initialized = TRUE;
-+	pk11_pid = getpid();
-+	/*
-+	 * if initialization of the locks fails pk11_init_all_locks()
-+	 * will do the cleanup.
-+	 */
-+	if (!pk11_init_all_locks())
-+		goto err;
-+	for (i = 0; i < OP_MAX; i++)
-+		session_cache[i].head = NULL;
-+	/*
-+	 * initialize active lists. We only use active lists
-+	 * for asymmetric ciphers.
-+	 */
-+	for (i = 0; i < OP_MAX; i++)
-+		active_list[i] = NULL;
-+
-+#ifndef NOPTHREADS
-+	if (!pk11_atfork_initialized)
-+		{
-+		if (pthread_atfork(pk11_fork_prepare, pk11_fork_parent,
-+		    pk11_fork_child) != 0)
-+			{
-+			PK11err(PK11_F_LIBRARY_INIT, PK11_R_ATFORK_FAILED);
-+			goto err;
-+			}
-+		pk11_atfork_initialized = TRUE;
-+		}
-+#endif
-+
-+	return (1);
-+
-+err:
-+	return (0);
-+	}
-+
-+/* Destructor (complements the "ENGINE_pk11()" constructor) */
-+/* ARGSUSED */
-+static int pk11_destroy(ENGINE *e)
-+	{
-+	free_PK11_LIBNAME();
-+	ERR_unload_pk11_strings();
-+	if (pk11_pin) {
-+		memset(pk11_pin, 0, strlen(pk11_pin));
-+		OPENSSL_free((void*)pk11_pin);
-+	}