merge conflicts for bind-9.9.3-P2 trunk
authorchristos <christos@NetBSD.org>
Sat, 27 Jul 2013 19:23:09 +0000
branchtrunk
changeset 219995 71162f9b3052
parent 219994 20da60721356
child 219996 89101c374f7e
merge conflicts for bind-9.9.3-P2
external/bsd/bind/Makefile.inc
external/bsd/bind/bin/named/Makefile
external/bsd/bind/dist/CHANGES
external/bsd/bind/dist/REDIRECT-NOTES
external/bsd/bind/dist/bin/check/check-tool.c
external/bsd/bind/dist/bin/check/named-checkconf.c
external/bsd/bind/dist/bin/check/named-checkzone.8
external/bsd/bind/dist/bin/check/named-checkzone.c
external/bsd/bind/dist/bin/confgen/keygen.c
external/bsd/bind/dist/bin/confgen/rndc-confgen.c
external/bsd/bind/dist/bin/dig/dig.1
external/bsd/bind/dist/bin/dig/dig.c
external/bsd/bind/dist/bin/dig/dighost.c
external/bsd/bind/dist/bin/dig/host.c
external/bsd/bind/dist/bin/dig/include/dig/dig.h
external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.c
external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.c
external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c
external/bsd/bind/dist/bin/dnssec/dnssec-revoke.c
external/bsd/bind/dist/bin/dnssec/dnssec-settime.c
external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c
external/bsd/bind/dist/bin/dnssec/dnssec-verify.c
external/bsd/bind/dist/bin/dnssec/dnssectool.c
external/bsd/bind/dist/bin/named/client.c
external/bsd/bind/dist/bin/named/config.c
external/bsd/bind/dist/bin/named/control.c
external/bsd/bind/dist/bin/named/controlconf.c
external/bsd/bind/dist/bin/named/include/named/client.h
external/bsd/bind/dist/bin/named/include/named/globals.h
external/bsd/bind/dist/bin/named/include/named/server.h
external/bsd/bind/dist/bin/named/interfacemgr.c
external/bsd/bind/dist/bin/named/log.c
external/bsd/bind/dist/bin/named/logconf.c
external/bsd/bind/dist/bin/named/lwresd.c
external/bsd/bind/dist/bin/named/main.c
external/bsd/bind/dist/bin/named/named.8
external/bsd/bind/dist/bin/named/named.conf.5
external/bsd/bind/dist/bin/named/named.conf.docbook
external/bsd/bind/dist/bin/named/named.conf.html
external/bsd/bind/dist/bin/named/query.c
external/bsd/bind/dist/bin/named/server.c
external/bsd/bind/dist/bin/named/statschannel.c
external/bsd/bind/dist/bin/named/tkeyconf.c
external/bsd/bind/dist/bin/named/tsigconf.c
external/bsd/bind/dist/bin/named/unix/dlz_dlopen_driver.c
external/bsd/bind/dist/bin/named/update.c
external/bsd/bind/dist/bin/named/xfrout.c
external/bsd/bind/dist/bin/named/zoneconf.c
external/bsd/bind/dist/bin/nsupdate/nsupdate.c
external/bsd/bind/dist/bin/pkcs11/openssl-0.9.8s-patch
external/bsd/bind/dist/bin/pkcs11/openssl-1.0.0f-patch
external/bsd/bind/dist/bin/python/dnssec-checkds.8
external/bsd/bind/dist/bin/python/dnssec-checkds.docbook
external/bsd/bind/dist/bin/rndc/rndc.c
external/bsd/bind/dist/bin/tests/adb_test.c
external/bsd/bind/dist/bin/tests/byaddr_test.c
external/bsd/bind/dist/bin/tests/byname_test.c
external/bsd/bind/dist/bin/tests/db/t_db.c
external/bsd/bind/dist/bin/tests/db_test.c
external/bsd/bind/dist/bin/tests/dst/Kdh.+002+18602.key
external/bsd/bind/dist/bin/tests/dst/Kdh.+002+18602.private
external/bsd/bind/dist/bin/tests/dst/Kdh.+002+48957.key
external/bsd/bind/dist/bin/tests/dst/Kdh.+002+48957.private
external/bsd/bind/dist/bin/tests/dst/Ktest.+001+00002.key
external/bsd/bind/dist/bin/tests/dst/Ktest.+001+54622.key
external/bsd/bind/dist/bin/tests/dst/Ktest.+001+54622.private
external/bsd/bind/dist/bin/tests/dst/Ktest.+003+23616.key
external/bsd/bind/dist/bin/tests/dst/Ktest.+003+23616.private
external/bsd/bind/dist/bin/tests/dst/Ktest.+003+49667.key
external/bsd/bind/dist/bin/tests/dst/dst_2_data
external/bsd/bind/dist/bin/tests/dst/dst_test.c
external/bsd/bind/dist/bin/tests/dst/t2_data_1
external/bsd/bind/dist/bin/tests/dst/t2_data_2
external/bsd/bind/dist/bin/tests/dst/t2_dsasig
external/bsd/bind/dist/bin/tests/dst/t2_rsasig
external/bsd/bind/dist/bin/tests/dst/t_dst.c
external/bsd/bind/dist/bin/tests/fsaccess_test.c
external/bsd/bind/dist/bin/tests/names/t_names.c
external/bsd/bind/dist/bin/tests/rbt/t_rbt.c
external/bsd/bind/dist/bin/tests/rdata_test.c
external/bsd/bind/dist/bin/tests/resolver/t_resolver.c
external/bsd/bind/dist/bin/tests/shutdown_test.c
external/bsd/bind/dist/bin/tests/sig0_test.c
external/bsd/bind/dist/bin/tests/sock_test.c
external/bsd/bind/dist/bin/tests/system/checkconf/bad.conf
external/bsd/bind/dist/bin/tests/system/checkconf/badtsig.conf
external/bsd/bind/dist/bin/tests/system/lwresd/lwtest.c
external/bsd/bind/dist/bin/tests/system/redirect/ns2/redirect.db
external/bsd/bind/dist/bin/tests/system/rpz/rpz.c
external/bsd/bind/dist/bin/tests/system/rsabigexponent/bigkey.c
external/bsd/bind/dist/bin/tests/system/tkey/keycreate.c
external/bsd/bind/dist/bin/tests/task_test.c
external/bsd/bind/dist/bin/tests/timer_test.c
external/bsd/bind/dist/bin/tests/zone_test.c
external/bsd/bind/dist/bin/tools/genrandom.c
external/bsd/bind/dist/bin/tools/isc-hmac-fixup.8
external/bsd/bind/dist/config.h.in
external/bsd/bind/dist/contrib/dbus/GetForwarders
external/bsd/bind/dist/contrib/dbus/INSTALL
external/bsd/bind/dist/contrib/dbus/Makefile.9.3.2b1
external/bsd/bind/dist/contrib/dbus/Makefile.9.3.3rc2
external/bsd/bind/dist/contrib/dbus/README.DBUS
external/bsd/bind/dist/contrib/dbus/SetForwarders
external/bsd/bind/dist/contrib/dbus/bind-9.3.2b1-dbus.patch
external/bsd/bind/dist/contrib/dbus/bind-9.3.3rc2-dbus.patch
external/bsd/bind/dist/contrib/dbus/dbus_mgr.c
external/bsd/bind/dist/contrib/dbus/dbus_mgr.h
external/bsd/bind/dist/contrib/dbus/dbus_service.c
external/bsd/bind/dist/contrib/dbus/dbus_service.h
external/bsd/bind/dist/contrib/dbus/named-dbus-system.conf
external/bsd/bind/dist/contrib/dbus/named-dbus.service
external/bsd/bind/dist/contrib/dlz/drivers/dlz_filesystem_driver.c
external/bsd/bind/dist/contrib/dlz/drivers/dlz_ldap_driver.c
external/bsd/bind/dist/contrib/dlz/drivers/dlz_mysql_driver.c
external/bsd/bind/dist/contrib/dlz/drivers/sdlz_helper.c
external/bsd/bind/dist/contrib/dlz/example/dlz_example.c
external/bsd/bind/dist/contrib/dlz/example/dlz_minimal.h
external/bsd/bind/dist/contrib/query-loc-0.4.0/loc.c
external/bsd/bind/dist/contrib/queryperf/queryperf.c
external/bsd/bind/dist/contrib/sdb/sqlite/zone2sqlite.c
external/bsd/bind/dist/contrib/zkt/dki.c
external/bsd/bind/dist/contrib/zkt/doc/rfc5011.txt
external/bsd/bind/dist/contrib/zkt/zkt-soaserial.c
external/bsd/bind/dist/doc/arm/Bv9ARM.pdf
external/bsd/bind/dist/doc/misc/options
external/bsd/bind/dist/lib/bind9/check.c
external/bsd/bind/dist/lib/dns/acache.c
external/bsd/bind/dist/lib/dns/acl.c
external/bsd/bind/dist/lib/dns/adb.c
external/bsd/bind/dist/lib/dns/byaddr.c
external/bsd/bind/dist/lib/dns/cache.c
external/bsd/bind/dist/lib/dns/client.c
external/bsd/bind/dist/lib/dns/db.c
external/bsd/bind/dist/lib/dns/dbtable.c
external/bsd/bind/dist/lib/dns/diff.c
external/bsd/bind/dist/lib/dns/dispatch.c
external/bsd/bind/dist/lib/dns/dlz.c
external/bsd/bind/dist/lib/dns/dnssec.c
external/bsd/bind/dist/lib/dns/dst_api.c
external/bsd/bind/dist/lib/dns/dst_internal.h
external/bsd/bind/dist/lib/dns/dst_openssl.h
external/bsd/bind/dist/lib/dns/ecdb.c
external/bsd/bind/dist/lib/dns/gen.c
external/bsd/bind/dist/lib/dns/gssapictx.c
external/bsd/bind/dist/lib/dns/include/dns/acache.h
external/bsd/bind/dist/lib/dns/include/dns/adb.h
external/bsd/bind/dist/lib/dns/include/dns/cache.h
external/bsd/bind/dist/lib/dns/include/dns/db.h
external/bsd/bind/dist/lib/dns/include/dns/dispatch.h
external/bsd/bind/dist/lib/dns/include/dns/message.h
external/bsd/bind/dist/lib/dns/include/dns/name.h
external/bsd/bind/dist/lib/dns/include/dns/ncache.h
external/bsd/bind/dist/lib/dns/include/dns/nsec.h
external/bsd/bind/dist/lib/dns/include/dns/nsec3.h
external/bsd/bind/dist/lib/dns/include/dns/rdata.h
external/bsd/bind/dist/lib/dns/include/dns/resolver.h
external/bsd/bind/dist/lib/dns/include/dns/result.h
external/bsd/bind/dist/lib/dns/include/dns/rpz.h
external/bsd/bind/dist/lib/dns/include/dns/types.h
external/bsd/bind/dist/lib/dns/include/dns/validator.h
external/bsd/bind/dist/lib/dns/include/dns/view.h
external/bsd/bind/dist/lib/dns/include/dns/zone.h
external/bsd/bind/dist/lib/dns/include/dst/dst.h
external/bsd/bind/dist/lib/dns/iptable.c
external/bsd/bind/dist/lib/dns/journal.c
external/bsd/bind/dist/lib/dns/keytable.c
external/bsd/bind/dist/lib/dns/lookup.c
external/bsd/bind/dist/lib/dns/master.c
external/bsd/bind/dist/lib/dns/message.c
external/bsd/bind/dist/lib/dns/name.c
external/bsd/bind/dist/lib/dns/ncache.c
external/bsd/bind/dist/lib/dns/nsec.c
external/bsd/bind/dist/lib/dns/nsec3.c
external/bsd/bind/dist/lib/dns/openssl_link.c
external/bsd/bind/dist/lib/dns/openssldsa_link.c
external/bsd/bind/dist/lib/dns/opensslecdsa_link.c
external/bsd/bind/dist/lib/dns/opensslgost_link.c
external/bsd/bind/dist/lib/dns/opensslrsa_link.c
external/bsd/bind/dist/lib/dns/peer.c
external/bsd/bind/dist/lib/dns/private.c
external/bsd/bind/dist/lib/dns/rbt.c
external/bsd/bind/dist/lib/dns/rbtdb.c
external/bsd/bind/dist/lib/dns/rdata.c
external/bsd/bind/dist/lib/dns/rdata/any_255/tsig_250.c
external/bsd/bind/dist/lib/dns/rdata/generic/dlv_32769.c
external/bsd/bind/dist/lib/dns/rdata/generic/keydata_65533.c
external/bsd/bind/dist/lib/dns/rdata/generic/mx_15.c
external/bsd/bind/dist/lib/dns/rdata/generic/nsec3_50.c
external/bsd/bind/dist/lib/dns/rdata/generic/sshfp_44.c
external/bsd/bind/dist/lib/dns/rdata/generic/txt_16.c
external/bsd/bind/dist/lib/dns/rdata/in_1/nsap_22.c
external/bsd/bind/dist/lib/dns/request.c
external/bsd/bind/dist/lib/dns/resolver.c
external/bsd/bind/dist/lib/dns/result.c
external/bsd/bind/dist/lib/dns/rootns.c
external/bsd/bind/dist/lib/dns/rpz.c
external/bsd/bind/dist/lib/dns/sdb.c
external/bsd/bind/dist/lib/dns/sdlz.c
external/bsd/bind/dist/lib/dns/spnego.c
external/bsd/bind/dist/lib/dns/spnego_asn1.c
external/bsd/bind/dist/lib/dns/ssu.c
external/bsd/bind/dist/lib/dns/ssu_external.c
external/bsd/bind/dist/lib/dns/tests/Makefile.in
external/bsd/bind/dist/lib/dns/tests/master_test.c
external/bsd/bind/dist/lib/dns/tkey.c
external/bsd/bind/dist/lib/dns/tsig.c
external/bsd/bind/dist/lib/dns/validator.c
external/bsd/bind/dist/lib/dns/view.c
external/bsd/bind/dist/lib/dns/xfrin.c
external/bsd/bind/dist/lib/dns/zone.c
external/bsd/bind/dist/lib/export/samples/nsprobe.c
external/bsd/bind/dist/lib/export/samples/sample-async.c
external/bsd/bind/dist/lib/export/samples/sample-gai.c
external/bsd/bind/dist/lib/export/samples/sample-request.c
external/bsd/bind/dist/lib/export/samples/sample-update.c
external/bsd/bind/dist/lib/export/samples/sample.c
external/bsd/bind/dist/lib/irs/dnsconf.c
external/bsd/bind/dist/lib/irs/getaddrinfo.c
external/bsd/bind/dist/lib/irs/getnameinfo.c
external/bsd/bind/dist/lib/irs/resconf.c
external/bsd/bind/dist/lib/isc/buffer.c
external/bsd/bind/dist/lib/isc/include/isc/buffer.h
external/bsd/bind/dist/lib/isc/include/isc/file.h
external/bsd/bind/dist/lib/isc/include/isc/list.h
external/bsd/bind/dist/lib/isc/include/isc/mem.h
external/bsd/bind/dist/lib/isc/include/isc/namespace.h
external/bsd/bind/dist/lib/isc/include/isc/queue.h
external/bsd/bind/dist/lib/isc/include/isc/radix.h
external/bsd/bind/dist/lib/isc/include/isc/region.h
external/bsd/bind/dist/lib/isc/include/isc/sockaddr.h
external/bsd/bind/dist/lib/isc/include/isc/socket.h
external/bsd/bind/dist/lib/isc/include/isc/task.h
external/bsd/bind/dist/lib/isc/include/isc/timer.h
external/bsd/bind/dist/lib/isc/inet_aton.c
external/bsd/bind/dist/lib/isc/log.c
external/bsd/bind/dist/lib/isc/mem.c
external/bsd/bind/dist/lib/isc/parseint.c
external/bsd/bind/dist/lib/isc/pthreads/thread.c
external/bsd/bind/dist/lib/isc/radix.c
external/bsd/bind/dist/lib/isc/ratelimiter.c
external/bsd/bind/dist/lib/isc/sockaddr.c
external/bsd/bind/dist/lib/isc/socket_api.c
external/bsd/bind/dist/lib/isc/sparc64/include/isc/atomic.h
external/bsd/bind/dist/lib/isc/symtab.c
external/bsd/bind/dist/lib/isc/task.c
external/bsd/bind/dist/lib/isc/taskpool.c
external/bsd/bind/dist/lib/isc/tests/isctest.h
external/bsd/bind/dist/lib/isc/timer.c
external/bsd/bind/dist/lib/isc/timer_api.c
external/bsd/bind/dist/lib/isc/unix/entropy.c
external/bsd/bind/dist/lib/isc/unix/file.c
external/bsd/bind/dist/lib/isc/unix/include/isc/time.h
external/bsd/bind/dist/lib/isc/unix/net.c
external/bsd/bind/dist/lib/isc/unix/socket.c
external/bsd/bind/dist/lib/isc/unix/time.c
external/bsd/bind/dist/lib/isc/win32/dir.c
external/bsd/bind/dist/lib/isc/win32/entropy.c
external/bsd/bind/dist/lib/isc/win32/file.c
external/bsd/bind/dist/lib/isc/win32/fsaccess.c
external/bsd/bind/dist/lib/isc/win32/include/isc/time.h
external/bsd/bind/dist/lib/isc/win32/net.c
external/bsd/bind/dist/lib/isc/win32/ntgroups.c
external/bsd/bind/dist/lib/isc/win32/os.c
external/bsd/bind/dist/lib/isc/win32/socket.c
external/bsd/bind/dist/lib/isc/win32/time.c
external/bsd/bind/dist/lib/isc/win32/win32os.c
external/bsd/bind/dist/lib/isccc/cc.c
external/bsd/bind/dist/lib/isccfg/aclconf.c
external/bsd/bind/dist/lib/isccfg/include/isccfg/cfg.h
external/bsd/bind/dist/lib/isccfg/namedconf.c
external/bsd/bind/dist/lib/isccfg/parser.c
external/bsd/bind/dist/lib/lwres/context.c
external/bsd/bind/dist/lib/lwres/getaddrinfo.c
external/bsd/bind/dist/lib/lwres/getipnode.c
external/bsd/bind/dist/lib/lwres/getnameinfo.c
external/bsd/bind/dist/lib/lwres/getrrset.c
external/bsd/bind/dist/lib/lwres/lwinetaton.c
external/bsd/bind/dist/lib/lwres/print.c
external/bsd/bind/dist/lib/lwres/win32/lwconfig.c
external/bsd/bind/dist/lib/tests/t_api.c
external/bsd/bind/dist/libtool.m4
external/bsd/bind/dist/ltmain.sh
external/bsd/bind/dist/make/rules.in
external/bsd/bind/dist/o
external/bsd/bind/dist/srcid
external/bsd/bind/dist/version
external/bsd/bind/include/config.h
external/bsd/bind/include/dns/code.h
external/bsd/bind/include/dns/enumclass.h
external/bsd/bind/include/dns/enumtype.h
external/bsd/bind/include/dns/rdatastruct.h
external/bsd/bind/lib/libbind9/shlib_version
external/bsd/bind/lib/libdns/Makefile
external/bsd/bind/lib/libdns/shlib_version
external/bsd/bind/lib/libisc/Makefile
external/bsd/bind/lib/libisc/shlib_version
external/bsd/bind/lib/libisccc/shlib_version
external/bsd/bind/lib/libisccfg/shlib_version
external/bsd/bind/lib/liblwres/shlib_version
--- a/external/bsd/bind/Makefile.inc	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/Makefile.inc	Sat Jul 27 19:23:09 2013 +0000
@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile.inc,v 1.13 2012/05/09 21:59:10 christos Exp $
+#	$NetBSD: Makefile.inc,v 1.14 2013/07/27 19:23:09 christos Exp $
 
 .if !defined(BIND9_MAKEFILE_INC)
 BIND9_MAKEFILE_INC=yes
@@ -89,10 +89,10 @@
 .endif
 
 .if ${NAMED_USE_OPENSSL} == "yes"
-CPPFLAGS+=-DOPENSSL
+CPPFLAGS+=-DOPENSSL -DGSSAPI -DUSE_ISC_SPNEGO
 .if !defined (LIB) || empty(LIB)
-LDADD+= -lcrypto
-DPADD+= ${LIBCRYPTO}
+LDADD+= -lgssapi -lkrb5 -lcrypto
+DPADD+= ${LIBGSSAPI} ${LIBKRB5} ${LIBCRYPTO}
 .else
 .if exists(${NETBSDSRCDIR}/crypto/external/bsd/openssl/lib/libcrypto)
 LIBDPLIBS+=	crypto ${NETBSDSRCDIR}/crypto/external/bsd/openssl/lib/libcrypto
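Review bot: The new `-DGSSAPI -DUSE_ISC_SPNEGO` and `-lgssapi -lkrb5` on the `CPPFLAGS`, `LDADD` and `DPADD` lines are keyed only on `NAMED_USE_OPENSSL`, so GSS-API support is now compiled into every OpenSSL-enabled build with no separate switch. A tree built with OpenSSL but without the Kerberos libraries would presumably fail at link time, and operators who never use GSS-TSIG still get the GSS-API and SPNEGO code paths in named. Consider wrapping the three additions in their own guard, for example `.if ${MKKERBEROS} != "no"` (assuming that variable is in scope at this point), with a comment such as `# GSS-TSIG support; requires Kerberos libraries`. The `.else` branch for library builds continues outside the hunk, and the visible part adds only `crypto` to `LIBDPLIBS`, so whether it gets matching gssapi/krb5 entries cannot be checked here.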
--- a/external/bsd/bind/bin/named/Makefile	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/bin/named/Makefile	Sat Jul 27 19:23:09 2013 +0000
@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.6 2012/09/23 17:22:22 joerg Exp $
+#	$NetBSD: Makefile,v 1.7 2013/07/27 19:23:09 christos Exp $
 
 .include <bsd.own.mk>
 
@@ -11,7 +11,10 @@
 
 DIST=${IDIST}/bin/named
 CPPFLAGS+=-I${DIST}/include -I${DIST}/unix/include -DCONFIGARGS=\"defaults\"
-CPPFLAGS+=-DNO_VERSION_DATE
+CPPFLAGS+=-DNO_VERSION_DATE -DPRODUCT=\"BIND\" -DSRCID=\"${SRCID}\"
+CPPFLAGS+=-DDESCRIPTION=\"\(Extended\ Support\ Version\)\"
+
+.include "${IDIST}/srcid"
 
 .if defined(HAVE_GCC) || defined(HAVE_LLVM)
 .for f in client
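Review bot: `-DSRCID=\"${SRCID}\"` is used two lines before `.include "${IDIST}/srcid"` defines it, which works only because make expands `${SRCID}` lazily when `CPPFLAGS` is finally used. If the included file ever fails to set `SRCID`, the build still succeeds and `named -V` reports an empty source id, which makes it harder to confirm which patched source a deployed binary came from. Moving the `.include` above the `CPPFLAGS` lines, or adding a comment such as `# SRCID is set by ${IDIST}/srcid, included below`, would make the dependency explicit. `PRODUCT` and `DESCRIPTION` are hard-coded here rather than taken from the dist tree, so they will need a manual check on the next import. The `.if defined(HAVE_GCC) || defined(HAVE_LLVM)` block continues outside the hunk.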
--- a/external/bsd/bind/dist/CHANGES	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/CHANGES	Sat Jul 27 19:23:09 2013 +0000
@@ -1,13 +1,499 @@
-	--- 9.9.2-P1 released ---
-
-3407.	[security]	Named could die on specific queries with dns64 enabled.
-			[Addressed in change #3388 for BIND 9.8.5 and 9.9.3.]
+	--- 9.9.3-P2 released ---
+
+3621.	[security]	Incorrect bounds checking on private type 'keydata'
+			can lead to a remotely triggerable REQUIRE failure
+			(CVE-2013-4854). [RT #34238]
+
+	--- 9.9.3-P1 released ---
+
+3584.	[security]	Caching data from an incompletely signed zone could
+			trigger an assertion failure in resolver.c [RT #33690]
+
+	--- 9.9.3 released ---
+
+3568.	[cleanup]	Add a product description line to the version file,
+			to be reported by named -v/-V. [RT #33366]
+
+3567.	[bug]		Silence clang static analyzer warnings. [RT #33365]
+
+3563.	[contrib]	zone2sqlite failed with some table names. [RT #33375]
+
+3561.	[bug]		dig: issue a warning if an EDNS query returns FORMERR
+			or NOTIMP.  Adjust usage message. [RT #33363]
+
+	--- 9.9.3rc2 released ---
+
+3560.	[bug]		isc-config.sh did not honor includedir and libdir
+			when set via configure. [RT #33345]
+
+3559.	[func]		Check that both forms of Sender Policy Framework
+			records exist or do not exist. [RT #33355]
+
+3558.	[bug]		IXFR of a DLZ stored zone was broken. [RT #33331]
+
+3557.	[bug]		Reloading redirect zones was broken. [RT #33292]
+
+3556.	[maint]		Added AAAA for D.ROOT-SERVERS.NET.
+
+3555.	[bug]		Address theoretical race conditions in acache.c
+			(change #3553 was incomplete). [RT #33252]
+
+3553.	[bug]		Address suspected double free in acache. [RT #33252]
+
+3552.	[bug]		Wrong getopt option string for 'nsupdate -r'.
+			[RT #33280]
+
+3549.	[doc]		Documentation for "request-nsid" was missing.
+			[RT #33153]
+
+3548.	[bug]		The NSID request code in resolver.c was broken
+			resulting in invalid EDNS options being sent.
+			[RT #33153]
+
+3547.	[bug]		Some malformed unknown rdata records were not properly
+			detected and rejected. [RT #33129]
+
+	--- 9.9.3rc1 released ---
+
+3546.	[func]		Add EUI48 and EUI64 types. [RT #33082]
+
+3544.	[contrib]	check5011.pl: Script to report the status of
+			managed keys as recorded in managed-keys.bind.
+			Contributed by Tony Finch <dot@dotat.at>
+
+3543.	[bug]		Update socket structure before attaching to socket
+			manager after accept. [RT #33084]
+
+3541.	[bug]		Parts of libdns were not properly initialized when
+			built in libexport mode. [RT #33028]
+
+3540.	[test]		libt_api: t_info and t_assert were not thread safe.
+
+3539.	[port]		win32: timestamp format didn't match other platforms.
+
+3538.	[test]		Running "make test" now requires loopback interfaces
+			to be set up. [RT #32452]
+
+3537.	[tuning]	Slave zones, when updated, now send NOTIFY messages
+			to peers before being dumped to disk rather than
+			after. [RT #27242]
+
+3535.	[bug]		Minor win32 cleanups. [RT #32962]
+
+3534.	[bug]		Extra text after an embedded NULL was ignored when
+			parsing zone files. [RT #32699]
+
+3533.	[contrib]	query-loc-0.4.0: memory leaks. [RT #32960]
+
+3532.	[contrib]	zkt: fixed buffer overrun, resource leaks. [RT #32960]
+
+3531.	[bug]		win32: A uninitialized value could be returned on out
+			of memory. [RT #32960]
+
+3530.	[contrib]	Better RTT tracking in queryperf. [RT #30128]
+
+3528.	[func]		New "dnssec-coverage" command scans the timing
+			metadata for a set of DNSSEC keys and reports if a
+			lapse in signing coverage has been scheduled
+			inadvertently. (Note: This tool depends on python;
+			it will not be built or installed on systems that
+			do not have a python interpreter.) [RT #28098]
+
+3527.	[compat]	Add a URI to allow applications to explicitly
+			request a particular XML schema from the statistics
+			channel, returning 404 if not supported. [RT #32481]
+
+3526.	[cleanup]	Set up dependencies for unit tests correctly during
+			build. [RT #32803]
+
+3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]
+
+3520.	[bug]		'mctx' was not being referenced counted in some places
+			where it should have been.  [RT #32794]
+
+	--- 9.9.3b2 released ---
+
+3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]
+
+3515.	[port]		'%T' is not portable in strftime(). [RT #32763]
+
+3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
+			rndc-confgen were too constrained. Keys up to 512
+			bits are now allowed for most algorithms, and up
+			to 1024 bits for hmac-sha384 and hmac-sha512.
+			[RT #32753]
+
+3511.	[doc]		Improve documentation of redirect zones. [RT #32756]
+
+3509.	[cleanup]	Added a product line to version file to allow for
+			easy naming of different products (BIND
+			vs BIND ESV, for example). [RT #32755]
+
+3508.	[contrib]	queryperf was incorrectly rejecting the -T option.
+			[RT #32338]
+
+3507.	[bug]		Statistics channel XSL (when built with
+			--enable-newstats) had a glitch when attempting
+			to chart query data before any queries had been
+			received. [RT #32620]
+
+3505.	[bug]		When setting "max-cache-size" and "max-acache-size",
+			larger values than 4 gigabytes could not be set
+			explicitly, though larger sizes were available
+			when setting cache size to 0. This has been
+			corrected; the full range is now available.
+			[RT #32358]
+
+3503.	[doc]		Clarify size_spec syntax. [RT #32449]
+
+3501.	[func]		zone-statistics now takes three options: full,
+			terse, and none. "yes" and "no" are retained as
+			synonyms for full and terse, respectively. [RT #29165]
+
+3500.	[security]	Support NAPTR regular expression validation on
+			all platforms without using libregex, which
+			can be vulnerable to memory exhaustion attack
+			(CVE-2013-2266). [RT #32688]
+
+3499.	[doc]		Corrected ARM documentation of built-in zones.
+			[RT #32694]
+
+3498.	[bug]		zone statistics for zones which matched a potential
+			empty zone could have their zone-statistics setting
+			overridden.
+
+3496.	[func]		Improvements to RPZ performance. The "response-policy"
+			syntax now includes a "min-ns-dots" clause, with
+			default 1, to exclude top-level domains from
+			NSIP and NSDNAME checking. --enable-rpz-nsip and
+			--enable-rpz-nsdname are now the default. [RT #32251]
+
+3493.	[contrib]	Added BDBHPT dynamically-lodable DLZ module,
+			contributed by Mark Goldfinch. [RT #32549]
+
+3492.	[bug]		Fixed a regression in zone loading performance
+			due to lock contention. [RT #30399]
+
+3491.	[bug]		Slave zones using inline-signing must specify a
+			file name. [RT #31946]
+
+3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
+			When cloning a rdataset do not copy the link contents.
+			[RT #32651]
+
+3488.	[bug]		Use after free error with DH generated keys. [RT #32649]
+
+3487.	[bug]		Change 3444 was not complete.  There was a additional
+			place where the NOQNAME proof needed to be saved.
+			[RT #32629]
+
+3486.	[bug]		named could crash when using TKEY-negotiated keys
+			that had been deleted and then recreated. [RT #32506]
+
+3485.	[cleanup]	Only compile openssl_gostlink.c if we support GOST.
+
+3483.	[bug]		Corrected XSL code in use with --enable-newstats.
+			[RT #32587]
+
+3481.	[cleanup]	Removed use of const const in atf.
+
+3480.	[bug]		Silence logging noise when setting up zone
+			statistics. [RT #32525]
+
+3479.	[bug]		Address potential memory leaks in gssapi support
+			code. [RT #32405]
+
+3478.	[port]		Fix a build failure in strict C99 environments
+			[RT #32475]
+
+3474.	[bug]		nsupdate could assert when the local and remote
+			address families didn't match. [RT #22897]
+
+3473.	[bug]		dnssec-signzone/verify could incorrectly report
+			an error condition due to an empty node above an
+			opt-out delegation lacking an NSEC3. [RT #32072]
+
+3471.	[bug]		The number of UDP dispatches now defaults to
+			the number of CPUs even if -n has been set to
+			a higher value. [RT #30964]
+
+3470.	[bug]		Slave zones could fail to dump when successfully
+			refreshing after an initial failure. [RT #31276]
+
+	--- 9.9.3b1 released ---
+
+3468.	[security]	RPZ rules to generate A records (but not AAAA records)
+			could trigger an assertion failure when used in
+			conjunction with DNS64 (CVE-2012-5689). [RT #32141]
+
+3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
+			to check for delete date < inactive date. [RT #31719]
+
+3466.	[contrib]	Corrected the DNS_CLIENTINFOMETHODS_VERSION check
+			in DLZ example driver. [RT #32275]
+
+3465.	[bug]		Handle isolated reserved ports. [RT #31778]
+
+3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
+			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]
+
+3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]
+
+3462.	[doc]		Clarify server selection behavior of dig when using
+			-4 or -6 options. [RT #32181]
+
+3461.	[bug]		Negative responses could incorrectly have AD=1
+			set. [RT #32237]
+
+3460.	[bug]		Only link against readline where needed. [RT #29810]
+
+3458.	[bug]		Return FORMERR when presented with a overly long
+			domain named in a request. [RT #29682]
+
+3457.	[protocol]	Add ILNP records (NID, LP, L32, L64). [RT #31836]
+
+3456.	[port]		g++47: ATF failed to compile. [RT #32012]
+
+3455.	[contrib]	queryperf: fix getopt option list. [RT #32338]
+
+3454.	[port]		sparc64: improve atomic support. [RT #25182]
+
+3453.	[bug]		'rndc addzone' of a zone with 'inline-signing yes;'
+			failed. [RT #31960]
+
+3452.	[bug]		Accept duplicate singleton records. [RT #32329]
+
+3451.	[port]		Increase per thread stack size from 64K to 1M.
+			[RT #32230]
+
+3450.	[bug]		Stop logfileconfig system test spam system logs.
+			[RT #32315]
+
+3449.	[bug]		gen.c: use the pre-processor to construct format
+			strings so that compiler can perform sanity checks;
+			check the snprintf results. [RT #17576]
+
+3448.	[bug]		The allow-query-on ACL was not processed correctly.
+			[RT #29486]
+
+3447.	[port]		Add support for libxml2-2.9.x [RT #32231]
+
+3446.	[port]		win32: Add source ID (see change #3400) to build.
+			[RT #31683]
+
+3445.	[bug]		Warn about zone files with blank owner names
+			immediately after $ORIGIN directives. [RT #31848]
+
+3444.	[bug]		The NOQNAME proof was not being returned from cached
+			insecure responses. [RT #21409]
+
+3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
+			rejected when generating keys. [RT #31927]
+
+3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
+			change. [RT #32216]
+
+3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.
+
+3440.	[bug]		Reorder get_key_struct to not trigger a assertion when
+			cleaning up due to out of memory error. [RT #32131]
+
+3439.	[bug]		contrib/dlz error checking fixes. [RT #32102]
+
+3438.	[bug]		Don't accept unknown data escape in quotes. [RT #32031]
+
+3437.	[bug]		isc_buffer_init -> isc_buffer_constinit to initialize
+			buffers with constant data. [RT #32064]
+
+3436.	[bug]		Check malloc/calloc return values. [RT #32088]
+
+3435.	[bug]		Cross compilation support in configure was broken.
+			[RT #32078]
+
+3431.	[bug]		ddns-confgen: Some valid key algorithms were
+			not accepted. [RT #31927]
+
+3430.	[bug]		win32: isc_time_formatISO8601 was missing the
+			'T' between the date and time. [RT #32044]
+
+3429.	[bug]		dns_zone_getserial2 could a return success without
+			returning a valid serial. [RT #32007]
+
+3428.	[cleanup]	dig: Add timezone to date output. [RT #2269]
+
+3427.	[bug]		dig +trace incorrectly displayed name server
+			addresses instead of names. [RT #31641]
+
+3426.	[bug]		dnssec-checkds: Clearer output when records are not
+			found. [RT #31968]
+
+3425.	[bug]		"acacheentry" reference counting was broken resulting
+			in use after free. [RT #31908]
+
+3424.	[func]		dnssec-dsfromkey now emits the hash without spaces.
+			[RT #31951]
+
+3423.	[bug]		"rndc signing -nsec3param" didn't accept the full
+			range of possible values.  Address portability issues.
+			[RT #31938]
+
+3422.	[bug]		Added a clear error message for when the SOA does not
+			match the referral. [RT #31281]
+
+3421.	[bug]		Named loops when re-signing if all keys are offline.
+			[RT #31916]
+
+3420.	[bug]		Address VPATH compilation issues. [RT #31879]
+
+3419.	[bug]		Memory leak on validation cancel. [RT #31869]
+
+3417.	[func]		Optional new XML schema (version 3.0) for the
+			statistics channel adds query type statistics at the
+			zone level, and flattens the XML tree and uses
+			compressed format to optimize parsing. Includes new XSL
+			that permits charting via the Google Charts API on
+			browsers that support javascript in XSL.  To enable,
+			build with "configure --enable-newstats". [RT #30023]
+
+3416.	[bug]		Named could die on shutdown if running with 128 UDP
+			dispatches per interface. [RT #31743]
+
+3415.	[bug]		named could die with a REQUIRE failure if a validation
+			was canceled. [RT #31804]
+
+3414.	[bug]		Address locking issues found by Coverity. [RT #31626]
+
+3412.	[bug]		Copy timeval structure from control message data.
+			[RT #31548]
+
+3411.	[tuning]	Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
+			to UDP. [RT #31690]
+
+3410.	[bug]		Addressed Coverity warnings. [RT #31626]
+
+3409.	[contrib]	contrib/dane/mkdane.sh: Tool to generate TLSA RR's
+			from X.509 certificates, for use with DANE
+			(DNS-based Authentication of Named Entities).
+			[RT #30513]
+
+3408.	[bug]		Some DNSSEC-related options (update-check-ksk,
+			dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
+			are now legal in slave zones as long as
+			inline-signing is in use. [RT #31078]
+
+3406.	[bug]		mem.c: Fix compilation errors when building with
+			ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
+			Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
+
+3405.	[bug]		Handle time going backwards in acache. [RT #31253]
+
+3404.	[bug]		dnssec-signzone: When re-signing a zone, remove
+			RRSIG and NSEC records from nodes that used to be
+			in-zone but are now below a zone cut. [RT #31556]
+
+3403.	[bug]		Silence noisy OpenSSL logging. [RT #31497]
+
+3402.	[test]		The IPv6 interface numbers used for system
+			tests were incorrect on some platforms. [RT #25085]
+
+3401.	[bug]		Addressed Coverity warnings. [RT #31484]
+
+3400.	[cleanup]	"named -V" can now report a source ID string, defined
+			in the "srcid" file in the build tree and normally set
+			to the most recent git hash.  [RT #31494]
+
+3399.	[port]		netbsd: rename 'bool' parameter to avoid namespace
+			clash.  [RT #31515]
+
+3398.	[bug]		SOA parameters were not being updated with inline
+			signed zones if the zone was modified while the
+			server was offline. [RT #29272]
+
+3397.	[bug]		dig crashed when using +nssearch with +tcp. [RT #25298]
+
+3396.	[bug]		OPT records were incorrectly removed from signed,
+			truncated responses. [RT #31439]
+
+3395.	[protocol]	Add RFC 6598 reverse zones to built in empty zones
+			list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
+			[RT #31336]
+
+3394.	[bug]		Adjust 'successfully validated after lower casing
+			signer' log level and category. [RT #31414]
+
+3393.	[bug]		'host -C' could core dump if REFUSED was received.
+			[RT #31381]
+
+3391.	[bug]		A DNSKEY lookup that encountered a CNAME failed.
+			[RT #31262]
+
+3390.	[bug]		Silence clang compiler warnings. [RT #30417]
+
+3389.	[bug]		Always return NOERROR (not 0) in TSIG. [RT #31275]
+
+3388.	[bug]		Fixed several Coverity warnings.
+			Note: This change includes a fix for a bug that
+			was subsequently determined to be an exploitable
+			security vulnerability, CVE-2012-5688: named could
+			die on specific queries with dns64 enabled.
+			[RT #30996]
+
+3386.	[bug]		Address locking violation when generating new NSEC /
+			NSEC3 chains. [RT #31224]
+
+3385.	[bug]		named-checkconf didn't detect missing master lists
+			in also-notify clauses. [RT #30810]
+
+3384.	[bug]		Improved logging of crypto errors. [RT #30963]
+
+3382.	[bug]		SOA query from slave used use-v6-udp-ports range,
+			if set, regardless of the address family in use.
+			[RT #24173]
+
+3381.	[contrib]	Update queryperf to support more RR types.
+			[RT #30762]
+
+3380.	[bug]		named could die if a nonexistent master list was
+			referenced in a also-notify. [RT #31004]
+
+3379.	[bug]		isc_interval_zero and isc_time_epoch should be
+			"const (type)* const". [RT #31069]
+
+3378.	[bug]		Handle missing 'managed-keys-directory' better.
+			[RT #30625]
+
+3377.	[bug]		Removed spurious newline from NSEC3 multiline
+			output. [RT #31044]
+
+3376.	[bug]		Lack of EDNS support was being recorded without a
+			successful response. [RT #30811]
+
+3375.	[func]		Check that 'rndc dumpdb' works on a empty cache.
+			[RT #30808]
+
+3374.	[bug]		isc_parse_uint32 failed to return a range error on
+			systems with 64 bit longs. [RT #30232]
+
+3372.	[bug]		Silence spurious "deleted from unreachable cache"
+			messages.  [RT #30501]
+
+3371.	[bug]		AD=1 should behave like DO=1 when deciding whether to
+			add NS RRsets to the additional section or not.
+			[RT #30479]
+
+3316.	[tuning]	Improved locking performance when recursing.
+			[RT #28836]
+
+3315.	[tuning]	Use multiple dispatch objects for sending upstream
+			queries; this can improve performance on busy
+			multiprocessor systems by reducing lock contention.
+			[RT #28605]
 
 	--- 9.9.2 released ---
 
 3383.	[security]	A certain combination of records in the RBT could
-                        cause named to hang while populating the additional
-                        section of a response. [RT #31090]
+			cause named to hang while populating the additional
+			section of a response. [RT #31090]
 
 3373.	[bug]		win32: open raw files in binary mode. [RT #30944]
 
@@ -124,7 +610,7 @@
 			to get an answer. [RT #29492]
 
 3334.	[bug]		Hold a zone table reference while performing a
-			asyncronous load of a zone. [RT #28326]
+			asynchronous load of a zone. [RT #28326]
 
 3333.	[bug]		Setting resolver-query-timeout too low can cause
 			named to not recover if it loses connectivity.
@@ -164,11 +650,11 @@
 	--- 9.9.1 released ---
 
 3318.	[tuning]	Reduce the amount of work performed while holding a
-			bucket lock when finshed with a fetch context.
+			bucket lock when finished with a fetch context.
 			[RT #29239]
 
-3314.	[bug]		The masters list could be updated while refesh_callback
-			and stub_callback were using it. [RT #26732]
+3314.	[bug]		The masters list could be updated while stub_callback
+			or refresh_callback were using it. [RT #26732]
 
 3313.	[protocol]	Add TLSA record type. [RT #28989]
 
@@ -180,7 +666,7 @@
 
 3310.	[test]		Increase table size for mutex profiling. [RT #28809]
 
-3309.	[bug]		resolver.c:fctx_finddone() was not threadsafe.
+3309.	[bug]		resolver.c:fctx_finddone() was not thread safe.
 			[RT #27995]
 
 3307.	[bug]		Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
@@ -396,7 +882,7 @@
 			have different serial numbers.
 
 			(Note: raw zonefiles generated by this version of
-			BIND are no longer compatble with prior versions.
+			BIND are no longer compatible with prior versions.
 			To generate a backward-compatible raw zonefile
 			using dnssec-signzone or named-compilezone, specify
 			output format "raw=0" instead of simply "raw".)
@@ -430,7 +916,7 @@
 3232.	[bug]		Zero zone->curmaster before return in
 			dns_zone_setmasterswithkeys(). [RT #26732]
 
-3231.	[bug]		named could fail to send a uncompressable zone.
+3231.	[bug]		named could fail to send a incompressible zone.
 			[RT #26796]
 
 3230.	[bug]		'dig axfr' failed to properly handle a multi-message
@@ -458,7 +944,7 @@
 3222.	[cleanup]	Replace dns_journal_{get,set}_bitws with
 			dns_journal_{get,set}_sourceserial. [RT #26634]
 
-3221.	[bug]		Fixed a potential coredump on shutdown due to
+3221.	[bug]		Fixed a potential core dump on shutdown due to
 			referencing fetch context after it's been freed.
 			[RT #26720]
 
@@ -498,7 +984,7 @@
 
 3209.	[func]		Add "dnssec-lookaside 'no'".  [RT #24858]
 
-3208.	[bug]		'dig -y' handle unknown tsig alorithm better.
+3208.	[bug]		'dig -y' handle unknown tsig algorithm better.
 			[RT #25522]
 
 3207.	[contrib]	Fixed build error in Berkeley DB DLZ module. [RT #26444]
@@ -506,7 +992,7 @@
 3206.	[cleanup]	Add ISC information to log at start time. [RT #25484]
 
 3205.	[func]		Upgrade dig's defaults to better reflect modern
-			nameserver behaviour.  Enable "dig +adflag" and
+			nameserver behavior.  Enable "dig +adflag" and
 			"dig +edns=0" by default.  Enable "+dnssec" when
 			running "dig +trace". [RT #23497]
 
@@ -517,7 +1003,7 @@
 3203.	[bug]		Increase log level to 'info' for validation failures
 			from expired or not-yet-valid RRSIGs. [RT #21796]
 
-3202.	[bug]		NOEDNS caching on timeout was too agressive.
+3202.	[bug]		NOEDNS caching on timeout was too aggressive.
 			[RT #26416]
 
 3201.	[func]		'rndc querylog' can now be given an on/off parameter
@@ -969,7 +1455,7 @@
 			key.  When possible, automatic signing will use that
 			TTL when the key is published.  [RT #23304]
 
-3075.	[bug]		dns_dnssec_findzonekeys{2} used a inconsistant
+3075.	[bug]		dns_dnssec_findzonekeys{2} used a inconsistent
 			timestamp when determining which keys are active.
 			[RT #23642]
 
@@ -983,7 +1469,7 @@
 3072.	[bug]		dns_dns64_aaaaok() potential NULL pointer dereference.
 			[RT #20256]
 
-3071.	[bug]		has_nsec could be used unintialised in
+3071.	[bug]		has_nsec could be used uninitialized in
 			update.c:next_active. [RT #20256]
 
 3070.	[bug]		dnssec-signzone potential NULL pointer dereference.
@@ -1052,7 +1538,7 @@
 
 3052.	[test]		Fixed last autosign test report. [RT #23256]
 
-3051.	[bug]		NS records obsure DNAME records at the bottom of the
+3051.	[bug]		NS records obscure DNAME records at the bottom of the
 			zone if both are present. [RT #23035]
 
 3050.	[bug]		The autosign system test was timing dependent.
@@ -1062,7 +1548,7 @@
 3049.	[bug]		Save and restore the gid when creating creating
 			named.pid at startup. [RT #23290]
 
-3048.	[bug]		Fully separate view key mangement. [RT #23419]
+3048.	[bug]		Fully separate view key management. [RT #23419]
 
 3047.	[bug]		DNSKEY NODATA responses not cached fixed in
 			validator.c. Tests added to dnssec system test.
@@ -1402,7 +1888,7 @@
 			no data response. [RT #21744]
 
 2952.	[port]		win32: named-checkzone and named-checkconf failed
-			to initialise winsock. [RT #21932]
+			to initialize winsock. [RT #21932]
 
 2951.	[bug]		named failed to generate a correct signed response
 			in a optout, delegation only zone with no secure
@@ -1448,7 +1934,7 @@
 			in use. [RT# 21868]
 
 2938.	[bug]		When generating signed responses, from a signed zone
-			that uses NSEC3, named would use a uninitialised
+			that uses NSEC3, named would use a uninitialized
 			pointer if it needed to skip a NSEC3 record because
 			it didn't match the selected NSEC3PARAM record for
 			zone. [RT# 21868]
@@ -1502,7 +1988,7 @@
 			revisit the issue and complete the fix later.
 			[RT #21710]
 
-2930.	[experimental]	New "rndc addzone" and "rndc delzone" commads
+2930.	[experimental]	New "rndc addzone" and "rndc delzone" commands
 			allow dynamic addition and deletion of zones.
 			To enable this feature, specify a "new-zone-file"
 			option at the view or options level in named.conf.
@@ -1678,7 +2164,7 @@
 			successfully responds to the query using plain DNS.
 			[RT #20930]
 
-2873.	[bug]		Cancelling a dynamic update via the dns/client module
+2873.	[bug]		Canceling a dynamic update via the dns/client module
 			could trigger an assertion failure. [RT #21133]
 
 2872.	[bug]		Modify dns/client.c:dns_client_createx() to only
@@ -1720,7 +2206,7 @@
 
 2860.	[bug]		named-checkconf's usage was out of date. [RT #21039]
 
-2859.	[bug]		When cancelling validation it was possible to leak
+2859.	[bug]		When canceling validation it was possible to leak
 			memory. [RT #20800]
 
 2858.	[bug]		RTT estimates were not being adjusted on ICMP errors.
@@ -2273,7 +2759,7 @@
 
 2695.	[func]		DHCP/DDNS - update fdwatch code for use by
 			DHCP.  Modify the api to isc_sockfdwatch_t (the
-			callback functon for isc_socket_fdwatchcreate)
+			callback function for isc_socket_fdwatchcreate)
 			to include information about the direction (read
 			or write) and add isc_socket_fdwatchpoke.
 			[RT #20253]
@@ -2338,7 +2824,7 @@
 			  sets the time when a key is no longer used for
 			  signing but is still published.
 			- The "unpublished" date (-U) is deprecated in
-			  favour of "deleted" (-D).
+			  favor of "deleted" (-D).
 			[RT #20247]
 
 2676.	[bug]		--with-export-installdir should have been
@@ -2784,7 +3270,7 @@
 
 2553.	[bug]		Reference leak on DNSSEC validation errors. [RT #19291]
 
-2552.	[bug]		zero-no-soa-ttl-cache was not being honoured.
+2552.	[bug]		zero-no-soa-ttl-cache was not being honored.
 			[RT #19340]
 
 2551.	[bug]		Potential Reference leak on return. [RT #19341]
@@ -2837,7 +3323,7 @@
 
 2534.	[func]		Check NAPTR records regular expressions and
 			replacement strings to ensure they are syntactically
-			valid and consistant. [RT #18168]
+			valid and consistent. [RT #18168]
 
 2533.	[doc]		ARM: document @ (at-sign). [RT #17144]
 
--- a/external/bsd/bind/dist/REDIRECT-NOTES	Sat Jul 27 19:22:10 2013 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,35 +0,0 @@
-Redirect zones are used to find answers to queries when normal resolution
-would result in NXDOMAIN being returned.  Only one redirect zone per view
-is currently supported.
-
-To redirect to 100.100.100.2 and 2001:ffff:ffff::100.100.100.2 on NXDOMAIN
-one would configure the redirect zone like this.
-
-zone "." {
-	type redirect;
-	file "redirect.db";
-};
-
-redirect.db:
-$TTL 300
-@ IN SOA ns.example.net hostmaster.example.net 0 0 0 0 0
-@ IN NS ns.example.net
-;
-; NS records do not need address records in this zone as it is not in the
-; normal namespace.
-;
-*. IN A 100.100.100.2
-*. IN AAAA 2001:ffff:ffff::100.100.100.2
-
-To redirect all Spanish names (under .ES) one would use entries like these:
-
-*.ES. IN A 100.100.100.3
-*.ES. IN AAAA 2001:ffff:ffff::100.100.100.3
-
-To redirect all commercial Spanish names (under COM.ES) one would use
-entries like these:
-*.COM.ES. IN A 100.100.100.4
-*.COM.ES. IN AAAA 2001:ffff:ffff::100.100.100.4
-
-The redirect zone supports all possible types.  It is not limited to
-A and AAAA record.
--- a/external/bsd/bind/dist/bin/check/check-tool.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/check/check-tool.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: check-tool.c,v 1.4 2012/12/04 23:38:38 spz Exp $	*/
+/*	$NetBSD: check-tool.c,v 1.5 2013/07/27 19:23:09 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -198,6 +198,10 @@
 		a->type == dns_rdatatype_a);
 	REQUIRE(aaaa == NULL || !dns_rdataset_isassociated(aaaa) ||
 		aaaa->type == dns_rdatatype_aaaa);
+
+	if (a == NULL || aaaa == NULL)
+		return (answer);
+
 	memset(&hints, 0, sizeof(hints));
 	hints.ai_flags = AI_CANONNAME;
 	hints.ai_family = PF_UNSPEC;
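Review bot: The relocated early return has no comment, and in its new position it skips the getaddrinfo() lookup whenever either rdataset pointer is NULL, not only when both are. A comment would record the intent, for example `/* Both rdatasets are needed for the comparison below; skip the lookup otherwise. */`. Whether any caller passes only one of the two is not visible in this hunk, and the function starts and ends outside it.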
@@ -260,8 +264,7 @@
 		}
 		return (ISC_TRUE);
 	}
-	if (a == NULL || aaaa == NULL)
-		return (answer);
+
 	/*
 	 * Check that all glue records really exist.
 	 */
@@ -599,7 +602,7 @@
 
 	dns_zone_settype(zone, dns_zone_master);
 
-	isc_buffer_init(&buffer, zonename, strlen(zonename));
+	isc_buffer_constinit(&buffer, zonename, strlen(zonename));
 	isc_buffer_add(&buffer, strlen(zonename));
 	dns_fixedname_init(&fixorigin);
 	origin = dns_fixedname_name(&fixorigin);
--- a/external/bsd/bind/dist/bin/check/named-checkconf.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/check/named-checkconf.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: named-checkconf.c,v 1.5 2013/03/24 18:44:37 christos Exp $	*/
+/*	$NetBSD: named-checkconf.c,v 1.6 2013/07/27 19:23:09 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2007, 2009-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009-2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -297,6 +297,18 @@
 	}
 
 	obj = NULL;
+	if (get_maps(maps, "check-spf", &obj)) {
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			zone_options |= DNS_ZONEOPT_CHECKSPF;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			zone_options &= ~DNS_ZONEOPT_CHECKSPF;
+		} else
+			INSIST(0);
+	} else {
+		zone_options |= DNS_ZONEOPT_CHECKSPF;
+	}
+
+	obj = NULL;
 	if (get_checknames(maps, &obj)) {
 		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
 			zone_options |= DNS_ZONEOPT_CHECKNAMES;
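Review bot: The final `else` of the inner chain is unbraced while both branches before it are braced, and `INSIST(0)` carries no explanation. Writing it as `} else { INSIST(0); }` keeps the block uniform. A comment such as `/* the parser only accepts "warn" or "ignore" */` would say why the assertion cannot fire, once that is confirmed against the option grammar, which is not in this hunk. A comment on the outer `else` noting that an absent check-spf defaults to warn would match the `-T` description added to named-checkzone.8.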
@@ -474,6 +486,7 @@
 			if (isc_commandline_option != '?')
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
+			/* FALLTHROUGH */
 		case 'h':
 			usage();
 
--- a/external/bsd/bind/dist/bin/check/named-checkzone.8	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/check/named-checkzone.8	Sat Jul 27 19:23:09 2013 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: named-checkzone.8,v 1.3 2012/06/05 00:38:49 christos Exp $
+.\"	$NetBSD: named-checkzone.8,v 1.4 2013/07/27 19:23:09 christos Exp $
 .\"
-.\" Copyright (C) 2004-2007, 2009-2011 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007, 2009-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2002 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -35,9 +35,9 @@
 named\-checkzone, named\-compilezone \- zone file validity checking or converting tool
 .SH "SYNOPSIS"
 .HP 16
-\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
+\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
 .HP 18
-\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} {filename}
+\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} {filename}
 .SH "DESCRIPTION"
 .PP
 \fBnamed\-checkzone\fR
@@ -251,6 +251,14 @@
 so that include directives in the configuration file are processed as if run by a similarly chrooted named.
 .RE
 .PP
+\-T \fImode\fR
+.RS 4
+Check if Sender Policy Framework records (TXT and SPF) both exist or both don't exist. A warning is issued if they don't match. Possible modes are
+\fB"warn"\fR
+(default),
+\fB"ignore"\fR.
+.RE
+.PP
 \-w \fIdirectory\fR
 .RS 4
 chdir to
@@ -296,7 +304,7 @@
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2007, 2009\-2011 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2007, 2009\-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000\-2002 Internet Software Consortium.
 .br
--- a/external/bsd/bind/dist/bin/check/named-checkzone.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/check/named-checkzone.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: named-checkzone.c,v 1.4 2013/03/24 18:44:37 christos Exp $	*/
+/*	$NetBSD: named-checkzone.c,v 1.5 2013/07/27 19:23:09 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -156,19 +156,21 @@
 	if (progmode == progmode_compile) {
 		zone_options |= (DNS_ZONEOPT_CHECKNS |
 				 DNS_ZONEOPT_FATALNS |
+				 DNS_ZONEOPT_CHECKSPF |
 				 DNS_ZONEOPT_CHECKDUPRR |
 				 DNS_ZONEOPT_CHECKNAMES |
 				 DNS_ZONEOPT_CHECKNAMESFAIL |
 				 DNS_ZONEOPT_CHECKWILDCARD);
 	} else
-		zone_options |= DNS_ZONEOPT_CHECKDUPRR;
+		zone_options |= (DNS_ZONEOPT_CHECKDUPRR |
+				 DNS_ZONEOPT_CHECKSPF);
 
 #define ARGCMP(X) (strcmp(isc_commandline_argument, X) == 0)
 
 	isc_commandline_errprint = ISC_FALSE;
 
 	while ((c = isc_commandline_parse(argc, argv,
-			       "c:df:hi:jk:L:m:n:qr:s:t:o:vw:DF:M:S:W:"))
+			       "c:df:hi:jk:L:m:n:qr:s:t:o:vw:DF:M:S:T:W:"))
 	       != EOF) {
 		switch (c) {
 		case 'c':
@@ -385,6 +387,18 @@
 			}
 			break;
 
+		case 'T':
+			if (ARGCMP("warn")) {
+				zone_options |= DNS_ZONEOPT_CHECKSPF;
+			} else if (ARGCMP("ignore")) {
+				zone_options &= ~DNS_ZONEOPT_CHECKSPF;
+			} else {
+				fprintf(stderr, "invalid argument to -T: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+
 		case 'W':
 			if (ARGCMP("warn"))
 				zone_options |= DNS_ZONEOPT_CHECKWILDCARD;
@@ -396,6 +410,7 @@
 			if (isc_commandline_option != '?')
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					prog_name, isc_commandline_option);
+			/* FALLTHROUGH */
 		case 'h':
 			usage();
 
--- a/external/bsd/bind/dist/bin/confgen/keygen.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/confgen/keygen.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: keygen.c,v 1.3 2012/06/05 00:38:51 christos Exp $	*/
+/*	$NetBSD: keygen.c,v 1.4 2013/07/27 19:23:09 christos Exp $	*/
 
 /*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -128,13 +128,17 @@
 
 	switch (alg) {
 	    case DST_ALG_HMACMD5:
+	    case DST_ALG_HMACSHA1:
+	    case DST_ALG_HMACSHA224:
+	    case DST_ALG_HMACSHA256:
 		if (keysize < 1 || keysize > 512)
 			fatal("keysize %d out of range (must be 1-512)\n",
 			      keysize);
 		break;
-	    case DST_ALG_HMACSHA256:
-		if (keysize < 1 || keysize > 256)
-			fatal("keysize %d out of range (must be 1-256)\n",
+	    case DST_ALG_HMACSHA384:
+	    case DST_ALG_HMACSHA512:
+		if (keysize < 1 || keysize > 1024)
+			fatal("keysize %d out of range (must be 1-1024)\n",
 			      keysize);
 		break;
 	    default:
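Review bot: Both range checks in this switch still accept a keysize of 1, so a key of only a few bits passes validation for every HMAC algorithm listed; only the upper bounds were adjusted. RFC 2104 discourages HMAC keys shorter than the hash output length, so a floor or at least a warning is worth adding, for example `if (keysize < 128) fprintf(stderr, "warning: keysize %d is shorter than recommended\n", keysize);` (the threshold is a constructed example). The same commit drops the 1-512 check from the `-b` handling in rndc-confgen.c, which would leave this switch as the remaining bound for that tool if it calls into this code; that call path is not visible here. The switch sits in a function whose start and end are outside the hunk.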
--- a/external/bsd/bind/dist/bin/confgen/rndc-confgen.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/confgen/rndc-confgen.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: rndc-confgen.c,v 1.5 2013/03/24 18:44:37 christos Exp $	*/
+/*	$NetBSD: rndc-confgen.c,v 1.6 2013/07/27 19:23:09 christos Exp $	*/
 
 /*
- * Copyright (C) 2004, 2005, 2007-2009, 2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009, 2011, 2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -143,8 +143,6 @@
 			keysize = strtol(isc_commandline_argument, &p, 10);
 			if (*p != '\0' || keysize < 0)
 				fatal("-b requires a non-negative number");
-			if (keysize < 1 || keysize > 512)
-				fatal("-b must be in the range 1 through 512");
 			break;
 		case 'c':
 			keyfile = isc_commandline_argument;
--- a/external/bsd/bind/dist/bin/dig/dig.1	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/dig/dig.1	Sat Jul 27 19:23:09 2013 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: dig.1,v 1.4 2012/06/05 00:38:52 christos Exp $
+.\"	$NetBSD: dig.1,v 1.5 2013/07/27 19:23:09 christos Exp $
 .\"
-.\" Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -59,7 +59,9 @@
 Unless it is told to query a specific name server,
 \fBdig\fR
 will try each of the servers listed in
-\fI/etc/resolv.conf\fR.
+\fI/etc/resolv.conf\fR. If no usable server addreses are found,
+\fBdig\fR
+will send the query to the local host.
 .PP
 When no command line arguments or options are given,
 \fBdig\fR
@@ -97,13 +99,20 @@
 \fIserver\fR
 argument is a hostname,
 \fBdig\fR
-resolves that name before querying that name server. If no
+resolves that name before querying that name server.
+.sp
+If no
 \fIserver\fR
 argument is provided,
 \fBdig\fR
 consults
-\fI/etc/resolv.conf\fR
-and queries the name servers listed there. The reply from the name server that responds is displayed.
+\fI/etc/resolv.conf\fR; if an address is found there, it queries the name server at that address. If either of the
+\fB\-4\fR
+or
+\fB\-6\fR
+options are in use, then only addresses for the corresponding transport will be tried. If no usable addresses are found,
+\fBdig\fR
+will send the query to the local host. The reply from the name server that responds is displayed.
 .RE
 .PP
 \fBname\fR
@@ -590,7 +599,7 @@
 .PP
 There are probably too many query options.
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2011 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000\-2003 Internet Software Consortium.
 .br
--- a/external/bsd/bind/dist/bin/dig/dig.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/dig/dig.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dig.c,v 1.5 2013/03/24 18:44:37 christos Exp $	*/
+/*	$NetBSD: dig.c,v 1.6 2013/07/27 19:23:09 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -190,7 +190,7 @@
 "                 +domain=###         (Set default domainname)\n"
 "                 +bufsize=###        (Set EDNS0 Max UDP packet size)\n"
 "                 +ndots=###          (Set NDOTS value)\n"
-"                 +edns=###           (Set EDNS version) [0]\n"
+"                 +[no]edns[=###]     (Set EDNS version) [0]\n"
 "                 +[no]search         (Set whether to use searchlist)\n"
 "                 +[no]showsearch     (Search with intermediate results)\n"
 "                 +[no]defname        (Ditto)\n"
@@ -247,6 +247,8 @@
 	isc_uint64_t diff;
 	isc_time_t now;
 	time_t tnow;
+	struct tm tmnow;
+	char time_str[100];
 	char fromtext[ISC_SOCKADDR_FORMATSIZE];
 
 	isc_sockaddr_format(from, fromtext, sizeof(fromtext));
@@ -258,7 +260,10 @@
 		printf(";; Query time: %ld msec\n", (long int)diff/1000);
 		printf(";; SERVER: %s(%s)\n", fromtext, query->servname);
 		time(&tnow);
-		printf(";; WHEN: %s", ctime(&tnow));
+		tmnow  = *localtime(&tnow);
+		if (strftime(time_str, sizeof(time_str),
+			     "%a %b %d %H:%M:%S %Z %Y", &tmnow) > 0U)
+			printf(";; WHEN: %s\n", time_str);
 		if (query->lookup->doing_xfr) {
 			printf(";; XFR size: %u records (messages %u, "
 			       "bytes %" ISC_PRINT_QUADFORMAT "u)\n",
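Review bot: `tmnow  = *localtime(&tnow);` dereferences the return value of localtime() without a NULL check, and localtime() returns NULL when the conversion fails. Keep the pointer and test it before formatting: `struct tm *tp = localtime(&tnow);` followed by `if (tp != NULL && strftime(time_str, sizeof(time_str), "%a %b %d %H:%M:%S %Z %Y", tp) > 0U)`. When strftime() returns 0 the `;; WHEN:` line is dropped silently, which scripts parsing dig output may notice because the ctime() version always printed it. An else branch printing a fallback would keep the line present. The enclosing function starts and ends outside this hunk.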
@@ -266,7 +271,6 @@
 			       query->byte_count);
 		} else {
 			printf(";; MSG SIZE  rcvd: %u\n", bytes);
-
 		}
 		if (key != NULL) {
 			if (!validated)
@@ -283,7 +287,7 @@
 		       "from %s(%s) in %d ms\n\n",
 		       query->lookup->doing_xfr ?
 				query->byte_count : (isc_uint64_t)bytes,
-		       fromtext, query->servname,
+		       fromtext, query->userarg,
 		       (int)diff/1000);
 	}
 }
@@ -546,6 +550,13 @@
 				printf(";; WARNING: recursion requested "
 				       "but not available\n");
 		}
+		if (msg != query->lookup->sendmsg &&
+		    query->lookup->edns != -1 && msg->opt == NULL &&
+		    (msg->rcode == dns_rcode_formerr ||
+		     msg->rcode == dns_rcode_notimp))
+			printf("\n;; WARNING: EDNS query returned status "
+			       "%s - retry with '+noedns'\n",
+			       rcode_totext(msg->rcode));
 		if (msg != query->lookup->sendmsg && extrabytes != 0U)
 			printf(";; WARNING: Messages has %u extra byte%s at "
 			       "end\n", extrabytes, extrabytes != 0 ? "s" : "");
@@ -877,8 +888,10 @@
 			lookup->edns = -1;
 			break;
 		}
-		if (value == NULL)
-			goto need_value;
+		if (value == NULL) {
+			lookup->edns = 0;
+			break;
+		}
 		result = parse_uint(&num, value, 255, "edns");
 		if (result != ISC_R_SUCCESS)
 			fatal("Couldn't parse edns");
--- a/external/bsd/bind/dist/bin/dig/dighost.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/dig/dighost.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dighost.c,v 1.9 2012/06/05 00:38:53 christos Exp $	*/
+/*	$NetBSD: dighost.c,v 1.10 2013/07/27 19:23:09 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -793,6 +793,7 @@
 	looknew->need_search = ISC_FALSE;
 	ISC_LINK_INIT(looknew, link);
 	ISC_LIST_INIT(looknew->q);
+	ISC_LIST_INIT(looknew->connecting);
 	ISC_LIST_INIT(looknew->my_server_list);
 	return (looknew);
 }
@@ -814,11 +815,11 @@
 
 	looknew = make_empty_lookup();
 	INSIST(looknew != NULL);
-	strncpy(looknew->textname, lookold->textname, MXNAME);
+	strlcpy(looknew->textname, lookold->textname, MXNAME);
 #if DIG_SIGCHASE_TD
-	strncpy(looknew->textnamesigchase, lookold->textnamesigchase, MXNAME);
+	strlcpy(looknew->textnamesigchase, lookold->textnamesigchase, MXNAME);
 #endif
-	strncpy(looknew->cmdline, lookold->cmdline, MXNAME);
+	strlcpy(looknew->cmdline, lookold->cmdline, MXNAME);
 	looknew->textname[MXNAME-1] = 0;
 	looknew->rdtype = lookold->rdtype;
 	looknew->qrdtype = lookold->qrdtype;
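Review bot: The three strlcpy() calls pass `MXNAME` as the size rather than the size of the destination, so they are safe only if `textname`, `textnamesigchase` and `cmdline` are each declared with at least MXNAME bytes, which this hunk does not show. If these are arrays, `strlcpy(looknew->textname, lookold->textname, sizeof(looknew->textname));` ties the bound to the object, as the later `lookup->textname` hunk in this file already does. It also makes the following `looknew->textname[MXNAME-1] = 0;` redundant, since strlcpy() always terminates. The same applies to the `search->origin`, `current_lookup->textnamesigchase`, `current_lookup->textname` and `namestr` hunks further down. The return value is ignored in all of them, so an over-long name is truncated silently.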
@@ -995,7 +996,7 @@
 	len = strlen(hmac);
 	if (len >= (int) sizeof(buf))
 		fatal("unknown key type '%.*s'", len, hmac);
-	strncpy(buf, hmac, sizeof(buf));
+	strlcpy(buf, hmac, sizeof(buf));
 
 	digestbits = 0;
 
@@ -1077,8 +1078,8 @@
 	secretstr = cfg_obj_asstring(secretobj);
 	algorithm = cfg_obj_asstring(algorithmobj);
 
-	strncpy(keynametext, keyname, sizeof(keynametext));
-	strncpy(keysecret, secretstr, sizeof(keysecret));
+	strlcpy(keynametext, keyname, sizeof(keynametext));
+	strlcpy(keysecret, secretstr, sizeof(keysecret));
 	parse_hmac(algorithm);
 	setup_text_key();
 
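Review bot: `strlcpy(keysecret, secretstr, sizeof(keysecret));` truncates an over-long secret silently, so a key file whose secret exceeds the buffer would be used with something other than the configured key. As far as this hunk shows, that would surface only later as a decoding or signature failure. Check the return value and stop, in the style this file already uses: `if (strlcpy(keysecret, secretstr, sizeof(keysecret)) >= sizeof(keysecret)) fatal("key secret too long");`, and likewise for `keynametext`. The message text is a suggestion; the enclosing function starts outside the hunk.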
@@ -1161,7 +1162,7 @@
 	if (search == NULL)
 		fatal("memory allocation failure in %s:%d",
 		      __FILE__, __LINE__);
-	strncpy(search->origin, domain, MXNAME);
+	strlcpy(search->origin, domain, MXNAME);
 	search->origin[MXNAME-1] = 0;
 	ISC_LINK_INIT(search, link);
 	return (search);
@@ -1470,7 +1471,10 @@
 	if (lookup->current_query == query)
 		lookup->current_query = NULL;
 
-	ISC_LIST_UNLINK(lookup->q, query, link);
+	if (ISC_LINK_LINKED(query, link))
+		ISC_LIST_UNLINK(lookup->q, query, link);
+	if (ISC_LINK_LINKED(query, clink))
+		ISC_LIST_UNLINK(lookup->connecting, query, clink);
 	if (ISC_LINK_LINKED(&query->recvbuf, link))
 		ISC_LIST_DEQUEUE(query->recvlist, &query->recvbuf,
 				 link);
@@ -1478,6 +1482,7 @@
 		ISC_LIST_DEQUEUE(query->lengthlist, &query->lengthbuf,
 				 link);
 	INSIST(query->recvspace != NULL);
+
 	if (query->sock != NULL) {
 		isc_socket_detach(&query->sock);
 		sockcount--;
@@ -1505,13 +1510,22 @@
 
 	debug("try_clear_lookup(%p)", lookup);
 
-	if (ISC_LIST_HEAD(lookup->q) != NULL) {
+	if (ISC_LIST_HEAD(lookup->q) != NULL ||
+	    ISC_LIST_HEAD(lookup->connecting) != NULL)
+	{
 		if (debugging) {
 			q = ISC_LIST_HEAD(lookup->q);
 			while (q != NULL) {
 				debug("query to %s still pending", q->servname);
 				q = ISC_LIST_NEXT(q, link);
 			}
+
+			q = ISC_LIST_HEAD(lookup->connecting);
+			while (q != NULL) {
+				debug("query to %s still connecting",
+				      q->servname);
+				q = ISC_LIST_NEXT(q, clink);
+			}
 		}
 		return (ISC_FALSE);
 	}
@@ -1639,7 +1653,7 @@
 				= current_lookup->rdclassset;
 			current_lookup->rdclass = dns_rdataclass_in;
 
-			strncpy(current_lookup->textnamesigchase,
+			strlcpy(current_lookup->textnamesigchase,
 				current_lookup->textname, MXNAME);
 
 			current_lookup->trace_root_sigchase = ISC_TRUE;
@@ -1651,7 +1665,7 @@
 			check_result(result, "dns_name_totext");
 			isc_buffer_usedregion(b, &r);
 			r.base[r.length] = '\0';
-			strncpy(current_lookup->textname, (char*)r.base,
+			strlcpy(current_lookup->textname, (char*)r.base,
 				MXNAME);
 			isc_buffer_free(&b);
 
@@ -2288,7 +2302,6 @@
 		query->rr_count = 0;
 		query->msg_count = 0;
 		query->byte_count = 0;
-		ISC_LINK_INIT(query, link);
 		ISC_LIST_INIT(query->recvlist);
 		ISC_LIST_INIT(query->lengthlist);
 		query->sock = NULL;
@@ -2301,6 +2314,7 @@
 		isc_buffer_init(&query->slbuf, query->slspace, 2);
 		query->sendbuf = lookup->renderbuf;
 
+		ISC_LINK_INIT(query, clink);
 		ISC_LINK_INIT(query, link);
 		ISC_LIST_ENQUEUE(lookup->q, query, link);
 	}
@@ -2343,7 +2357,7 @@
 	query->waiting_senddone = ISC_FALSE;
 	l = query->lookup;
 
-	if (l->ns_search_only && !l->trace_root) {
+	if (l->ns_search_only && !l->trace_root && !l->tcp_mode) {
 		debug("sending next, since searching");
 		next = ISC_LIST_NEXT(query, link);
 		if (next != NULL)
@@ -2422,6 +2436,7 @@
 force_timeout(dig_lookup_t *l, dig_query_t *query) {
 	isc_event_t *event;
 
+	debug("force_timeout ()");
 	event = isc_event_allocate(mctx, query, ISC_TIMEREVENT_IDLE,
 				   connect_timeout, l,
 				   sizeof(isc_event_t));
@@ -2489,6 +2504,7 @@
 		send_tcp_connect(next);
 		return;
 	}
+
 	INSIST(query->sock == NULL);
 	result = isc_socket_create(socketmgr,
 				   isc_sockaddr_pf(&query->sockaddr),
@@ -2519,6 +2535,9 @@
 	if (l->ns_search_only && !l->trace_root) {
 		debug("sending next, since searching");
 		next = ISC_LIST_NEXT(query, link);
+		if (ISC_LINK_LINKED(query, link))
+			ISC_LIST_DEQUEUE(l->q, query, link);
+		ISC_LIST_ENQUEUE(l->connecting, query, clink);
 		if (next != NULL)
 			send_tcp_connect(next);
 	}
@@ -2599,7 +2618,7 @@
 static void
 connect_timeout(isc_task_t *task, isc_event_t *event) {
 	dig_lookup_t *l = NULL;
-	dig_query_t *query = NULL, *cq;
+	dig_query_t *query = NULL, *next, *cq;
 
 	UNUSED(task);
 	REQUIRE(event->ev_type == ISC_TIMEREVENT_IDLE);
@@ -2623,7 +2642,9 @@
 			if (query->sock != NULL)
 				isc_socket_cancel(query->sock, NULL,
 						  ISC_SOCKCANCEL_ALL);
-			send_tcp_connect(ISC_LIST_NEXT(cq, link));
+			next = ISC_LIST_NEXT(cq, link);
+			if (next != NULL)
+				send_tcp_connect(next);
 		}
 		UNLOCK_LOOKUP;
 		return;
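Review bot: The new `next != NULL` test does not cover a `cq` that is no longer on `l->q`. This commit makes send_tcp_connect() dequeue a query from `l->q` when `ns_search_only` is set. As far as I recall the ISC list macros, an unlinked element's `next` pointer is a -1 sentinel rather than NULL, so `ISC_LIST_NEXT(cq, link)` could return a non-NULL invalid pointer here. Guarding with the macro the commit already uses elsewhere would close that: `next = ISC_LINK_LINKED(cq, link) ? ISC_LIST_NEXT(cq, link) : NULL;`. The condition enclosing this branch is outside the hunk and may already exclude the case.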
@@ -2866,9 +2887,8 @@
 		if (next != NULL) {
 			bringup_timer(next, TCP_TIMEOUT);
 			send_tcp_connect(next);
-		} else {
+		} else
 			check_next_lookup(l);
-		}
 		UNLOCK_LOOKUP;
 		return;
 	}
@@ -3425,6 +3445,7 @@
 				if (n == 0)
 					docancel = ISC_TRUE;
 				l->trace_root = ISC_FALSE;
+				usesearch = ISC_FALSE;
 			} else
 #ifdef DIG_SIGCHASE
 				if (!do_sigchase)
@@ -3601,15 +3622,19 @@
  */
 void
 do_lookup(dig_lookup_t *lookup) {
+	dig_query_t *query;
 
 	REQUIRE(lookup != NULL);
 
 	debug("do_lookup()");
 	lookup->pending = ISC_TRUE;
-	if (lookup->tcp_mode)
-		send_tcp_connect(ISC_LIST_HEAD(lookup->q));
-	else
-		send_udp(ISC_LIST_HEAD(lookup->q));
+	query = ISC_LIST_HEAD(lookup->q);
+	if (query != NULL) {
+		if (lookup->tcp_mode)
+			send_tcp_connect(query);
+		else
+			send_udp(query);
+	}
 }
 
 /*%
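Review bot: When `lookup->q` is empty, do_lookup() now returns with `lookup->pending` set to ISC_TRUE and nothing sent, and this hunk shows nothing that would later clear or time out such a lookup. If that state is reachable, a trace line would help diagnose a stalled run: `else debug("do_lookup(): no queries to send");`. A short comment on the NULL test naming the caller that can present an empty list would also help the next reader.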
@@ -4081,7 +4106,7 @@
 	check_result(result, "dns_name_totext");
 	isc_buffer_usedregion(b, &r);
 	r.base[r.length] = '\0';
-	strcpy(lookup->textname, (char*)r.base);
+	strlcpy(lookup->textname, (char*)r.base, sizeof(lookup->textname));
 	isc_buffer_free(&b);
 
 	if (type ==  dns_rdatatype_rrsig)
@@ -4206,7 +4231,7 @@
 			return (ISC_R_NOMEMORY);
 
 		memset(tempnamekey, 0, tempnamekeylen);
-		strncpy(tempnamekey, tempname, tempnamelen);
+		strlcpy(tempnamekey, tempname, tempnamelen);
 		strcat(tempnamekey ,".key");
 
 
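Review bot: The size passed to the new `strlcpy` is `tempnamelen`, which by its name belongs to the source, not `tempnamekeylen`, the size the destination was cleared with two lines earlier. `strlcpy` copies at most size-1 bytes, so if `tempnamelen` is the exact string length of `tempname` (its definition is outside the hunk), the last character is now dropped where `strncpy` kept it. The following `strcat` is also unbounded. Sizing both calls by the destination avoids relying on how the two lengths relate: `strlcpy(tempnamekey, tempname, tempnamekeylen);` and `strlcat(tempnamekey, ".key", tempnamekeylen);`.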
@@ -4340,7 +4365,7 @@
 	lookup->new_search = ISC_TRUE;
 	lookup->trace_root_sigchase = ISC_FALSE;
 
-	strncpy(lookup->textname, lookup->textnamesigchase, MXNAME);
+	strlcpy(lookup->textname, lookup->textnamesigchase, MXNAME);
 
 	lookup->rdtype = lookup->rdtype_sigchase;
 	lookup->rdtypeset = ISC_TRUE;
@@ -4399,7 +4424,7 @@
 				dns_rdata_totext(&aaaa, &ns.name, b);
 				isc_buffer_usedregion(b, &r);
 				r.base[r.length] = '\0';
-				strncpy(namestr, (char*)r.base,
+				strlcpy(namestr, (char*)r.base,
 					DNS_NAME_FORMATSIZE);
 				isc_buffer_free(&b);
 				dns_rdata_reset(&aaaa);
@@ -4428,7 +4453,7 @@
 				dns_rdata_totext(&a, &ns.name, b);
 				isc_buffer_usedregion(b, &r);
 				r.base[r.length] = '\0';
-				strncpy(namestr, (char*)r.base,
+				strlcpy(namestr, (char*)r.base,
 					DNS_NAME_FORMATSIZE);
 				isc_buffer_free(&b);
 				dns_rdata_reset(&a);
@@ -4607,7 +4632,6 @@
 {
 	isc_result_t result;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dst_key_t *trustedKey = NULL;
 	dst_key_t *dnsseckey = NULL;
 	int i;
 
@@ -4651,10 +4675,6 @@
 			dst_key_free(&dnsseckey);
 	} while (dns_rdataset_next(rdataset) == ISC_R_SUCCESS);
 
-	if (trustedKey != NULL)
-		dst_key_free(&trustedKey);
-	trustedKey = NULL;
-
 	return (ISC_R_NOTFOUND);
 }
 
--- a/external/bsd/bind/dist/bin/dig/host.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/dig/host.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: host.c,v 1.5 2013/03/24 18:44:37 christos Exp $	*/
+/*	$NetBSD: host.c,v 1.6 2013/07/27 19:23:09 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2007, 2009-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009-2012  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -449,10 +449,18 @@
 	if (msg->rcode != 0) {
 		char namestr[DNS_NAME_FORMATSIZE];
 		dns_name_format(query->lookup->name, namestr, sizeof(namestr));
-		printf("Host %s not found: %d(%s)\n",
-		       (msg->rcode != dns_rcode_nxdomain) ? namestr :
-		       query->lookup->textname, msg->rcode,
-		       rcode_totext(msg->rcode));
+
+		if (query->lookup->identify_previous_line)
+			printf("Nameserver %s:\n\t%s not found: %d(%s)\n",
+			       query->servname,
+			       (msg->rcode != dns_rcode_nxdomain) ? namestr :
+			       query->lookup->textname, msg->rcode,
+			       rcode_totext(msg->rcode));
+		else
+			printf("Host %s not found: %d(%s)\n",
+			       (msg->rcode != dns_rcode_nxdomain) ? namestr :
+			       query->lookup->textname, msg->rcode,
+			       rcode_totext(msg->rcode));
 		return (ISC_R_SUCCESS);
 	}
 
--- a/external/bsd/bind/dist/bin/dig/include/dig/dig.h	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/dig/include/dig/dig.h	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dig.h,v 1.6 2012/06/05 00:38:55 christos Exp $	*/
+/*	$NetBSD: dig.h,v 1.7 2013/07/27 19:23:09 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2009, 2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -170,6 +170,7 @@
 	dns_name_t *oname;
 	ISC_LINK(dig_lookup_t) link;
 	ISC_LIST(dig_query_t) q;
+	ISC_LIST(dig_query_t) connecting;
 	dig_query_t *current_query;
 	dig_serverlist_t my_server_list;
 	dig_searchlist_t *origin;
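Review bot: The new `connecting` list here, and the matching `clink` link added to the query structure in the next hunk, carry no comment explaining how they relate to the existing `q`/`link` pair. A short note on each would help, for example `/* queries with a TCP connect in progress, linked through clink */`; this wording is inferred from the dighost.c hunk that moves a query from `q` to `connecting` and should be confirmed. Both members also need `ISC_LIST_INIT`/`ISC_LINK_INIT` wherever lookups and queries are created, which is outside this view and worth checking.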
@@ -216,6 +217,7 @@
 		slspace[4];
 	isc_socket_t *sock;
 	ISC_LINK(dig_query_t) link;
+	ISC_LINK(dig_query_t) clink;
 	isc_sockaddr_t sockaddr;
 	isc_time_t time_sent;
 	isc_uint64_t byte_count;
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dnssec-dsfromkey.c,v 1.6 2013/03/24 18:44:38 christos Exp $	*/
+/*	$NetBSD: dnssec-dsfromkey.c,v 1.7 2013/07/27 19:23:09 christos Exp $	*/
 
 /*
  * Copyright (C) 2008-2012  Internet Systems Consortium, Inc. ("ISC")
@@ -286,7 +286,9 @@
 		}
 	}
 
-	result = dns_rdata_totext(&ds, (dns_name_t *) NULL, &textb);
+	result = dns_rdata_tofmttext(&ds, (dns_name_t *) NULL, 0, 0, 0, "",
+				     &textb);
+
 	if (result != ISC_R_SUCCESS)
 		fatal("can't print rdata");
 
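Review bot: The four literal arguments `0, 0, 0, ""` in the new `dns_rdata_tofmttext()` call are not self-explanatory, and nothing says why the call replaced `dns_rdata_totext()`. A one-line comment above the call would document the intent, for example `/* flags 0, width 0, split_width 0, empty linebreak: keep the DS record on a single line */`. The stated effect is inferred from the argument positions and should be confirmed against the function's header.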
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dnssec-keyfromlabel.c,v 1.9 2013/03/24 18:44:38 christos Exp $	*/
+/*	$NetBSD: dnssec-keyfromlabel.c,v 1.10 2013/07/27 19:23:09 christos Exp $	*/
 
 /*
  * Copyright (C) 2007-2012  Internet Systems Consortium, Inc. ("ISC")
@@ -368,6 +368,8 @@
 		fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
 				"If you still wish to use RSA (RSAMD5) please "
 				"specify \"-a RSAMD5\"\n");
+		if (freeit != NULL)
+			free(freeit);
 		return (1);
 	} else {
 		r.base = algname;
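Review bot: The `if (freeit != NULL)` guard around the added `free(freeit);` is redundant, since `free(NULL)` is defined to do nothing. A bare `free(freeit);` is enough. The same error branch in dnssec-keygen.c asserts `INSIST(freeit == NULL)` instead, so a brief comment on why the two tools differ here would help the next merge.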
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dnssec-keygen.c,v 1.10 2013/03/24 18:44:38 christos Exp $	*/
+/*	$NetBSD: dnssec-keygen.c,v 1.11 2013/07/27 19:23:09 christos Exp $	*/
 
 /*
- * Portions Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -538,6 +538,7 @@
 					"recommended.\nIf you still wish to "
 					"use RSA (RSAMD5) please specify "
 					"\"-a RSAMD5\"\n");
+			INSIST(freeit == NULL);
 			return (1);
 		} else if (strcasecmp(algname, "HMAC-MD5") == 0)
 			alg = DST_ALG_HMACMD5;
@@ -964,8 +965,15 @@
 				dst_key_settime(key, DST_TIME_INACTIVE,
 						inactive);
 
-			if (setdel)
+			if (setdel) {
+				if (setinact && delete < inactive)
+					fprintf(stderr, "%s: warning: Key is "
+						"scheduled to be deleted "
+						"before it is scheduled to be "
+						"made inactive.\n",
+						program);
 				dst_key_settime(key, DST_TIME_DELETE, delete);
+			}
 		} else {
 			if (setpub || setact || setrev || setinact ||
 			    setdel || unsetpub || unsetact ||
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-revoke.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-revoke.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dnssec-revoke.c,v 1.4 2013/03/24 18:44:38 christos Exp $	*/
+/*	$NetBSD: dnssec-revoke.c,v 1.5 2013/07/27 19:23:09 christos Exp $	*/
 
 /*
- * Copyright (C) 2009-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009-2012  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -22,7 +22,6 @@
 
 #include <config.h>
 
-#include <libgen.h>
 #include <stdlib.h>
 #include <unistd.h>
 
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-settime.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-settime.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dnssec-settime.c,v 1.6 2013/03/24 18:44:38 christos Exp $	*/
+/*	$NetBSD: dnssec-settime.c,v 1.7 2013/07/27 19:23:09 christos Exp $	*/
 
 /*
- * Copyright (C) 2009-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009-2013  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -22,7 +22,6 @@
 
 #include <config.h>
 
-#include <libgen.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <errno.h>
@@ -144,6 +143,7 @@
 	dns_ttl_t	ttl = 0;
 	isc_stdtime_t	now;
 	isc_stdtime_t	pub = 0, act = 0, rev = 0, inact = 0, del = 0;
+	isc_stdtime_t	prevact = 0, previnact = 0, prevdel = 0;
 	isc_boolean_t	setpub = ISC_FALSE, setact = ISC_FALSE;
 	isc_boolean_t	setrev = ISC_FALSE, setinact = ISC_FALSE;
 	isc_boolean_t	setdel = ISC_FALSE, setttl = ISC_FALSE;
@@ -356,7 +356,6 @@
 
 	if (predecessor != NULL) {
 		char keystr[DST_KEY_FORMATSIZE];
-		isc_stdtime_t when;
 		int major, minor;
 
 		if (prepub == -1)
@@ -388,19 +387,20 @@
 			fatal("Predecessor has incompatible format "
 			      "version %d.%d\n\t", major, minor);
 
-		result = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &when);
+		result = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &prevact);
 		if (result != ISC_R_SUCCESS)
 			fatal("Predecessor has no activation date. "
 			      "You must set one before\n\t"
 			      "generating a successor.");
 
-		result = dst_key_gettime(prevkey, DST_TIME_INACTIVE, &act);
+		result = dst_key_gettime(prevkey, DST_TIME_INACTIVE,
+					 &previnact);
 		if (result != ISC_R_SUCCESS)
 			fatal("Predecessor has no inactivation date. "
 			      "You must set one before\n\t"
 			      "generating a successor.");
 
-		pub = act - prepub;
+		pub = prevact - prepub;
 		if (pub < now && prepub != 0)
 			fatal("Predecessor will become inactive before the\n\t"
 			      "prepublication period ends.  Either change "
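Review bot: `pub = prevact - prepub;` now derives the successor's publication time from the predecessor's activation date. Before this change `act` received `DST_TIME_INACTIVE`, so `pub` was derived from the inactivation date, which is also what the fatal message just below ("Predecessor will become inactive before the prepublication period ends") describes. `act` is also no longer assigned anywhere in this hunk, while the next hunk still sets `setact = ISC_TRUE`, so the successor's activation time appears to stay at its initial value unless it is set outside the visible lines. If the old behaviour was intended, the lines should read `pub = previnact - prepub;` followed by `act = previnact;`.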
@@ -408,13 +408,18 @@
 			      "or use the -i option to set a shorter "
 			      "prepublication interval.");
 
-		result = dst_key_gettime(prevkey, DST_TIME_DELETE, &when);
+		result = dst_key_gettime(prevkey, DST_TIME_DELETE, &prevdel);
 		if (result != ISC_R_SUCCESS)
-			fprintf(stderr, "%s: WARNING: Predecessor has no "
+			fprintf(stderr, "%s: warning: Predecessor has no "
 					"removal date;\n\t"
 					"it will remain in the zone "
 					"indefinitely after rollover.\n",
 					program);
+		else if (prevdel < previnact)
+			fprintf(stderr, "%s: warning: Predecessor is "
+					"scheduled to be deleted\n\t"
+					"before it is scheduled to be "
+					"inactive.\n", program);
 
 		changed = setpub = setact = ISC_TRUE;
 		dst_key_free(&prevkey);
@@ -476,6 +481,20 @@
 			fatal("Key flags mismatch");
 	}
 
+	prevdel = previnact = 0;
+	if ((setdel && setinact && del < inact) ||
+	    (dst_key_gettime(key, DST_TIME_INACTIVE,
+			     &previnact) == ISC_R_SUCCESS &&
+	     setdel && !setinact && del < previnact) ||
+	    (dst_key_gettime(key, DST_TIME_DELETE,
+			     &prevdel) == ISC_R_SUCCESS &&
+	     setinact && !setdel && prevdel < inact) ||
+	    (!setdel && !setinact && prevdel < previnact))
+		fprintf(stderr, "%s: warning: Key is scheduled to "
+				"be deleted before it is\n\t"
+				"scheduled to be inactive.\n",
+			program);
+
 	if (force)
 		set_keyversion(key);
 	else
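Review bot: The last clause, `(!setdel && !setinact && prevdel < previnact)`, can produce a false warning for a key that has an inactivation time but no deletion time. In that case `prevdel` keeps the 0 assigned just above (assuming `dst_key_gettime` leaves its output untouched on failure), and 0 compares below `previnact`. The condition also hides two calls with side effects inside a short-circuit chain, which makes it hard to see which outputs are valid in which clause. Recording both lookups first and testing the stored times only when they exist fixes both; `hasinact` and `hasdel` would be two new `isc_boolean_t` locals declared with the others at the top of the function, outside this hunk.

```c
	prevdel = previnact = 0;
	hasinact = ISC_TF(dst_key_gettime(key, DST_TIME_INACTIVE,
					  &previnact) == ISC_R_SUCCESS);
	hasdel = ISC_TF(dst_key_gettime(key, DST_TIME_DELETE,
					&prevdel) == ISC_R_SUCCESS);
	if ((setdel && setinact && del < inact) ||
	    (setdel && !setinact && hasinact && del < previnact) ||
	    (setinact && !setdel && hasdel && prevdel < inact) ||
	    (!setdel && !setinact && hasdel && hasinact &&
	     prevdel < previnact))
		/* … unchanged: fprintf of the warning … */
```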
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dnssec-signzone.c,v 1.8 2013/03/24 18:44:38 christos Exp $	*/
+/*	$NetBSD: dnssec-signzone.c,v 1.9 2013/07/27 19:23:09 christos Exp $	*/
 
 /*
- * Portions Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -722,6 +722,8 @@
 	if (l->entries == l->size) {
 		l->size = l->size * 2 + 100;
 		l->hashbuf = realloc(l->hashbuf, l->size * l->length);
+		if (l->hashbuf == NULL)
+			fatal("unable to grow hashlist: out of memory");
 	}
 	memset(l->hashbuf + l->entries * l->length, 0, l->length);
 	memcpy(l->hashbuf + l->entries * l->length, hash, len);
@@ -1604,7 +1606,9 @@
  * Remove records of the given type and their signatures.
  */
 static void
-remove_records(dns_dbnode_t *node, dns_rdatatype_t which) {
+remove_records(dns_dbnode_t *node, dns_rdatatype_t which,
+	       isc_boolean_t checknsec)
+{
 	isc_result_t result;
 	dns_rdatatype_t type, covers;
 	dns_rdatasetiter_t *rdsiter = NULL;
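Review bot: The header comment above remove_records() still reads only "Remove records of the given type and their signatures" and does not mention the new `checknsec` parameter. Going by the next hunk, the parameter decides whether finding NSEC or NSEC3PARAM records without `-u` is fatal. A line such as `* If checknsec is true, finding such records without -u (update_chain) is a fatal error.` added to that comment would document it. The function body continues outside this hunk.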
@@ -1625,10 +1629,12 @@
 		covers = rdataset.covers;
 		dns_rdataset_disassociate(&rdataset);
 		if (type == which || covers == which) {
-			if (which == dns_rdatatype_nsec && !update_chain)
+			if (which == dns_rdatatype_nsec &&
+			    checknsec && !update_chain)
 				fatal("Zone contains NSEC records.  Use -u "
 				      "to update to NSEC3.");
-			if (which == dns_rdatatype_nsec3param && !update_chain)
+			if (which == dns_rdatatype_nsec3param &&
+			    checknsec && !update_chain)
 				fatal("Zone contains NSEC3 chains.  Use -u "
 				      "to update to NSEC.");
 			result = dns_db_deleterdataset(gdb, node, gversion,
@@ -1640,6 +1646,39 @@
 	dns_rdatasetiter_destroy(&rdsiter);
 }
 
+/*
+ * Remove signatures covering the given type (0 == all signatures).
+ */
+static void
+remove_sigs(dns_dbnode_t *node, dns_rdatatype_t which) {
+	isc_result_t result;
+	dns_rdatatype_t type, covers;
+	dns_rdatasetiter_t *rdsiter = NULL;
+	dns_rdataset_t rdataset;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
+	check_result(result, "dns_db_allrdatasets()");
+	for (result = dns_rdatasetiter_first(rdsiter);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(rdsiter)) {
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+		type = rdataset.type;
+		covers = rdataset.covers;
+		dns_rdataset_disassociate(&rdataset);
+
+		if (type == dns_rdatatype_rrsig &&
+		    (covers == which || which == 0))
+		{
+			result = dns_db_deleterdataset(gdb, node, gversion,
+						       type, covers);
+			check_result(result, "dns_db_deleterdataset()");
+			continue;
+		}
+	}
+	dns_rdatasetiter_destroy(&rdsiter);
+}
+
 /*%
  * Generate NSEC records for the zone and remove NSEC3/NSEC3PARAM records.
  */
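Review bot: In the new remove_sigs(), the iteration result is never inspected after the `for` loop, so an iterator error other than the normal end of the list is silently treated as completion. Adding `if (result != ISC_R_NOMORE) check_result(result, "dns_rdatasetiter_next()");` before `dns_rdatasetiter_destroy(&rdsiter);` would catch it. The trailing `continue;` inside the `if` is the last statement of the loop body and can be dropped. The header comment should also state that passing 0 for `which` removes every RRSIG at the node, since callers rely on that.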
@@ -1716,14 +1755,17 @@
 		}
 
 		if (dns_name_equal(name, gorigin))
-			remove_records(node, dns_rdatatype_nsec3param);
+			remove_records(node, dns_rdatatype_nsec3param,
+				       ISC_TRUE);
 
 		if (is_delegation(gdb, gversion, gorigin, name, node, &nsttl)) {
 			zonecut = dns_fixedname_name(&fzonecut);
 			dns_name_copy(name, zonecut, NULL);
+			remove_sigs(node, 0);
 			if (generateds)
 				add_ds(name, node, nsttl);
 		}
+
 		result = dns_dbiterator_next(dbiter);
 		nextnode = NULL;
 		while (result == ISC_R_SUCCESS) {
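Review bot: `remove_sigs(node, 0)` at the delegation point deletes every RRSIG on the node, including those covering the DS and NSEC sets, which are the parent-side data that is legitimately signed in this zone. Whether those signatures are regenerated later in the run is not visible from this hunk. If they are not, a previously signed delegation would lose valid signatures. A comment stating that the later signing pass re-creates them, or a narrower removal that leaves the parent-side types alone, would settle it. The same call is added at the NSEC3 delegation branch (the `@@ -2158,6 +2204,7 @@` hunk).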
@@ -1741,6 +1783,9 @@
 			    (zonecut != NULL &&
 			     dns_name_issubdomain(nextname, zonecut)))
 			{
+				remove_sigs(nextnode, 0);
+				remove_records(nextnode, dns_rdatatype_nsec,
+					       ISC_FALSE);
 				dns_db_detachnode(gdb, &nextnode);
 				result = dns_dbiterator_next(dbiter);
 				continue;
@@ -2132,7 +2177,7 @@
 		}
 
 		if (dns_name_equal(name, gorigin))
-			remove_records(node, dns_rdatatype_nsec);
+			remove_records(node, dns_rdatatype_nsec, ISC_TRUE);
 
 		result = dns_dbiterator_next(dbiter);
 		nextnode = NULL;
@@ -2149,6 +2194,7 @@
 			if (!dns_name_issubdomain(nextname, gorigin) ||
 			    (zonecut != NULL &&
 			     dns_name_issubdomain(nextname, zonecut))) {
+				remove_sigs(nextnode, 0);
 				dns_db_detachnode(gdb, &nextnode);
 				result = dns_dbiterator_next(dbiter);
 				continue;
@@ -2158,6 +2204,7 @@
 			{
 				zonecut = dns_fixedname_name(&fzonecut);
 				dns_name_copy(nextname, zonecut, NULL);
+				remove_sigs(nextnode, 0);
 				if (generateds)
 					add_ds(nextname, nextnode, nsttl);
 				if (OPTOUT(nsec3flags) &&
@@ -2284,7 +2331,7 @@
 				continue;
 			}
 			if (is_delegation(gdb, gversion, gorigin,
-							  nextname, nextnode, NULL))
+					  nextname, nextnode, NULL))
 			{
 				zonecut = dns_fixedname_name(&fzonecut);
 				dns_name_copy(nextname, zonecut, NULL);
@@ -2592,7 +2639,7 @@
 	dns_rdata_nsec3_t nsec3;
 	dns_fixedname_t fname;
 	dns_name_t *hashname;
-	unsigned char orig_salt[256];
+	unsigned char orig_salt[255];
 	size_t orig_saltlen;
 	dns_hash_t orig_hash;
 	isc_uint16_t orig_iter;
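Review bot: The new size of `orig_salt` is a bare `255` with no explanation of why it shrank from 256. A comment such as `/* NSEC3 salt length is a single octet, so at most 255 bytes */`, or a named salt-size constant if the tree's headers provide one, would make the bound self-documenting. The copy into `orig_salt` happens outside this hunk, so it is worth confirming that it is bounded by `sizeof(orig_salt)` rather than by the old value.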
@@ -3438,23 +3485,6 @@
 	else
 		set_nsec3params(update_chain, set_salt, set_optout, set_iter);
 
-	if (IS_NSEC3) {
-		isc_boolean_t answer;
-		hash_length = dns_nsec3_hashlength(dns_hash_sha1);
-		hashlist_init(&hashlist, dns_db_nodecount(gdb) * 2,
-			      hash_length);
-		result = dns_nsec_nseconly(gdb, gversion, &answer);
-		if (result == ISC_R_NOTFOUND)
-			fprintf(stderr, "%s: warning: NSEC3 generation "
-				"requested with no DNSKEY; ignoring\n",
-				program);
-		else if (result != ISC_R_SUCCESS)
-			check_result(result, "dns_nsec_nseconly");
-		else if (answer)
-			fatal("NSEC3 generation requested with "
-			      "NSEC-only DNSKEY");
-	}
-
 	/*
 	 * We need to do this early on, as we start messing with the list
 	 * of keys rather early.
@@ -3507,6 +3537,22 @@
 
 	if (IS_NSEC3) {
 		unsigned int max;
+		isc_boolean_t answer;
+
+		hash_length = dns_nsec3_hashlength(dns_hash_sha1);
+		hashlist_init(&hashlist, dns_db_nodecount(gdb) * 2,
+			      hash_length);
+		result = dns_nsec_nseconly(gdb, gversion, &answer);
+		if (result == ISC_R_NOTFOUND)
+			fprintf(stderr, "%s: warning: NSEC3 generation "
+				"requested with no DNSKEY; ignoring\n",
+				program);
+		else if (result != ISC_R_SUCCESS)
+			check_result(result, "dns_nsec_nseconly");
+		else if (answer)
+			fatal("NSEC3 generation requested with "
+			      "NSEC-only DNSKEY");
+
 		result = dns_nsec3_maxiterations(gdb, NULL, mctx, &max);
 		check_result(result, "dns_nsec3_maxiterations()");
 		if (nsec3iter > max)
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-verify.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-verify.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dnssec-verify.c,v 1.4 2013/07/01 21:59:20 joerg Exp $	*/
+/*	$NetBSD: dnssec-verify.c,v 1.5 2013/07/27 19:23:09 christos Exp $	*/
 
 /*
  * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
@@ -286,6 +286,9 @@
 	argc -= 1;
 	argv += 1;
 
+	POST(argc);
+	POST(argv);
+
 	if (origin == NULL)
 		origin = file;
 
--- a/external/bsd/bind/dist/bin/dnssec/dnssectool.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssectool.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dnssectool.c,v 1.4 2012/12/04 23:38:38 spz Exp $	*/
+/*	$NetBSD: dnssectool.c,v 1.5 2013/07/27 19:23:09 christos Exp $	*/
 
 /*
- * Copyright (C) 2004, 2005, 2007, 2009-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009-2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -522,14 +522,16 @@
 	dst_key_t *dstkey = NULL;
 	isc_result_t result;
 
-	dns_rdata_tostruct(sigrdata, &sig, NULL);
+	result = dns_rdata_tostruct(sigrdata, &sig, NULL);
+	check_result(result, "dns_rdata_tostruct()");
 
 	for (result = dns_rdataset_first(keyrdataset);
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(keyrdataset)) {
 		dns_rdata_t rdata = DNS_RDATA_INIT;
 		dns_rdataset_current(keyrdataset, &rdata);
-		dns_rdata_tostruct(&rdata, &key, NULL);
+		result = dns_rdata_tostruct(&rdata, &key, NULL);
+		check_result(result, "dns_rdata_tostruct()");
 		result = dns_dnssec_keyfromrdata(origin, &rdata, mctx,
 						 &dstkey);
 		if (result != ISC_R_SUCCESS)
@@ -583,7 +585,7 @@
 		dns_name_format(name, namebuf, sizeof(namebuf));
 		dns_name_format(nextname, nextbuf, sizeof(nextbuf));
 		dns_name_format(&nsec.next, found, sizeof(found));
-		fprintf(stderr, "Bad record NSEC record for %s, next name "
+		fprintf(stderr, "Bad NSEC record for %s, next name "
 				"mismatch (expected:%s, found:%s)\n", namebuf,
 				nextbuf, found);
 		goto failure;
@@ -594,7 +596,7 @@
 	check_result(result, "dns_nsec_buildrdata()");
 	if (dns_rdata_compare(&rdata, &tmprdata) != 0) {
 		dns_name_format(name, namebuf, sizeof(namebuf));
-		fprintf(stderr, "Bad record NSEC record for %s, bit map "
+		fprintf(stderr, "Bad NSEC record for %s, bit map "
 				"mismatch\n", namebuf);
 		goto failure;
 	}
@@ -770,7 +772,7 @@
 	len = dns_nsec_compressbitmap(cbm, types, maxtype);
 	if (nsec3.len != len || memcmp(cbm, nsec3.typebits, len) != 0) {
 		dns_name_format(name, namebuf, sizeof(namebuf));
-		fprintf(stderr, "Bad record NSEC3 record for %s, bit map "
+		fprintf(stderr, "Bad NSEC3 record for %s, bit map "
 				"mismatch\n", namebuf);
 		return (ISC_R_FAILURE);
 	}
@@ -823,6 +825,7 @@
 
 		dns_rdataset_current(nsec3paramset, &rdata);
 		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+		check_result(result, "dns_rdata_tostruct()");
 		if (nsec3param.flags == 0 &&
 		    nsec3param.hash == nsec3->hash &&
 		    nsec3param.iterations == nsec3->iterations &&
@@ -890,11 +893,64 @@
 	return (ISC_R_SUCCESS);
 }
 
+static isc_boolean_t
+isoptout(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
+	 dns_rdata_t *nsec3rdata)
+{
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_nsec3_t nsec3;
+	dns_rdata_nsec3param_t nsec3param;
+	dns_fixedname_t fixed;
+	dns_name_t *hashname;
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	unsigned char rawhash[NSEC3_MAX_HASH_LENGTH];
+	size_t rhsize = sizeof(rawhash);
+	isc_boolean_t ret;
+
+	result = dns_rdata_tostruct(nsec3rdata, &nsec3param, NULL);
+	check_result(result, "dns_rdata_tostruct()");
+
+	dns_fixedname_init(&fixed);
+	result = dns_nsec3_hashname(&fixed, rawhash, &rhsize, origin, origin,
+				    nsec3param.hash, nsec3param.iterations,
+				    nsec3param.salt, nsec3param.salt_length);
+	check_result(result, "dns_nsec3_hashname()");
+
+	dns_rdataset_init(&rdataset);
+	hashname = dns_fixedname_name(&fixed);
+	result = dns_db_findnsec3node(db, hashname, ISC_FALSE, &node);
+	if (result == ISC_R_SUCCESS)
+		result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3,
+					     0, 0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS)
+		return (ISC_FALSE);
+
+	result = dns_rdataset_first(&rdataset);
+	check_result(result, "dns_rdataset_first()");
+
+	dns_rdataset_current(&rdataset, &rdata);
+
+	result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
+	if (result != ISC_R_SUCCESS)
+		ret = ISC_FALSE;
+	else
+		ret = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0);
+
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+
+	return (ret);
+}
+
 static isc_result_t
 verifynsec3(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
 	    isc_mem_t *mctx, dns_name_t *name, dns_rdata_t *rdata,
-	    isc_boolean_t delegation, unsigned char types[8192],
-	    unsigned int maxtype)
+	    isc_boolean_t delegation, isc_boolean_t empty,
+	    unsigned char types[8192], unsigned int maxtype)
 {
 	char namebuf[DNS_NAME_FORMATSIZE];
 	char hashbuf[DNS_NAME_FORMATSIZE];
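Review bot: In the new isoptout(), the early `return (ISC_FALSE);` after the two lookups skips the cleanup at the bottom of the function. When `dns_db_findnsec3node()` succeeds but `dns_db_findrdataset()` fails, `node` is therefore never detached. Routing that failure through the existing cleanup, as verifynsec3() does, closes the leak. The parameter is named `nsec3rdata` but is converted with `dns_rdata_tostruct` into a `dns_rdata_nsec3param_t`, so a name like `nsec3paramrdata` and a one-line header comment on what the function reports would help. verifynsec3's body continues outside this hunk.

```c
	if (result != ISC_R_SUCCESS) {
		/* The node may be attached even though the rdataset lookup failed. */
		ret = ISC_FALSE;
		goto cleanup;
	}
	/* … unchanged: dns_rdataset_first/current and the opt-out flag test … */

 cleanup:
	if (dns_rdataset_isassociated(&rdataset))
		dns_rdataset_disassociate(&rdataset);
	/* … unchanged: node detach and return (ret) … */
```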
@@ -906,6 +962,7 @@
 	dns_dbnode_t *node = NULL;
 	unsigned char rawhash[NSEC3_MAX_HASH_LENGTH];
 	size_t rhsize = sizeof(rawhash);
+	isc_boolean_t optout;
 
 	result = dns_rdata_tostruct(rdata, &nsec3param, NULL);
 	check_result(result, "dns_rdata_tostruct()");
@@ -916,6 +973,8 @@
 	if (!dns_nsec3_supportedhash(nsec3param.hash))
 		return (ISC_R_SUCCESS);
 
+	optout = isoptout(db, ver, origin, rdata);
+
 	dns_fixedname_init(&fixed);
 	result = dns_nsec3_hashname(&fixed, rawhash, &rhsize, name, origin,
 				    nsec3param.hash, nsec3param.iterations,
@@ -935,16 +994,22 @@
 		result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3,
 					     0, 0, &rdataset, NULL);
 	if (result != ISC_R_SUCCESS &&
-	    (!delegation || dns_nsec_isset(types, dns_rdatatype_ds))) {
+	    (!delegation || (empty && !optout) ||
+	     (!empty && dns_nsec_isset(types, dns_rdatatype_ds))))
+	{
 		dns_name_format(name, namebuf, sizeof(namebuf));
 		dns_name_format(hashname, hashbuf, sizeof(hashbuf));
 		fprintf(stderr, "Missing NSEC3 record for %s (%s)\n",
 			namebuf, hashbuf);
+	} else if (result == ISC_R_NOTFOUND &&
+		   delegation && (!empty || optout))
+	{
+		result = ISC_R_SUCCESS;
 	} else if (result == ISC_R_SUCCESS) {
 		result = match_nsec3(name, mctx, &nsec3param, &rdataset,
 				     types, maxtype, rawhash, rhsize);
-	} else if (result == ISC_R_NOTFOUND && delegation)
-		result = ISC_R_SUCCESS;
+	}
+
 	if (dns_rdataset_isassociated(&rdataset))
 		dns_rdataset_disassociate(&rdataset);
 	if (node != NULL)
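Review bot: The reworked condition that decides when a missing NSEC3 is an error now combines `delegation`, `empty` and `optout` in two mirrored expressions with no comment, which makes the accepted cases hard to audit. A block comment above the `if` should list them as the code has them. A missing record is an error for any name that is not a delegation, for an empty node when the chain is not opt-out, and for a non-empty delegation that carries a DS. It is accepted for a delegation that is non-empty or covered by opt-out. Because `types` is NULL when verifyemptynodes() calls in, the comment should also note that `dns_nsec_isset(types, ...)` is reached only when `empty` is false.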
@@ -956,8 +1021,8 @@
 static isc_result_t
 verifynsec3s(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
 	     isc_mem_t *mctx, dns_name_t *name, dns_rdataset_t *nsec3paramset,
-	     isc_boolean_t delegation, unsigned char types[8192],
-	     unsigned int maxtype)
+	     isc_boolean_t delegation, isc_boolean_t empty,
+	     unsigned char types[8192], unsigned int maxtype)
 {
 	isc_result_t result;
 
@@ -968,7 +1033,7 @@
 
 		dns_rdataset_current(nsec3paramset, &rdata);
 		result = verifynsec3(db, ver, origin, mctx, name, &rdata,
-				     delegation, types, maxtype);
+				     delegation, empty, types, maxtype);
 		if (result != ISC_R_SUCCESS)
 			break;
 	}
@@ -1023,7 +1088,8 @@
 		dns_rdata_rrsig_t sig;
 
 		dns_rdataset_current(&sigrdataset, &rdata);
-		dns_rdata_tostruct(&rdata, &sig, NULL);
+		result = dns_rdata_tostruct(&rdata, &sig, NULL);
+		check_result(result, "dns_rdata_tostruct()");
 		if (rdataset->ttl != sig.originalttl) {
 			dns_name_format(name, namebuf, sizeof(namebuf));
 			type_format(rdataset->type, typebuf, sizeof(typebuf));
@@ -1112,8 +1178,8 @@
 
 	if (nsec3paramset != NULL && dns_rdataset_isassociated(nsec3paramset)) {
 		tresult = verifynsec3s(db, ver, origin, mctx, name,
-				       nsec3paramset, delegation, types,
-				       maxtype);
+				       nsec3paramset, delegation, ISC_FALSE,
+				       types, maxtype);
 		if (result == ISC_R_SUCCESS && tresult != ISC_R_SUCCESS)
 			result = tresult;
 	}
@@ -1302,8 +1368,8 @@
 
 static isc_result_t
 verifyemptynodes(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
-		 isc_mem_t *mctx, dns_name_t *name, dns_name_t *nextname,
-		 dns_rdataset_t *nsec3paramset)
+		 isc_mem_t *mctx, dns_name_t *name, dns_name_t *prevname,
+		 isc_boolean_t isdelegation, dns_rdataset_t *nsec3paramset)
 {
 	dns_namereln_t reln;
 	int order;
@@ -1311,23 +1377,24 @@
 	dns_name_t suffix;
 	isc_result_t result = ISC_R_SUCCESS, tresult;
 
-	reln = dns_name_fullcompare(name, nextname, &order, &labels);
+	reln = dns_name_fullcompare(prevname, name, &order, &labels);
 	if (order >= 0)
 		return (result);
 
-	nlabels = dns_name_countlabels(nextname);
+	nlabels = dns_name_countlabels(name);
 
 	if (reln == dns_namereln_commonancestor ||
 	    reln == dns_namereln_contains) {
 		dns_name_init(&suffix, NULL);
 		for (i = labels + 1; i < nlabels; i++) {
-			dns_name_getlabelsequence(nextname, nlabels - i, i,
+			dns_name_getlabelsequence(name, nlabels - i, i,
 						  &suffix);
 			if (nsec3paramset != NULL &&
 			     dns_rdataset_isassociated(nsec3paramset)) {
 				tresult = verifynsec3s(db, ver, origin, mctx,
 						       &suffix, nsec3paramset,
-						       ISC_FALSE, NULL, 0);
+						       isdelegation, ISC_TRUE,
+						       NULL, 0);
 				if (result == ISC_R_SUCCESS &&
 				    tresult != ISC_R_SUCCESS)
 					result = tresult;
@@ -1357,8 +1424,8 @@
 	char algbuf[80];
 	dns_dbiterator_t *dbiter = NULL;
 	dns_dbnode_t *node = NULL, *nextnode = NULL;
-	dns_fixedname_t fname, fnextname, fzonecut;
-	dns_name_t *name, *nextname, *zonecut;
+	dns_fixedname_t fname, fnextname, fprevname, fzonecut;
+	dns_name_t *name, *nextname, *prevname, *zonecut;
 	dns_rdata_dnskey_t dnskey;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	dns_rdataset_t keyset, soaset;
@@ -1570,6 +1637,8 @@
 	name = dns_fixedname_name(&fname);
 	dns_fixedname_init(&fnextname);
 	nextname = dns_fixedname_name(&fnextname);
+	dns_fixedname_init(&fprevname);
+	prevname = NULL;
 	dns_fixedname_init(&fzonecut);
 	zonecut = NULL;
 
@@ -1636,8 +1705,13 @@
 			vresult = ISC_R_SUCCESS;
 		if (vresult == ISC_R_SUCCESS && result != ISC_R_SUCCESS)
 			vresult = result;
-		result = verifyemptynodes(db, ver, origin, mctx, name,
-					  nextname, &nsec3paramset);
+		if (prevname != NULL) {
+			result = verifyemptynodes(db, ver, origin, mctx, name,
+						  prevname, isdelegation,
+						  &nsec3paramset);
+		} else
+			prevname = dns_fixedname_name(&fprevname);
+		dns_name_copy(name, prevname, NULL);
 		if (vresult == ISC_R_SUCCESS && result != ISC_R_SUCCESS)
 			vresult = result;
 		dns_db_detachnode(db, &node);
--- a/external/bsd/bind/dist/bin/named/client.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/named/client.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: client.c,v 1.6 2012/12/04 23:38:38 spz Exp $	*/
+/*	$NetBSD: client.c,v 1.7 2013/07/27 19:23:10 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
@@ -1397,9 +1397,9 @@
 
 	INSIST(client->recursionquota == NULL);
 
-	INSIST(client->state == TCP_CLIENT(client) ?
+	INSIST(client->state == (TCP_CLIENT(client) ?
 				       NS_CLIENTSTATE_READING :
-				       NS_CLIENTSTATE_READY);
+				       NS_CLIENTSTATE_READY));
 
 	ns_client_requests++;
 
@@ -2418,6 +2418,9 @@
 
 	CTRACE("replace");
 
+	REQUIRE(client != NULL);
+	REQUIRE(client->manager != NULL);
+
 	result = get_client(client->manager, client->interface,
 			    client->dispatch, TCP_CLIENT(client));
 	if (result != ISC_R_SUCCESS)
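Review bot: The added `REQUIRE(client != NULL);` comes after `CTRACE("replace");`, which is the first use of the client in this function if that macro logs through `client` (its definition is outside the hunk). Placing the two `REQUIRE` lines ahead of the trace call lets the precondition fire before anything touches the pointer. The enclosing function starts and ends outside this hunk.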
@@ -2509,10 +2512,10 @@
 	return (ISC_R_SUCCESS);
 
  cleanup_listlock:
-	isc_mutex_destroy(&manager->listlock);
+	(void) isc_mutex_destroy(&manager->listlock);
 
  cleanup_lock:
-	isc_mutex_destroy(&manager->lock);
+	(void) isc_mutex_destroy(&manager->lock);
 
  cleanup_manager:
 	isc_mem_put(manager->mctx, manager, sizeof(*manager));
@@ -2570,7 +2573,9 @@
 	ns_client_t *client;
 	MTRACE("get client");
 
-	if (manager != NULL && manager->exiting)
+	REQUIRE(manager != NULL);
+
+	if (manager->exiting)
 		return (ISC_R_SHUTTINGDOWN);
 
 	/*
--- a/external/bsd/bind/dist/bin/named/config.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/named/config.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: config.c,v 1.6 2012/12/04 23:38:38 spz Exp $	*/
+/*	$NetBSD: config.c,v 1.7 2013/07/27 19:23:10 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -153,6 +153,7 @@
 	check-names response ignore;\n\
 	check-dup-records warn;\n\
 	check-mx warn;\n\
+	check-spf warn;\n\
 	acache-enable no;\n\
 	acache-cleaning-interval 60;\n\
 	max-acache-size 16M;\n\
@@ -203,7 +204,7 @@
 	sig-signing-signatures 10;\n\
 	sig-signing-type 65534;\n\
 	inline-signing no;\n\
-	zone-statistics false;\n\
+	zone-statistics terse;\n\
 	max-journal-size unlimited;\n\
 	ixfr-from-differences false;\n\
 	check-wildcard yes;\n\
@@ -650,17 +651,16 @@
 		if (isc_sockaddr_getport(&addrs[i]) == 0)
 			isc_sockaddr_setport(&addrs[i], port);
 		keys[i] = NULL;
-		if (!cfg_obj_isstring(key)) {
-			i++;
+		i++;	/* Increment here so that cleanup on error works. */
+		if (!cfg_obj_isstring(key))
 			continue;
-		}
-		keys[i] = isc_mem_get(mctx, sizeof(dns_name_t));
-		if (keys[i] == NULL)
+		keys[i - 1] = isc_mem_get(mctx, sizeof(dns_name_t));
+		if (keys[i - 1] == NULL)
 			goto cleanup;
-		dns_name_init(keys[i], NULL);
+		dns_name_init(keys[i - 1], NULL);
 
 		keystr = cfg_obj_asstring(key);
-		isc_buffer_init(&b, keystr, strlen(keystr));
+		isc_buffer_constinit(&b, keystr, strlen(keystr));
 		isc_buffer_add(&b, strlen(keystr));
 		dns_fixedname_init(&fname);
 		result = dns_name_fromtext(dns_fixedname_name(&fname), &b,
@@ -668,10 +668,9 @@
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
 		result = dns_name_dup(dns_fixedname_name(&fname), mctx,
-				      keys[i]);
+				      keys[i - 1]);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
-		i++;
 	}
 	if (pushed != 0) {
 		pushed--;
@@ -727,7 +726,7 @@
 	if (addrs != NULL)
 		isc_mem_put(mctx, addrs, addrcount * sizeof(isc_sockaddr_t));
 	if (keys != NULL) {
-		for (j = 0; j <= i; j++) {
+		for (j = 0; j < i; j++) {
 			if (keys[j] == NULL)
 				continue;
 			if (dns_name_dynamic(keys[j]))
--- a/external/bsd/bind/dist/bin/named/control.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/named/control.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: control.c,v 1.4 2012/06/05 00:38:59 christos Exp $	*/
+/*	$NetBSD: control.c,v 1.5 2013/07/27 19:23:10 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2007, 2009-2012  Internet Systems Consortium, Inc. ("ISC")
@@ -63,7 +63,7 @@
 isc_result_t
 ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 	isccc_sexpr_t *data;
-	char *command;
+	char *command = NULL;
 	isc_result_t result;
 	int log_level;
 #ifdef HAVE_LIBSCF
--- a/external/bsd/bind/dist/bin/named/controlconf.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/named/controlconf.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: controlconf.c,v 1.5 2012/12/04 23:38:38 spz Exp $	*/
+/*	$NetBSD: controlconf.c,v 1.6 2013/07/27 19:23:10 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2008, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -151,7 +151,7 @@
 	if (listener->acl != NULL)
 		dns_acl_detach(&listener->acl);
 
-	isc_mem_put(listener->mctx, listener, sizeof(*listener));
+	isc_mem_putanddetach(&listener->mctx, listener, sizeof(*listener));
 }
 
 static void
@@ -1068,8 +1068,9 @@
 		result = ISC_R_NOMEMORY;
 
 	if (result == ISC_R_SUCCESS) {
+		listener->mctx = NULL;
+		isc_mem_attach(mctx, &listener->mctx);
 		listener->controls = cp;
-		listener->mctx = mctx;
 		listener->task = cp->server->task;
 		listener->address = *addr;
 		listener->sock = NULL;
--- a/external/bsd/bind/dist/bin/named/include/named/client.h	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/named/include/named/client.h	Sat Jul 27 19:23:09 2013 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: client.h,v 1.3 2012/06/05 00:39:07 christos Exp $	*/
+/*	$NetBSD: client.h,v 1.4 2013/07/27 19:23:10 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
@@ -169,16 +169,17 @@
 #define NS_CLIENT_MAGIC			ISC_MAGIC('N','S','C','c')
 #define NS_CLIENT_VALID(c)		ISC_MAGIC_VALID(c, NS_CLIENT_MAGIC)
 
-#define NS_CLIENTATTR_TCP		0x01
-#define NS_CLIENTATTR_RA		0x02 /*%< Client gets recursive service */
-#define NS_CLIENTATTR_PKTINFO		0x04 /*%< pktinfo is valid */
-#define NS_CLIENTATTR_MULTICAST		0x08 /*%< recv'd from multicast */
-#define NS_CLIENTATTR_WANTDNSSEC	0x10 /*%< include dnssec records */
-#define NS_CLIENTATTR_WANTNSID          0x20 /*%< include nameserver ID */
+#define NS_CLIENTATTR_TCP		0x001
+#define NS_CLIENTATTR_RA		0x002 /*%< Client gets recursive service */
+#define NS_CLIENTATTR_PKTINFO		0x004 /*%< pktinfo is valid */
+#define NS_CLIENTATTR_MULTICAST		0x008 /*%< recv'd from multicast */
+#define NS_CLIENTATTR_WANTDNSSEC	0x010 /*%< include dnssec records */
+#define NS_CLIENTATTR_WANTNSID          0x020 /*%< include nameserver ID */
 #ifdef ALLOW_FILTER_AAAA_ON_V4
-#define NS_CLIENTATTR_FILTER_AAAA	0x40 /*%< suppress AAAAs */
-#define NS_CLIENTATTR_FILTER_AAAA_RC	0x80 /*%< recursing for A against AAAA */
+#define NS_CLIENTATTR_FILTER_AAAA	0x040 /*%< suppress AAAAs */
+#define NS_CLIENTATTR_FILTER_AAAA_RC	0x080 /*%< recursing for A against AAAA */
 #endif
+#define NS_CLIENTATTR_WANTAD		0x100 /*%< want AD in response if possible */
 
 extern unsigned int ns_client_requests;
 
--- a/external/bsd/bind/dist/bin/named/include/named/globals.h	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/named/include/named/globals.h	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: globals.h,v 1.4 2012/06/05 00:39:08 christos Exp $	*/
+/*	$NetBSD: globals.h,v 1.5 2013/07/27 19:23:10 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -69,6 +69,9 @@
 EXTERN isc_socketmgr_t *	ns_g_socketmgr		INIT(NULL);
 EXTERN cfg_parser_t *		ns_g_parser		INIT(NULL);
 EXTERN const char *		ns_g_version		INIT(VERSION);
+EXTERN const char *		ns_g_product		INIT(PRODUCT);
+EXTERN const char *		ns_g_description	INIT(DESCRIPTION);
+EXTERN const char *		ns_g_srcid		INIT(SRCID);
 EXTERN const char *		ns_g_configargs		INIT(CONFIGARGS);
 EXTERN in_port_t		ns_g_port		INIT(0);
 EXTERN in_port_t		lwresd_g_listenport	INIT(0);
@@ -123,6 +126,7 @@
 EXTERN const char *		ns_g_chrootdir		INIT(NULL);
 EXTERN isc_boolean_t		ns_g_foreground		INIT(ISC_FALSE);
 EXTERN isc_boolean_t		ns_g_logstderr		INIT(ISC_FALSE);
+EXTERN isc_boolean_t		ns_g_nosyslog		INIT(ISC_FALSE);
 
 EXTERN const char *		ns_g_defaultsessionkeyfile
 					INIT(NS_LOCALSTATEDIR "/run/named/"
@@ -156,6 +160,7 @@
 EXTERN isc_boolean_t		ns_g_clienttest		INIT(ISC_FALSE);
 EXTERN isc_boolean_t		ns_g_nosoa		INIT(ISC_FALSE);
 EXTERN isc_boolean_t		ns_g_noaa		INIT(ISC_FALSE);
+EXTERN isc_boolean_t		ns_g_nonearest		INIT(ISC_FALSE);
 
 #undef EXTERN
 #undef INIT
--- a/external/bsd/bind/dist/bin/named/include/named/server.h	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/named/include/named/server.h	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: server.h,v 1.4 2012/06/05 00:39:10 christos Exp $	*/
+/*	$NetBSD: server.h,v 1.5 2013/07/27 19:23:10 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -167,7 +167,9 @@
 	dns_nsstatscounter_updatefail = 34,
 	dns_nsstatscounter_updatebadprereq = 35,
 
-	dns_nsstatscounter_max = 36
+	dns_nsstatscounter_rpz_rewrites = 36,
+
+	dns_nsstatscounter_max = 37
 };
 
 void
--- a/external/bsd/bind/dist/bin/named/interfacemgr.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/named/interfacemgr.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: interfacemgr.c,v 1.4 2012/06/05 00:38:59 christos Exp $	*/
+/*	$NetBSD: interfacemgr.c,v 1.5 2013/07/27 19:23:10 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2009, 2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -82,11 +82,13 @@
 	if (mgr == NULL)
 		return (ISC_R_NOMEMORY);
 
+	mgr->mctx = NULL;
+	isc_mem_attach(mctx, &mgr->mctx);
+
 	result = isc_mutex_init(&mgr->lock);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_mem;
 
-	mgr->mctx = mctx;
 	mgr->taskmgr = taskmgr;
 	mgr->socketmgr = socketmgr;
 	mgr->dispatchmgr = dispatchmgr;
@@ -118,7 +120,7 @@
 	ns_listenlist_detach(&mgr->listenon4);
 	ns_listenlist_detach(&mgr->listenon6);
  cleanup_mem:
-	isc_mem_put(mctx, mgr, sizeof(*mgr));
+	isc_mem_putanddetach(&mgr->mctx, mgr, sizeof(*mgr));
 	return (result);
 }
 
@@ -131,7 +133,7 @@
 	clearlistenon(mgr);
 	DESTROYLOCK(&mgr->lock);
 	mgr->magic = 0;
-	isc_mem_put(mgr->mctx, mgr, sizeof(*mgr));
+	isc_mem_putanddetach(&mgr->mctx, mgr, sizeof(*mgr));
 }
 
 dns_aclenv_t *
@@ -428,7 +430,7 @@
 
 	ns_interface_shutdown(ifp);
 
-	for (disp = ifp->nudpdispatch; disp >= 0; disp--)
+	for (disp = 0; disp < ifp->nudpdispatch; disp++)
 		if (ifp->udpdispatch[disp] != NULL) {
 			dns_dispatch_changeattributes(ifp->udpdispatch[disp], 0,
 						    DNS_DISPATCHATTR_NOLISTEN);
--- a/external/bsd/bind/dist/bin/named/log.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/named/log.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: log.c,v 1.3 2012/06/05 00:39:00 christos Exp $	*/
+/*	$NetBSD: log.c,v 1.4 2013/07/27 19:23:10 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -203,7 +203,7 @@
 ns_log_setdefaultcategory(isc_logconfig_t *lcfg) {
 	isc_result_t result;
 
-	if (! ns_g_logstderr) {
+	if (! ns_g_logstderr && ! ns_g_nosyslog) {
 		result = isc_log_usechannel(lcfg, "default_syslog",
 					    ISC_LOGCATEGORY_DEFAULT, NULL);
 		if (result != ISC_R_SUCCESS)
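Review bot: When `ns_g_nosyslog` is set and `ns_g_logstderr` is not, this branch is skipped and the hunk shows no other channel being attached to ISC_LOGCATEGORY_DEFAULT, so default-category messages may lose their syslog destination without any trace of why. The rest of ns_log_setdefaultcategory() is outside the hunk and may attach another channel; either way the behaviour should be a documented choice. A comment on the condition would do, for example `/* -T nosyslog is a test-only switch: the default category is then served only by the remaining channels. */`.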
--- a/external/bsd/bind/dist/bin/named/logconf.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/named/logconf.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: logconf.c,v 1.4 2012/06/05 00:39:00 christos Exp $	*/
+/*	$NetBSD: logconf.c,v 1.5 2013/07/27 19:23:10 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2007, 2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2011, 2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -248,14 +248,16 @@
 					isc_result_totext(result));
 			} else
 				(void)isc_stdio_close(fp);
-		} else {
+			goto done;
+		}
+		if (!ns_g_nosyslog)
 			syslog(LOG_ERR, "isc_file_isplainfile '%s' failed: %s",
-				dest.file.name, isc_result_totext(result));
-			fprintf(stderr, "isc_file_isplainfile '%s' failed: %s",
-				dest.file.name, isc_result_totext(result));
-		}
+			       dest.file.name, isc_result_totext(result));
+		fprintf(stderr, "isc_file_isplainfile '%s' failed: %s",
+			dest.file.name, isc_result_totext(result));
 	}
 
+ done:
 	return (result);
 }
 
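Review bot: The stderr message `fprintf(stderr, "isc_file_isplainfile '%s' failed: %s", ...)` has no trailing newline, so it runs into whatever is written to stderr next. Changing the format to `"isc_file_isplainfile '%s' failed: %s\n"` fixes that without touching the syslog call. The new `done:` label guards only `return (result);`, so a plain `return (result);` in place of `goto done;` would read more simply. The enclosing function starts outside the hunk.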
--- a/external/bsd/bind/dist/bin/named/lwresd.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/named/lwresd.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: lwresd.c,v 1.3 2012/06/05 00:39:01 christos Exp $	*/
+/*	$NetBSD: lwresd.c,v 1.4 2013/07/27 19:23:10 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2012  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -370,7 +370,7 @@
 
 			dns_fixedname_init(&fname);
 			name = dns_fixedname_name(&fname);
-			isc_buffer_init(&namebuf, searchstr,
+			isc_buffer_constinit(&namebuf, searchstr,
 					strlen(searchstr));
 			isc_buffer_add(&namebuf, strlen(searchstr));
 			result = dns_name_fromtext(name, &namebuf,
--- a/external/bsd/bind/dist/bin/named/main.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/named/main.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: main.c,v 1.10 2013/03/24 18:44:39 christos Exp $	*/
+/*	$NetBSD: main.c,v 1.11 2013/07/27 19:23:10 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -525,6 +525,10 @@
 				maxudp = 512;
 			else if (!strcmp(isc_commandline_argument, "maxudp1460"))
 				maxudp = 1460;
+			else if (!strcmp(isc_commandline_argument, "nosyslog"))
+				ns_g_nosyslog = ISC_TRUE;
+			else if (!strcmp(isc_commandline_argument, "nonearest"))
+				ns_g_nonearest = ISC_TRUE;
 			else
 				fprintf(stderr, "unknown -T flag '%s\n",
 					isc_commandline_argument);
@@ -538,10 +542,16 @@
 			ns_g_username = isc_commandline_argument;
 			break;
 		case 'v':
-			printf("BIND %s\n", ns_g_version);
+			printf("%s %s", ns_g_product, ns_g_version);
+			if (*ns_g_description != 0)
+				printf(" %s", ns_g_description);
+			printf("\n");
 			exit(0);
 		case 'V':
-			printf("BIND %s built with %s\n", ns_g_version,
+			printf("%s %s", ns_g_product, ns_g_version);
+			if (*ns_g_description != 0)
+				printf(" %s", ns_g_description);
+			printf(" <id:%s> built with %s\n", ns_g_srcid,
 				ns_g_configargs);
 #ifdef OPENSSL
 			printf("using OpenSSL version: %s\n",
@@ -595,7 +605,9 @@
 #ifdef WIN32
 	ns_g_udpdisp = 1;
 #else
-	if (ns_g_udpdisp == 0 || ns_g_udpdisp > ns_g_cpus)
+	if (ns_g_udpdisp == 0)
+		ns_g_udpdisp = ns_g_cpus_detected;
+	if (ns_g_udpdisp > ns_g_cpus)
 		ns_g_udpdisp = ns_g_cpus;
 #endif
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
@@ -804,8 +816,8 @@
 				   isc_result_totext(result));
 
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
-		      ISC_LOG_NOTICE, "starting BIND %s%s", ns_g_version,
-		      saved_command_line);
+		      ISC_LOG_NOTICE, "starting %s %s%s", ns_g_product,
+		      ns_g_version, saved_command_line);
 
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
 		      ISC_LOG_NOTICE, "built with %s", ns_g_configargs);
@@ -1051,9 +1063,9 @@
 	 */
 	strlcat(version,
 #if defined(NO_VERSION_DATE) || !defined(__DATE__)
-		"named version: BIND " VERSION,
+		"named version: BIND " VERSION " <" SRCID ">",
 #else
-		"named version: BIND " VERSION " (" __DATE__ ")",
+		"named version: BIND " VERSION " <" SRCID "> (" __DATE__ ")",
 #endif
 		sizeof(version));
 	result = isc_file_progname(*argv, program_name, sizeof(program_name));
--- a/external/bsd/bind/dist/bin/named/named.8	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/named/named.8	Sat Jul 27 19:23:09 2013 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: named.8,v 1.3 2012/06/05 00:39:02 christos Exp $
+.\"	$NetBSD: named.8,v 1.4 2013/07/27 19:23:10 christos Exp $
 .\"
-.\" Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2009, 2011, 2013 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -176,9 +176,11 @@
 \fI#listeners\fR
 worker threads to listen for incoming UDP packets on each address. If not specified,
 \fBnamed\fR
-will use all of the worker threads for this purpose; the
+will use the number of detected CPUs. If
+\fB\-n\fR
+has been set to a higher value than the number of CPUs, then
 \fB\-U\fR
-option allows the number to be decreased but not increased.
+may be increased as high as that value, but no higher.
 .RE
 .PP
 \-u \fIuser\fR
@@ -280,7 +282,7 @@
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2009, 2011, 2013 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
 .br
--- a/external/bsd/bind/dist/bin/named/named.conf.5	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/named/named.conf.5	Sat Jul 27 19:23:09 2013 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: named.conf.5,v 1.8 2012/06/05 00:39:02 christos Exp $
+.\"	$NetBSD: named.conf.5,v 1.9 2013/07/27 19:23:10 christos Exp $
 .\"
-.\" Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -598,5 +598,5 @@
 \fBrndc\fR(8),
 BIND 9 Administrator Reference Manual.
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2011 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
 .br
--- a/external/bsd/bind/dist/bin/named/named.conf.docbook	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/named/named.conf.docbook	Sat Jul 27 19:23:09 2013 +0000
@@ -2,7 +2,7 @@
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2011, 2013  Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -44,6 +44,7 @@
       <year>2009</year>
       <year>2010</year>
       <year>2011</year>
+      <year>2013</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
--- a/external/bsd/bind/dist/bin/named/named.conf.html	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/named/named.conf.html	Sat Jul 27 19:23:09 2013 +0000
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -31,7 +31,7 @@
 <div class="cmdsynopsis"><p><code class="command">named.conf</code> </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543354"></a><h2>DESCRIPTION</h2>
+<a name="id2543357"></a><h2>DESCRIPTION</h2>
 <p><code class="filename">named.conf</code> is the configuration file
       for
       <span><strong class="command">named</strong></span>.  Statements are enclosed
@@ -50,14 +50,14 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543382"></a><h2>ACL</h2>
+<a name="id2543385"></a><h2>ACL</h2>
 <div class="literallayout"><p><br>
 acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 <br>
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543398"></a><h2>KEY</h2>
+<a name="id2543401"></a><h2>KEY</h2>
 <div class="literallayout"><p><br>
 key <em class="replaceable"><code>domain_name</code></em> {<br>
 	algorithm <em class="replaceable"><code>string</code></em>;<br>
@@ -66,7 +66,7 @@
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543417"></a><h2>MASTERS</h2>
+<a name="id2543420"></a><h2>MASTERS</h2>
 <div class="literallayout"><p><br>
 masters <em class="replaceable"><code>string</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
 	( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
@@ -75,7 +75,7 @@
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543463"></a><h2>SERVER</h2>
+<a name="id2543466"></a><h2>SERVER</h2>
 <div class="literallayout"><p><br>
 server ( <em class="replaceable"><code>ipv4_address[<span class="optional">/prefixlen</span>]</code></em> | <em class="replaceable"><code>ipv6_address[<span class="optional">/prefixlen</span>]</code></em> ) {<br>
 	bogus <em class="replaceable"><code>boolean</code></em>;<br>
@@ -97,7 +97,7 @@
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543531"></a><h2>TRUSTED-KEYS</h2>
+<a name="id2543534"></a><h2>TRUSTED-KEYS</h2>
 <div class="literallayout"><p><br>
 trusted-keys {<br>
 	<em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br>
@@ -105,7 +105,7 @@
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543557"></a><h2>MANAGED-KEYS</h2>
+<a name="id2543560"></a><h2>MANAGED-KEYS</h2>
 <div class="literallayout"><p><br>
 managed-keys {<br>
 	<em class="replaceable"><code>domain_name</code></em> <code class="constant">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br>
@@ -113,7 +113,7 @@
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543586"></a><h2>CONTROLS</h2>
+<a name="id2543589"></a><h2>CONTROLS</h2>
 <div class="literallayout"><p><br>
 controls {<br>
 	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
@@ -125,7 +125,7 @@
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543621"></a><h2>LOGGING</h2>
+<a name="id2543624"></a><h2>LOGGING</h2>
 <div class="literallayout"><p><br>
 logging {<br>
 	channel <em class="replaceable"><code>string</code></em> {<br>
@@ -143,7 +143,7 @@
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543659"></a><h2>LWRES</h2>
+<a name="id2543662"></a><h2>LWRES</h2>
 <div class="literallayout"><p><br>
 lwres {<br>
 	listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
@@ -156,7 +156,7 @@
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543701"></a><h2>OPTIONS</h2>
+<a name="id2543704"></a><h2>OPTIONS</h2>
 <div class="literallayout"><p><br>
 options {<br>
 	avoid-v4-udp-ports { <em class="replaceable"><code>port</code></em>; ... };<br>
@@ -361,7 +361,7 @@
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544582"></a><h2>VIEW</h2>
+<a name="id2544585"></a><h2>VIEW</h2>
 <div class="literallayout"><p><br>
 view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
 	match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -525,7 +525,7 @@
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545298"></a><h2>ZONE</h2>
+<a name="id2545301"></a><h2>ZONE</h2>
 <div class="literallayout"><p><br>
 zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
 	type ( master | slave | stub | hint | redirect |<br>
@@ -622,12 +622,12 @@
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545687"></a><h2>FILES</h2>
+<a name="id2545690"></a><h2>FILES</h2>
 <p><code class="filename">/etc/named.conf</code>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545699"></a><h2>SEE ALSO</h2>
+<a name="id2545702"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
--- a/external/bsd/bind/dist/bin/named/query.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/named/query.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: query.c,v 1.10 2012/12/04 23:38:38 spz Exp $	*/
+/*	$NetBSD: query.c,v 1.11 2013/07/27 19:23:10 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -96,6 +96,10 @@
 /*% Want DNSSEC? */
 #define WANTDNSSEC(c)		(((c)->attributes & \
 				  NS_CLIENTATTR_WANTDNSSEC) != 0)
+/*% Want WANTAD? */
+#define WANTAD(c)		(((c)->attributes & \
+				  NS_CLIENTATTR_WANTAD) != 0)
+
 /*% No authority? */
 #define NOAUTHORITY(c)		(((c)->query.attributes & \
 				  NS_QUERYATTR_NOAUTHORITY) != 0)
@@ -170,39 +174,66 @@
 static inline void
 inc_stats(ns_client_t *client, isc_statscounter_t counter) {
 	dns_zone_t *zone = client->query.authzone;
+	isc_stats_t *zonestats;
+#ifdef NEWSTATS
+	dns_rdatatype_t qtype;
+	dns_rdataset_t *rdataset;
+	dns_stats_t *querystats = NULL;
+#endif
 
 	isc_stats_increment(ns_g_server->nsstats, counter);
 
-	if (zone != NULL) {
-		isc_stats_t *zonestats = dns_zone_getrequeststats(zone);
-		if (zonestats != NULL)
-			isc_stats_increment(zonestats, counter);
-	}
+	if (zone == NULL)
+		return;
+
+	/* Do regular response type stats */
+	zonestats = dns_zone_getrequeststats(zone);
+
+	if (zonestats != NULL)
+		isc_stats_increment(zonestats, counter);
+
+#ifdef NEWSTATS
+	/* Do query type statistics
+	 *
+	 * We only increment per-type if we're using the authoriative
+	 * answer counter, preventing double-counting.
+	 */
+	if (counter == dns_nsstatscounter_authans) {
+		querystats = dns_zone_getrcvquerystats(zone);
+		if (querystats != NULL) {
+			rdataset = ISC_LIST_HEAD(client->query.qname->list);
+			if (rdataset != NULL) {
+				qtype = rdataset->type;
+				dns_rdatatypestats_increment(querystats, qtype);
+			}
+		}
+	}
+#endif
 }
 
 static void
 query_send(ns_client_t *client) {
 	isc_statscounter_t counter;
+
 	if ((client->message->flags & DNS_MESSAGEFLAG_AA) == 0)
 		inc_stats(client, dns_nsstatscounter_nonauthans);
 	else
 		inc_stats(client, dns_nsstatscounter_authans);
+
 	if (client->message->rcode == dns_rcode_noerror) {
-		if (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER])) {
-			if (client->query.isreferral) {
+		dns_section_t answer = DNS_SECTION_ANSWER;
+		if (ISC_LIST_EMPTY(client->message->sections[answer])) {
+			if (client->query.isreferral)
 				counter = dns_nsstatscounter_referral;
-			} else {
+			else
 				counter = dns_nsstatscounter_nxrrset;
-			}
-		} else {
+		} else
 			counter = dns_nsstatscounter_success;
-		}
-	} else if (client->message->rcode == dns_rcode_nxdomain) {
+	} else if (client->message->rcode == dns_rcode_nxdomain)
 		counter = dns_nsstatscounter_nxdomain;
-	} else {
-		/* We end up here in case of YXDOMAIN, and maybe others */
+	else /* We end up here in case of YXDOMAIN, and maybe others */
 		counter = dns_nsstatscounter_failure;
-	}
+
 	inc_stats(client, counter);
 	ns_client_send(client);
 }
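Review bot: In the NEWSTATS block of inc_stats(), `client->query.qname` is dereferenced in `ISC_LIST_HEAD(client->query.qname->list)` without a check, although `zone`, `zonestats`, `querystats` and `rdataset` are each tested before use. If inc_stats() can be reached before a query name has been set (the call sites are not all visible here), that is a NULL dereference in the statistics path of a network-facing daemon. The guard `if (querystats != NULL && client->query.qname != NULL) {` would close it. The comment in the same block has a typo, `authoriative` for `authoritative`.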
@@ -653,7 +684,7 @@
 		     dns_dbversion_t **versionp)
 {
 	isc_result_t result;
-	dns_acl_t *queryacl;
+	dns_acl_t *queryacl, *queryonacl;
 	ns_dbversion_t *dbversion;
 
 	REQUIRE(zone != NULL);
@@ -765,6 +796,21 @@
 		client->query.attributes |= NS_QUERYATTR_QUERYOKVALID;
 	}
 
+	/* If and only if we've gotten this far, check allow-query-on too */
+	if (result == ISC_R_SUCCESS) {
+		queryonacl = dns_zone_getqueryonacl(zone);
+		if (queryonacl == NULL)
+			queryonacl = client->view->queryonacl;
+
+		result = ns_client_checkaclsilent(client, NULL,
+						  queryonacl, ISC_TRUE);
+		if ((options & DNS_GETDB_NOLOG) == 0 &&
+		    result != ISC_R_SUCCESS)
+			ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+				      NS_LOGMODULE_QUERY, ISC_LOG_INFO,
+				      "query-on denied");
+	}
+
 	dbversion->acl_checked = ISC_TRUE;
 	if (result != ISC_R_SUCCESS) {
 		dbversion->queryok = ISC_FALSE;
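Review bot: The allow-query-on check passes NULL as the address in `ns_client_checkaclsilent(client, NULL, queryonacl, ISC_TRUE)`. allow-query-on is meant to match the local address the query arrived on, and ns_client_checkaclsilent() is not shown here. If a NULL address makes it fall back to the client's source address, the ACL is evaluated against the wrong endpoint and could admit or refuse the wrong queries. Passing the destination explicitly, `ns_client_checkaclsilent(client, &client->destaddr, queryonacl, ISC_TRUE);`, would make the intent unambiguous; confirm against the helper's definition. The enclosing function continues outside the hunk.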
@@ -833,12 +879,29 @@
 }
 
 static void
-rpz_log_rewrite(ns_client_t *client, const char *disabled,
+rpz_log_rewrite(ns_client_t *client, isc_boolean_t disabled,
 		dns_rpz_policy_t policy, dns_rpz_type_t type,
-		dns_name_t *rpz_qname) {
+		dns_zone_t *zone, dns_name_t *rpz_qname)
+{
+	isc_stats_t *zonestats;
 	char qname_buf[DNS_NAME_FORMATSIZE];
 	char rpz_qname_buf[DNS_NAME_FORMATSIZE];
 
+	/*
+	 * Count enabled rewrites in the global counter.
+	 * Count both enabled and disabled rewrites for each zone.
+	 */
+	if (!disabled && policy != DNS_RPZ_POLICY_PASSTHRU) {
+		isc_stats_increment(ns_g_server->nsstats,
+				    dns_nsstatscounter_rpz_rewrites);
+	}
+	if (zone != NULL) {
+		zonestats = dns_zone_getrequeststats(zone);
+		if (zonestats != NULL)
+			isc_stats_increment(zonestats,
+					    dns_nsstatscounter_rpz_rewrites);
+	}
+
 	if (!isc_log_wouldlog(ns_g_lctx, DNS_RPZ_INFO_LEVEL))
 		return;
 
@@ -847,7 +910,7 @@
 
 	ns_client_log(client, DNS_LOGCATEGORY_RPZ, NS_LOGMODULE_QUERY,
 		      DNS_RPZ_INFO_LEVEL, "%srpz %s %s rewrite %s via %s",
-		      disabled,
+		      disabled ? "disabled " : "",
 		      dns_rpz_type2str(type), dns_rpz_policy2str(policy),
 		      qname_buf, rpz_qname_buf);
 }
@@ -863,6 +926,9 @@
 	if (!isc_log_wouldlog(ns_g_lctx, level))
 		return;
 
+	/*
+	 * bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
+	 */
 	dns_name_format(client->query.qname, namebuf1, sizeof(namebuf1));
 	dns_name_format(name, namebuf2, sizeof(namebuf2));
 	ns_client_log(client, NS_LOGCATEGORY_QUERY_EERRORS,
@@ -3114,6 +3180,14 @@
 		goto cleanup;
 
 	/*
+	 * If the answer is secure only add NS records if they are secure		 * when the client may be looking for AD in the response.
+	 */
+	if (SECURE(client) && (WANTDNSSEC(client) || WANTAD(client)) &&
+	    ((rdataset->trust != dns_trust_secure) ||
+	    (sigrdataset != NULL && sigrdataset->trust != dns_trust_secure)))
+		goto cleanup;
+
+	/*
 	 * If the client doesn't want DNSSEC we can discard the sigrdataset
 	 * now.
 	 */
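Review bot: The added comment has two lines run together, `... if they are secure		 * when the client ...`, so the leading `*` of the second line sits in the middle of the first. It should be split into ` * If the answer is secure only add NS records if they are secure` followed by ` * when the client may be looking for AD in the response.`. In the condition itself `rdataset->trust` is read unguarded while `sigrdataset` is NULL-checked. The enclosing function starts outside the hunk, so whether `rdataset` is always set at this point cannot be confirmed from these lines.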
@@ -4079,6 +4153,8 @@
 				rdatasetp, resuming);
 	switch (result) {
 	case ISC_R_SUCCESS:
+	case DNS_R_GLUE:
+	case DNS_R_ZONECUT:
 		result = rpz_rewrite_ip(client, *rdatasetp, rpz_type);
 		break;
 	case DNS_R_EMPTYNAME:
@@ -4174,6 +4250,8 @@
 	dns_clientinfomethods_t cm;
 	dns_clientinfo_t ci;
 
+	REQUIRE(nodep != NULL);
+
 	dns_clientinfomethods_init(&cm, ns_client_sourceip);
 	dns_clientinfo_init(&ci, client);
 
@@ -4261,26 +4339,32 @@
 				result = DNS_R_CNAME;
 		}
 		break;
+	case DNS_R_NXRRSET:
+		policy = DNS_RPZ_POLICY_NODATA;
+		break;
 	case DNS_R_DNAME:
 		/*
 		 * DNAME policy RRs have very few if any uses that are not
 		 * better served with simple wildcards.  Making the work would
 		 * require complications to get the number of labels matched
 		 * in the name or the found name to the main DNS_R_DNAME case
-		 * in query_find(). So fall through to treat them as NODATA.
+		 * in query_find().
 		 */
-	case DNS_R_NXRRSET:
-		policy = DNS_RPZ_POLICY_NODATA;
-		break;
+		dns_rdataset_disassociate(*rdatasetp);
+		dns_db_detachnode(*dbp, nodep);
+		/*
+		 * Fall through to treat it as a miss.
+		 */
 	case DNS_R_NXDOMAIN:
 	case DNS_R_EMPTYNAME:
 		/*
 		 * If we don't get a qname hit,
 		 * see if it is worth looking for other types.
 		 */
-		dns_db_rpz_enabled(*dbp, client->query.rpz_st);
+		(void)dns_db_rpz_enabled(*dbp, client->query.rpz_st);
 		dns_db_detach(dbp);
 		dns_zone_detach(zonep);
+		result = DNS_R_NXDOMAIN;
 		policy = DNS_RPZ_POLICY_MISS;
 		break;
 	default:
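Review bot: In the new DNS_R_DNAME arm, `dns_rdataset_disassociate(*rdatasetp)` is called unconditionally. That is safe only if the lookup always leaves `*rdatasetp` associated when it returns DNS_R_DNAME. The lookup call is outside the hunk, and if the rdataset is ever unassociated here the call presumably trips an assertion in the library and stops the server. A guard is cheap: `if (dns_rdataset_isassociated(*rdatasetp)) dns_rdataset_disassociate(*rdatasetp);`.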
@@ -4288,9 +4372,7 @@
 		dns_zone_detach(zonep);
 		rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, qnamef,
 			     "", result);
-		policy = DNS_RPZ_POLICY_ERROR;
-		result = DNS_R_SERVFAIL;
-		break;
+		return (DNS_R_SERVFAIL);
 	}
 
 	*policyp = policy;
@@ -4356,6 +4438,9 @@
 			if (result == ISC_R_SUCCESS)
 				break;
 			INSIST(result == DNS_R_NAMETOOLONG);
+			/*
+			 * Trim the name until it is not too long.
+			 */
 			labels = dns_name_countlabels(prefix);
 			if (labels < 2) {
 				rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
@@ -4379,7 +4464,6 @@
 				  rdatasetp, &policy);
 		switch (result) {
 		case DNS_R_NXDOMAIN:
-		case DNS_R_EMPTYNAME:
 			break;
 		case DNS_R_SERVFAIL:
 			rpz_clean(&zone, &db, &node, rdatasetp);
@@ -4402,13 +4486,45 @@
 			     (st->m.type == rpz_type &&
 			      0 >= dns_name_compare(rpz_qname, st->qname))))
 				continue;
-
+#if 0
+			/*
+			 * This code would block a customer reported information
+			 * leak of rpz rules by rewriting requests in the
+			 * rpz-ip, rpz-nsip, rpz-nsdname,and rpz-passthru TLDs.
+			 * Without this code, a bad guy could request
+			 * 24.0.3.2.10.rpz-ip. to find the policy rule for
+			 * 10.2.3.0/14.  It is an insignificant leak and this
+			 * code is not worth its cost, because the bad guy
+			 * could publish "evil.com A 10.2.3.4" and request
+			 * evil.com to get the same information.
+			 * Keep code with "#if 0" in case customer demand
+			 * is irresistible.
+			 *
+			 * We have the less frequent case of a triggered
+			 * policy.  Check that we have not trigger on one
+			 * of the pretend RPZ TLDs.
+			 * This test would make it impossible to rewrite
+			 * names in TLDs that start with "rpz-" should
+			 * ICANN ever allow such TLDs.
+			 */
+			labels = dns_name_countlabels(qname);
+			if (labels >= 2) {
+				dns_label_t label;
+
+				dns_name_getlabel(qname, labels-2, &label);
+				if (label.length >= sizeof(DNS_RPZ_PREFIX)-1 &&
+				    strncasecmp((const char *)label.base+1,
+						DNS_RPZ_PREFIX,
+						sizeof(DNS_RPZ_PREFIX)-1) == 0)
+					continue;
+			}
+#endif
 			/*
 			 * Merely log DNS_RPZ_POLICY_DISABLED hits.
 			 */
 			if (rpz->policy == DNS_RPZ_POLICY_DISABLED) {
-				rpz_log_rewrite(client, "disabled ",
-						policy, rpz_type, rpz_qname);
+				rpz_log_rewrite(client, ISC_TRUE, policy,
+						rpz_type, zone, rpz_qname);
 				continue;
 			}
 
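Review bot: In the `#if 0` block the length test `label.length >= sizeof(DNS_RPZ_PREFIX)-1` looks one short for the comparison that follows, which starts at `label.base+1` and reads `sizeof(DNS_RPZ_PREFIX)-1` bytes. If `label.length` includes the leading length octet, as the `+1` suggests, a label of exactly that length is compared one byte past its end; `label.length > sizeof(DNS_RPZ_PREFIX)-1` would match the read. Because the block is never compiled, nothing will catch this until someone enables it in response to the leak described in the comment. The comment itself has two typos worth fixing while here: `rpz-nsdname,and` and `have not trigger`. The enclosing function lies outside the hunk.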
@@ -4539,7 +4655,7 @@
 	rdataset = NULL;
 	if ((st->state & DNS_RPZ_DONE_QNAME) == 0) {
 		/*
-		 * Check rules for the query name if this it the first time
+		 * Check rules for the query name if this is the first time
 		 * for the current qname, i.e. we've not been recursing.
 		 * There is a first time for each name in a CNAME chain.
 		 */
@@ -4581,7 +4697,7 @@
 
 	dns_fixedname_init(&nsnamef);
 	dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef));
-	while (st->r.label > 1) {
+	while (st->r.label > client->view->rpz_min_ns_labels) {
 		/*
 		 * Get NS rrset for each domain in the current qname.
 		 */
@@ -4712,8 +4828,8 @@
 	    st->m.policy == DNS_RPZ_POLICY_ERROR) {
 		if (st->m.policy == DNS_RPZ_POLICY_PASSTHRU &&
 		    result != DNS_R_DELEGATION)
-			rpz_log_rewrite(client, "", st->m.policy, st->m.type,
-					st->qname);
+			rpz_log_rewrite(client, ISC_FALSE, st->m.policy,
+					st->m.type, st->m.zone, st->qname);
 		rpz_match_clear(st);
 	}
 	if (st->m.policy == DNS_RPZ_POLICY_ERROR) {
@@ -4728,7 +4844,7 @@
 }
 
 /*
- * See if response policy zone rewriting is allowed a lack of interest
+ * See if response policy zone rewriting is allowed by a lack of interest
  * by the client in DNSSEC or a lack of signatures.
  */
 static isc_boolean_t
@@ -4823,7 +4939,8 @@
 				 fname, dns_trust_authanswer, st->m.ttl);
 	if (result != ISC_R_SUCCESS)
 		return (result);
-	rpz_log_rewrite(client, "", st->m.policy, st->m.type, st->qname);
+	rpz_log_rewrite(client, ISC_FALSE, st->m.policy,
+			st->m.type, st->m.zone, st->qname);
 	ns_client_qnamereplace(client, fname);
 	/*
 	 * Turn off DNSSEC because the results of a
@@ -5884,9 +6001,10 @@
 			client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
 						DNS_MESSAGEFLAG_AD);
 			query_putrdataset(client, &sigrdataset);
+			rpz_st->q.is_zone = is_zone;
 			is_zone = ISC_TRUE;
-			rpz_log_rewrite(client, "", rpz_st->m.policy,
-					rpz_st->m.type, rpz_st->qname);
+			rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy,
+					rpz_st->m.type, zone, rpz_st->qname);
 		}
 	}
 
@@ -6262,6 +6380,15 @@
 			rdataset = NULL;
 			sigrdataset = NULL;
 			type = qtype = dns_rdatatype_a;
+			rpz_st = client->query.rpz_st;
+			if (rpz_st != NULL) {
+				/*
+				 * Arrange for RPZ rewriting of any A records.
+				 */
+				if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
+					is_zone = rpz_st->q.is_zone;
+				rpz_st_clear(client);
+			}
 			dns64 = ISC_TRUE;
 			goto db_find;
 		}
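Review bot: The comment `Arrange for RPZ rewriting of any A records.` does not say why `is_zone` is reassigned here. The value being restored is the one saved by `rpz_st->q.is_zone = is_zone;` in the `-5884` hunk, just before the rewrite forces `is_zone = ISC_TRUE`. I would add something like `/* Restore is_zone as it was before the RPZ rewrite forced it to ISC_TRUE. */` above the `DNS_RPZ_REWRITTEN` test. The same nine-line block is repeated verbatim in the `-6527` and `-7027` hunks, so the comment should go in all three; a later fix to one copy is easy to miss in the others. The enclosing function is not fully visible in any of these hunks.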
@@ -6290,7 +6417,10 @@
 				 * closest provable encloser.
 				 */
 				if (dns_rdataset_isassociated(rdataset) &&
-				    !dns_name_equal(qname, found)) {
+				    !dns_name_equal(qname, found) &&
+				    !(ns_g_nonearest &&
+				      qtype != dns_rdatatype_ds))
+				{
 					unsigned int count;
 					unsigned int skip;
 
@@ -6527,6 +6657,15 @@
 			sigrdataset = NULL;
 			fname = NULL;
 			type = qtype = dns_rdatatype_a;
+			rpz_st = client->query.rpz_st;
+			if (rpz_st != NULL) {
+				/*
+				 * Arrange for RPZ rewriting of any A records.
+				 */
+				if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
+					is_zone = rpz_st->q.is_zone;
+				rpz_st_clear(client);
+			}
 			dns64 = ISC_TRUE;
 			goto db_find;
 		}
@@ -7027,6 +7166,15 @@
 			rdataset = NULL;
 			sigrdataset = NULL;
 			type = qtype = dns_rdatatype_a;
+			rpz_st = client->query.rpz_st;
+			if (rpz_st != NULL) {
+				/*
+				 * Arrange for RPZ rewriting of any A records.
+				 */
+				if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
+					is_zone = rpz_st->q.is_zone;
+				rpz_st_clear(client);
+			}
 			dns64_exclude = dns64 = ISC_TRUE;
 			goto db_find;
 		}
@@ -7313,7 +7461,6 @@
 	dns_rdatatype_t qtype;
 	unsigned int saved_extflags = client->extflags;
 	unsigned int saved_flags = client->message->flags;
-	isc_boolean_t want_ad;
 
 	CTRACE("ns_query_start");
 
@@ -7409,6 +7556,7 @@
 	INSIST(rdataset != NULL);
 	qtype = rdataset->type;
 	dns_rdatatypestats_increment(ns_g_server->rcvquerystats, qtype);
+
 	if (dns_rdatatype_ismeta(qtype)) {
 		switch (qtype) {
 		case dns_rdatatype_any:
@@ -7475,13 +7623,11 @@
 		client->query.attributes &= ~NS_QUERYATTR_SECURE;
 
 	/*
-	 * Set 'want_ad' if the client has set AD in the query.
+	 * Set NS_CLIENTATTR_WANTDNSSEC if the client has set AD in the query.
 	 * This allows AD to be returned on queries without DO set.
 	 */
 	if ((message->flags & DNS_MESSAGEFLAG_AD) != 0)
-		want_ad = ISC_TRUE;
-	else
-		want_ad = ISC_FALSE;
+		client->attributes |= NS_CLIENTATTR_WANTAD;
 
 	/*
 	 * This is an ordinary query.
@@ -7506,7 +7652,7 @@
 	 * Set AD.  We must clear it if we add non-validated data to a
 	 * response.
 	 */
-	if (WANTDNSSEC(client) || want_ad)
+	if (WANTDNSSEC(client) || WANTAD(client))
 		message->flags |= DNS_MESSAGEFLAG_AD;
 
 	qclient = NULL;
--- a/external/bsd/bind/dist/bin/named/server.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/named/server.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: server.c,v 1.12 2012/12/04 23:38:38 spz Exp $	*/
+/*	$NetBSD: server.c,v 1.13 2013/07/27 19:23:10 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -117,6 +117,10 @@
 #define PATH_MAX 1024
 #endif
 
+#ifndef SIZE_MAX
+#define SIZE_MAX ((size_t)-1)
+#endif
+
 /*%
  * Check an operation for failure.  Assumes that the function
  * using it has a 'result' variable and a 'cleanup' label.
@@ -164,7 +168,7 @@
  * a cache.  Only effective when a finite max-cache-size is specified.
  * This is currently defined to be 8MB.
  */
-#define MAX_ADB_SIZE_FOR_CACHESHARE	8388608
+#define MAX_ADB_SIZE_FOR_CACHESHARE	8388608U
 
 struct ns_dispatch {
 	isc_sockaddr_t			addr;
@@ -254,6 +258,72 @@
 	"31.172.IN-ADDR.ARPA",
 	"168.192.IN-ADDR.ARPA",
 
+	/* RFC 6598 */
+	"64.100.IN-ADDR.ARPA",
+	"65.100.IN-ADDR.ARPA",
+	"66.100.IN-ADDR.ARPA",
+	"67.100.IN-ADDR.ARPA",
+	"68.100.IN-ADDR.ARPA",
+	"69.100.IN-ADDR.ARPA",
+	"70.100.IN-ADDR.ARPA",
+	"71.100.IN-ADDR.ARPA",
+	"72.100.IN-ADDR.ARPA",
+	"73.100.IN-ADDR.ARPA",
+	"74.100.IN-ADDR.ARPA",
+	"75.100.IN-ADDR.ARPA",
+	"76.100.IN-ADDR.ARPA",
+	"77.100.IN-ADDR.ARPA",
+	"78.100.IN-ADDR.ARPA",
+	"79.100.IN-ADDR.ARPA",
+	"80.100.IN-ADDR.ARPA",
+	"81.100.IN-ADDR.ARPA",
+	"82.100.IN-ADDR.ARPA",
+	"83.100.IN-ADDR.ARPA",
+	"84.100.IN-ADDR.ARPA",
+	"85.100.IN-ADDR.ARPA",
+	"86.100.IN-ADDR.ARPA",
+	"87.100.IN-ADDR.ARPA",
+	"88.100.IN-ADDR.ARPA",
+	"89.100.IN-ADDR.ARPA",
+	"90.100.IN-ADDR.ARPA",
+	"91.100.IN-ADDR.ARPA",
+	"92.100.IN-ADDR.ARPA",
+	"93.100.IN-ADDR.ARPA",
+	"94.100.IN-ADDR.ARPA",
+	"95.100.IN-ADDR.ARPA",
+	"96.100.IN-ADDR.ARPA",
+	"97.100.IN-ADDR.ARPA",
+	"98.100.IN-ADDR.ARPA",
+	"99.100.IN-ADDR.ARPA",
+	"100.100.IN-ADDR.ARPA",
+	"101.100.IN-ADDR.ARPA",
+	"102.100.IN-ADDR.ARPA",
+	"103.100.IN-ADDR.ARPA",
+	"104.100.IN-ADDR.ARPA",
+	"105.100.IN-ADDR.ARPA",
+	"106.100.IN-ADDR.ARPA",
+	"107.100.IN-ADDR.ARPA",
+	"108.100.IN-ADDR.ARPA",
+	"109.100.IN-ADDR.ARPA",
+	"110.100.IN-ADDR.ARPA",
+	"111.100.IN-ADDR.ARPA",
+	"112.100.IN-ADDR.ARPA",
+	"113.100.IN-ADDR.ARPA",
+	"114.100.IN-ADDR.ARPA",
+	"115.100.IN-ADDR.ARPA",
+	"116.100.IN-ADDR.ARPA",
+	"117.100.IN-ADDR.ARPA",
+	"118.100.IN-ADDR.ARPA",
+	"119.100.IN-ADDR.ARPA",
+	"120.100.IN-ADDR.ARPA",
+	"121.100.IN-ADDR.ARPA",
+	"122.100.IN-ADDR.ARPA",
+	"123.100.IN-ADDR.ARPA",
+	"124.100.IN-ADDR.ARPA",
+	"125.100.IN-ADDR.ARPA",
+	"126.100.IN-ADDR.ARPA",
+	"127.100.IN-ADDR.ARPA",
+
 	/* RFC 5735 and RFC 5737 */
 	"0.IN-ADDR.ARPA",	/* THIS NETWORK */
 	"127.IN-ADDR.ARPA",	/* LOOPBACK */
@@ -459,7 +529,7 @@
 	     element = cfg_list_next(element)) {
 		nameobj = cfg_listelt_value(element);
 		str = cfg_obj_asstring(nameobj);
-		isc_buffer_init(&b, str, strlen(str));
+		isc_buffer_constinit(&b, str, strlen(str));
 		isc_buffer_add(&b, strlen(str));
 		CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
 		/*
@@ -576,7 +646,7 @@
 				   keystruct.common.rdtype,
 				   &keystruct, &rrdatabuf));
 	dns_fixedname_init(&fkeyname);
-	isc_buffer_init(&namebuf, keynamestr, strlen(keynamestr));
+	isc_buffer_constinit(&namebuf, keynamestr, strlen(keynamestr));
 	isc_buffer_add(&namebuf, strlen(keynamestr));
 	CHECK(dns_name_fromtext(keyname, &namebuf, dns_rootname, 0, NULL));
 	CHECK(dst_key_fromdns(keyname, viewclass, &rrdatabuf,
@@ -810,7 +880,17 @@
 	 */
 	obj = NULL;
 	(void)ns_config_get(maps, "managed-keys-directory", &obj);
-	directory = obj != NULL ? cfg_obj_asstring(obj) : NULL;
+	directory = (obj != NULL ? cfg_obj_asstring(obj) : NULL);
+	if (directory != NULL)
+		result = isc_file_isdirectory(directory);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
+			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "invalid managed-keys-directory %s: %s",
+			      directory, isc_result_totext(result));
+		goto cleanup;
+
+	}
 	CHECK(add_keydata_zone(view, directory, ns_g_mctx));
 
   cleanup:
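Review bot: The `if (result != ISC_R_SUCCESS)` test runs even when `directory` is NULL, because only the `isc_file_isdirectory()` call is conditional. In that case it acts on whatever `result` held before the hunk and passes a NULL `directory` to the `%s` in the "invalid managed-keys-directory" message. This is only correct if `result` is guaranteed to be `ISC_R_SUCCESS` on entry, which the hunk does not show. Nesting the test removes that dependency: open a brace with `if (directory != NULL) {`, keep `result = isc_file_isdirectory(directory);` and move the existing `if (result != ISC_R_SUCCESS) { ... goto cleanup; }` inside it. The stray blank line before the closing brace can go at the same time.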
@@ -836,7 +916,7 @@
 	{
 		obj = cfg_listelt_value(element);
 		str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
-		isc_buffer_init(&b, str, strlen(str));
+		isc_buffer_constinit(&b, str, strlen(str));
 		isc_buffer_add(&b, strlen(str));
 		CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
 		value = cfg_obj_asboolean(cfg_tuple_get(obj, "value"));
@@ -989,7 +1069,7 @@
 	else
 		str = "*";
 	addroot = ISC_TF(strcmp(str, "*") == 0);
-	isc_buffer_init(&b, str, strlen(str));
+	isc_buffer_constinit(&b, str, strlen(str));
 	isc_buffer_add(&b, strlen(str));
 	dns_fixedname_init(&fixed);
 	result = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
@@ -1175,7 +1255,7 @@
 	dns_fixedname_init(&fixed);
 	name = dns_fixedname_name(&fixed);
 	str = cfg_obj_asstring(cfg_tuple_get(disabled, "name"));
-	isc_buffer_init(&b, str, strlen(str));
+	isc_buffer_constinit(&b, str, strlen(str));
 	isc_buffer_add(&b, strlen(str));
 	CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
 
@@ -1227,7 +1307,7 @@
 	{
 		value = cfg_listelt_value(element);
 		str = cfg_obj_asstring(value);
-		isc_buffer_init(&b, str, strlen(str));
+		isc_buffer_constinit(&b, str, strlen(str));
 		isc_buffer_add(&b, strlen(str));
 		result = dns_name_fromtext(name, &b, dns_rootname,
 					   0, NULL);
@@ -1270,12 +1350,14 @@
 }
 
 static isc_result_t
-setquerystats(dns_zone_t *zone, isc_mem_t *mctx, isc_boolean_t on) {
+setquerystats(dns_zone_t *zone, isc_mem_t *mctx, dns_zonestat_level_t level) {
 	isc_result_t result;
 	isc_stats_t *zoneqrystats;
 
+	dns_zone_setstatlevel(zone, level);
+
 	zoneqrystats = NULL;
-	if (on) {
+	if (level == dns_zonestat_full) {
 		result = isc_stats_create(mctx, &zoneqrystats,
 					  dns_nsstatscounter_max);
 		if (result != ISC_R_SUCCESS)
@@ -1323,7 +1405,7 @@
 cache_sharable(dns_view_t *originview, dns_view_t *view,
 	       isc_boolean_t new_zero_no_soattl,
 	       unsigned int new_cleaning_interval,
-	       isc_uint32_t new_max_cache_size)
+	       isc_uint64_t new_max_cache_size)
 {
 	/*
 	 * If the cache cannot even reused for the same view, it cannot be
@@ -1411,7 +1493,7 @@
 		dns64_dbtype[3] = contact;
 	dns_fixedname_init(&fixed);
 	name = dns_fixedname_name(&fixed);
-	isc_buffer_init(&b, reverse, strlen(reverse));
+	isc_buffer_constinit(&b, reverse, strlen(reverse));
 	isc_buffer_add(&b, strlen(reverse));
 	CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
 	CHECK(dns_zone_create(&zone, mctx));
@@ -1429,7 +1511,7 @@
 	dns_zone_setdialup(zone, dns_dialuptype_no);
 	dns_zone_setnotifytype(zone, dns_notifytype_no);
 	dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE);
-	CHECK(setquerystats(zone, mctx, ISC_FALSE));	/* XXXMPA */
+	CHECK(setquerystats(zone, mctx, dns_zonestat_none));	/* XXXMPA */
 	CHECK(dns_view_addzone(view, zone));
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
 		      ISC_LOG_INFO, "dns64 reverse zone%s%s: %s", sep,
@@ -1442,39 +1524,57 @@
 }
 
 static isc_result_t
+configure_rpz_name(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name,
+		   const char *str, const char *msg)
+{
+	isc_result_t result;
+
+	result = dns_name_fromstring(name, str, DNS_NAME_DOWNCASE, view->mctx);
+	if (result != ISC_R_SUCCESS)
+		cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+			    "invalid %s '%s'", msg, str);
+	return (result);
+}
+
+static isc_result_t
+configure_rpz_name2(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name,
+		    const char *str, const dns_name_t *origin)
+{
+	isc_result_t result;
+
+	result = dns_name_fromstring2(name, str, origin, DNS_NAME_DOWNCASE,
+				      view->mctx);
+	if (result != ISC_R_SUCCESS)
+		cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+			    "invalid zone '%s'", str);
+	return (result);
+}
+
+static isc_result_t
 configure_rpz(dns_view_t *view, const cfg_listelt_t *element,
 	      isc_boolean_t recursive_only_def, dns_ttl_t ttl_def)
 {
-	const cfg_obj_t *rpz_obj, *policy_obj, *obj;
+	const cfg_obj_t *rpz_obj, *obj;
 	const char *str;
 	dns_rpz_zone_t *old, *new;
-	dns_zone_t *zone = NULL;
 	isc_result_t result;
 
+	rpz_obj = cfg_listelt_value(element);
+
 	new = isc_mem_get(view->mctx, sizeof(*new));
 	if (new == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup;
+		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+			    "no memory for response policy zones");
+		return (ISC_R_NOMEMORY);
 	}
 
 	memset(new, 0, sizeof(*new));
 	dns_name_init(&new->origin, NULL);
 	dns_name_init(&new->nsdname, NULL);
+	dns_name_init(&new->passthru, NULL);
 	dns_name_init(&new->cname, NULL);
-	dns_name_init(&new->passthru, NULL);
 	ISC_LIST_INITANDAPPEND(view->rpz_zones, new, link);
 
-	rpz_obj = cfg_listelt_value(element);
-	policy_obj = cfg_tuple_get(rpz_obj, "policy");
-	if (cfg_obj_isvoid(policy_obj)) {
-		new->policy = DNS_RPZ_POLICY_GIVEN;
-	} else {
-		str = cfg_obj_asstring(cfg_tuple_get(policy_obj,
-						     "policy name"));
-		new->policy = dns_rpz_str2policy(str);
-		INSIST(new->policy != DNS_RPZ_POLICY_ERROR);
-	}
-
 	obj = cfg_tuple_get(rpz_obj, "recursive-only");
 	if (cfg_obj_isvoid(obj)) {
 		new->recursive_only = recursive_only_def;
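Review bot: `configure_rpz_name2()` logs `"invalid zone '%s'"` with `str`, but at the call added later in this commit `str` is `DNS_RPZ_NSDNAME_ZONE`, not the configured zone name. The removed code printed the zone name at that point, so the operator now sees the fixed label instead of the zone that failed. The `DNS_RPZ_PASSTHRU_ZONE` call through `configure_rpz_name()` has the same effect. Formatting the origin restores the information: `char namebuf[DNS_NAME_FORMATSIZE];`, `dns_name_format(origin, namebuf, sizeof(namebuf));`, then log `"invalid name '%s' under zone '%s'", str, namebuf`. `configure_rpz()` begins in this hunk and continues beyond it.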
@@ -1492,47 +1592,14 @@
 	}
 
 	str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "zone name"));
-	result = dns_name_fromstring(&new->origin, str, DNS_NAME_DOWNCASE,
-				     view->mctx);
-	if (result != ISC_R_SUCCESS) {
-		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
-			    "invalid zone '%s'", str);
-		goto cleanup;
-	}
-
-	result = dns_name_fromstring2(&new->nsdname, DNS_RPZ_NSDNAME_ZONE,
-				      &new->origin, DNS_NAME_DOWNCASE,
-				      view->mctx);
-	if (result != ISC_R_SUCCESS) {
-		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
-			    "invalid zone '%s'", str);
-		goto cleanup;
-	}
-
-	result = dns_name_fromstring(&new->passthru, DNS_RPZ_PASSTHRU_ZONE,
-				     DNS_NAME_DOWNCASE, view->mctx);
-	if (result != ISC_R_SUCCESS) {
+	result = configure_rpz_name(view, rpz_obj, &new->origin, str, "zone");
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	if (dns_name_equal(&new->origin, dns_rootname)) {
 		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
-			    "invalid zone '%s'", str);
-		goto cleanup;
-	}
-
-	result = dns_view_findzone(view, &new->origin, &zone);
-	if (result != ISC_R_SUCCESS) {
-		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
-			    "unknown zone '%s'", str);
-		goto cleanup;
-	}
-	if (dns_zone_gettype(zone) != dns_zone_master &&
-	    dns_zone_gettype(zone) != dns_zone_slave) {
-		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
-			     "zone '%s' is neither master nor slave", str);
-		dns_zone_detach(&zone);
-		result = DNS_R_NOTMASTER;
-		goto cleanup;
-	}
-	dns_zone_detach(&zone);
-
+			    "invalid zone name '%s'", str);
+		return (DNS_R_EMPTYLABEL);
+	}
 	for (old = ISC_LIST_HEAD(view->rpz_zones);
 	     old != new;
 	     old = ISC_LIST_NEXT(old, link)) {
@@ -1541,26 +1608,37 @@
 			cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
 				    "duplicate '%s'", str);
 			result = DNS_R_DUPLICATE;
-			goto cleanup;
+			return (result);
 		}
 	}
 
-	if (new->policy == DNS_RPZ_POLICY_CNAME) {
-		str = cfg_obj_asstring(cfg_tuple_get(policy_obj, "cname"));
-		result = dns_name_fromstring(&new->cname, str,
-					     DNS_NAME_DOWNCASE, view->mctx);
-		if (result != ISC_R_SUCCESS) {
-			cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
-				    "invalid cname '%s'", str);
-			goto cleanup;
+	result = configure_rpz_name2(view, rpz_obj, &new->nsdname,
+				     DNS_RPZ_NSDNAME_ZONE, &new->origin);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = configure_rpz_name(view, rpz_obj, &new->passthru,
+				    DNS_RPZ_PASSTHRU_ZONE, "zone");
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	obj = cfg_tuple_get(rpz_obj, "policy");
+	if (cfg_obj_isvoid(obj)) {
+		new->policy = DNS_RPZ_POLICY_GIVEN;
+	} else {
+		str = cfg_obj_asstring(cfg_tuple_get(obj, "policy name"));
+		new->policy = dns_rpz_str2policy(str);
+		INSIST(new->policy != DNS_RPZ_POLICY_ERROR);
+		if (new->policy == DNS_RPZ_POLICY_CNAME) {
+			str = cfg_obj_asstring(cfg_tuple_get(obj, "cname"));
+			result = configure_rpz_name(view, rpz_obj, &new->cname,
+						    str, "cname");
+			if (result != ISC_R_SUCCESS)
+				return (result);
 		}
 	}
 
 	return (ISC_R_SUCCESS);
-
- cleanup:
-	dns_rpz_view_destroy(view);
-	return (result);
 }
 
 /*
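Review bot: With the `cleanup:` label and its `dns_rpz_view_destroy(view)` removed, every early `return (result)` in `configure_rpz()` leaves the partly initialised `new` entry on `view->rpz_zones`. The earlier hunk appends it with `ISC_LIST_INITANDAPPEND` before any name is parsed. Teardown now depends entirely on the caller; the `configure_view` hunk does `goto cleanup` on failure, but the body of that label is not visible, so I cannot confirm the list is destroyed there. The function should at least say so in a header comment, for example `/* On failure the new entry stays on view->rpz_zones; the caller must tear down the view's RPZ list. */`.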
@@ -1594,10 +1672,10 @@
 	in_port_t port;
 	dns_cache_t *cache = NULL;
 	isc_result_t result;
-	isc_uint32_t max_adb_size;
 	unsigned int cleaning_interval;
-	isc_uint32_t max_cache_size;
-	isc_uint32_t max_acache_size;
+	size_t max_cache_size;
+	size_t max_acache_size;
+	size_t max_adb_size;
 	isc_uint32_t lame_ttl;
 	dns_tsig_keyring_t *ring = NULL;
 	dns_view_t *pview = NULL;	/* Production view */
@@ -1627,8 +1705,9 @@
 	ns_cache_t *nsc;
 	isc_boolean_t zero_no_soattl;
 	dns_acl_t *clients = NULL, *mapped = NULL, *excluded = NULL;
-	unsigned int query_timeout;
+	unsigned int query_timeout, ndisp;
 	struct cfg_context *nzctx;
+	dns_rpz_zone_t *rpz;
 
 	REQUIRE(DNS_VIEW_VALID(view));
 
@@ -1702,18 +1781,18 @@
 			max_acache_size = ISC_UINT32_MAX;
 		} else {
 			isc_resourcevalue_t value;
-
 			value = cfg_obj_asuint64(obj);
-			if (value > ISC_UINT32_MAX) {
-				cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
+			if (value > SIZE_MAX) {
+				cfg_obj_log(obj, ns_g_lctx,
+					    ISC_LOG_WARNING,
 					    "'max-acache-size "
-					    "%" ISC_PRINT_QUADFORMAT
-					    "d' is too large",
-					    value);
-				result = ISC_R_RANGE;
-				goto cleanup;
+					    "%" ISC_PRINT_QUADFORMAT "u' "
+					    "is too large for this "
+					    "system; reducing to %lu",
+					    value, (unsigned long)SIZE_MAX);
+				value = SIZE_MAX;
 			}
-			max_acache_size = (isc_uint32_t)value;
+			max_acache_size = (size_t) value;
 		}
 		dns_acache_setcachesize(view->acache, max_acache_size);
 	}
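Review bot: The first branch still sets `max_acache_size = ISC_UINT32_MAX;`, although the variable is now `size_t` and the explicit-value branch clamps to `SIZE_MAX`. On a 64-bit build, whatever setting selects that branch (its condition is outside the hunk) now yields a smaller limit than a large explicit number. `max_acache_size = SIZE_MAX;` would keep the two branches consistent, unless `dns_acache_setcachesize()` treats `ISC_UINT32_MAX` as a sentinel, which is not visible here. Also note the behaviour change for operators: an oversized value used to fail with `ISC_R_RANGE` and is now reduced with a warning.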
@@ -1727,6 +1806,53 @@
 	}
 
 	/*
+	 * Make the list of response policy zone names for a view that
+	 * is used for real lookups and so cares about hints.
+	 */
+	obj = NULL;
+	if (view->rdclass == dns_rdataclass_in && need_hints &&
+	    ns_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) {
+		const cfg_obj_t *rpz_obj;
+		isc_boolean_t recursive_only_def;
+		dns_ttl_t ttl_def;
+
+		rpz_obj = cfg_tuple_get(obj, "recursive-only");
+		if (!cfg_obj_isvoid(rpz_obj) &&
+		    !cfg_obj_asboolean(rpz_obj))
+			recursive_only_def = ISC_FALSE;
+		else
+			recursive_only_def = ISC_TRUE;
+
+		rpz_obj = cfg_tuple_get(obj, "break-dnssec");
+		if (!cfg_obj_isvoid(rpz_obj) &&
+		    cfg_obj_asboolean(rpz_obj))
+			view->rpz_break_dnssec = ISC_TRUE;
+		else
+			view->rpz_break_dnssec = ISC_FALSE;
+
+		rpz_obj = cfg_tuple_get(obj, "max-policy-ttl");
+		if (cfg_obj_isuint32(rpz_obj))
+			ttl_def = cfg_obj_asuint32(rpz_obj);
+		else
+			ttl_def = DNS_RPZ_MAX_TTL_DEFAULT;
+
+		rpz_obj = cfg_tuple_get(obj, "min-ns-dots");
+		if (cfg_obj_isuint32(rpz_obj))
+			view->rpz_min_ns_labels = cfg_obj_asuint32(rpz_obj) + 1;
+		else
+			view->rpz_min_ns_labels = 2;
+
+		element = cfg_list_first(cfg_tuple_get(obj, "zone list"));
+		while (element != NULL) {
+			result = configure_rpz(view, element,
+					       recursive_only_def, ttl_def);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+			element = cfg_list_next(element);
+		}
+	}
+
+	/*
 	 * Configure the zones.
 	 */
 	zonelist = NULL;
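Review bot: `view->rpz_min_ns_labels = cfg_obj_asuint32(rpz_obj) + 1;` can wrap to 0 when `min-ns-dots` is the maximum 32-bit value, assuming the field is a 32-bit unsigned (its declaration is not in view). That value is the bound of the `while (st->r.label > client->view->rpz_min_ns_labels)` loop in the query.c hunk, which was previously fixed at 1, so a wrapped 0 makes the NS walk go one label further than it ever did before. Unless the configuration grammar already bounds the option, I would cap it before adding one: `isc_uint32_t dots = cfg_obj_asuint32(rpz_obj);` then `view->rpz_min_ns_labels = ISC_MIN(dots, DNS_NAME_MAXLABELS) + 1;`. A one-line comment saying that labels = dots + 1 would also help the next reader.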
@@ -1747,6 +1873,22 @@
 				     actx, ISC_FALSE));
 	}
 
+	for (rpz = ISC_LIST_HEAD(view->rpz_zones);
+	     rpz != NULL;
+	     rpz = ISC_LIST_NEXT(rpz, link))
+	{
+		if (!rpz->defined) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+
+			dns_name_format(&rpz->origin, namebuf, sizeof(namebuf));
+			cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+				    "'%s' is not a master or slave zone",
+				    namebuf);
+			result = ISC_R_NOTFOUND;
+			goto cleanup;
+		}
+	}
+
 	/*
 	 * If we're allowing added zones, then load zone configuration
 	 * from the newzone file for zones that were added during previous
@@ -1837,15 +1979,17 @@
 	} else {
 		isc_resourcevalue_t value;
 		value = cfg_obj_asuint64(obj);
-		if (value > ISC_UINT32_MAX) {
-			cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
+		if (value > SIZE_MAX) {
+			cfg_obj_log(obj, ns_g_lctx,
+				    ISC_LOG_WARNING,
 				    "'max-cache-size "
-				    "%" ISC_PRINT_QUADFORMAT "d' is too large",
-				    value);
-			result = ISC_R_RANGE;
-			goto cleanup;
+				    "%" ISC_PRINT_QUADFORMAT "u' "
+				    "is too large for this "
+				    "system; reducing to %lu",
+				    value, (unsigned long)SIZE_MAX);
+			value = SIZE_MAX;
 		}
-		max_cache_size = (isc_uint32_t)value;
+		max_cache_size = (size_t) value;
 	}
 
 	/* Check-names. */
@@ -2154,7 +2298,9 @@
 		result = ISC_R_UNEXPECTED;
 		goto cleanup;
 	}
-	CHECK(dns_view_createresolver(view, ns_g_taskmgr, 31,
+
+	ndisp = 4 * ISC_MIN(ns_g_udpdisp, MAX_UDP_DISPATCH);
+	CHECK(dns_view_createresolver(view, ns_g_taskmgr, 31, ndisp,
 				      ns_g_socketmgr, ns_g_timermgr,
 				      resopts, ns_g_dispatchmgr,
 				      dispatch4, dispatch6));
@@ -2173,9 +2319,9 @@
 	 * MAX_ADB_SIZE_FOR_CACHESHARE when the cache is shared.
 	 */
 	max_adb_size = 0;
-	if (max_cache_size != 0) {
+	if (max_cache_size != 0U) {
 		max_adb_size = max_cache_size / 8;
-		if (max_adb_size == 0)
+		if (max_adb_size == 0U)
 			max_adb_size = 1;	/* Force minimum. */
 		if (view != nsc->primaryview &&
 		    max_adb_size > MAX_ADB_SIZE_FOR_CACHESHARE) {
@@ -2658,7 +2804,7 @@
 			obj = cfg_listelt_value(element);
 			str = cfg_obj_asstring(cfg_tuple_get(obj,
 							     "trust-anchor"));
-			isc_buffer_init(&b, str, strlen(str));
+			isc_buffer_constinit(&b, str, strlen(str));
 			isc_buffer_add(&b, strlen(str));
 			dlv = dns_fixedname_name(&view->dlv_fixed);
 			CHECK(dns_name_fromtext(dlv, &b, dns_rootname,
@@ -2711,7 +2857,7 @@
 			     element = cfg_list_next(element)) {
 				exclude = cfg_listelt_value(element);
 				str = cfg_obj_asstring(exclude);
-				isc_buffer_init(&b, str, strlen(str));
+				isc_buffer_constinit(&b, str, strlen(str));
 				isc_buffer_add(&b, strlen(str));
 				CHECK(dns_name_fromtext(name, &b, dns_rootname,
 							0, NULL));
@@ -2752,7 +2898,7 @@
 		const char *empty_dbtype[4] =
 				    { "_builtin", "empty", NULL, NULL };
 		int empty_dbtypec = 4;
-		isc_boolean_t zonestats_on;
+		dns_zonestat_level_t statlevel;
 
 		dns_fixedname_init(&fixed);
 		name = dns_fixedname_name(&fixed);
@@ -2761,7 +2907,7 @@
 		result = ns_config_get(maps, "empty-server", &obj);
 		if (result == ISC_R_SUCCESS) {
 			str = cfg_obj_asstring(obj);
-			isc_buffer_init(&buffer, str, strlen(str));
+			isc_buffer_constinit(&buffer, str, strlen(str));
 			isc_buffer_add(&buffer, strlen(str));
 			CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
 						NULL));
@@ -2776,7 +2922,7 @@
 		result = ns_config_get(maps, "empty-contact", &obj);
 		if (result == ISC_R_SUCCESS) {
 			str = cfg_obj_asstring(obj);
-			isc_buffer_init(&buffer, str, strlen(str));
+			isc_buffer_constinit(&buffer, str, strlen(str));
 			isc_buffer_add(&buffer, strlen(str));
 			CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
 						NULL));
@@ -2790,7 +2936,22 @@
 		obj = NULL;
 		result = ns_config_get(maps, "zone-statistics", &obj);
 		INSIST(result == ISC_R_SUCCESS);
-		zonestats_on = cfg_obj_asboolean(obj);
+		if (cfg_obj_isboolean(obj)) {
+			if (cfg_obj_asboolean(obj))
+				statlevel = dns_zonestat_full;
+			else
+				statlevel = dns_zonestat_terse; /* XXX */
+		} else {
+			const char *levelstr = cfg_obj_asstring(obj);
+			if (strcasecmp(levelstr, "full") == 0)
+				statlevel = dns_zonestat_full;
+			else if (strcasecmp(levelstr, "terse") == 0)
+				statlevel = dns_zonestat_terse;
+			else if (strcasecmp(levelstr, "none") == 0)
+				statlevel = dns_zonestat_none;
+			else
+				INSIST(0);
+		}
 
 		for (empty = empty_zones[empty_zone];
 		     empty != NULL;
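Review bot: A boolean `zone-statistics no` maps to `dns_zonestat_terse` rather than `dns_zonestat_none`, and the only explanation is `/* XXX */`. Since the string form accepts `"none"` separately, the asymmetry looks deliberate but is undocumented. I would replace the marker with the reason, or at least with `/* XXX: boolean 'no' maps to terse, not none; confirm this is intended */`. The final `else INSIST(0);` leaves `statlevel` unassigned on that path and turns an unexpected configuration string into an abort. That is fine only if the parser already restricts the value to the three keywords, which the hunk does not show.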
@@ -2799,7 +2960,7 @@
 			dns_forwarders_t *forwarders = NULL;
 			dns_view_t *pview = NULL;
 
-			isc_buffer_init(&buffer, empty, strlen(empty));
+			isc_buffer_constinit(&buffer, empty, strlen(empty));
 			isc_buffer_add(&buffer, strlen(empty));
 			/*
 			 * Look for zone on drop list.
@@ -2815,7 +2976,6 @@
 			 */
 			(void)dns_view_findzone(view, name, &zone);
 			if (zone != NULL) {
-				CHECK(setquerystats(zone, mctx, zonestats_on));
 				dns_zone_detach(&zone);
 				continue;
 			}
@@ -2850,13 +3010,14 @@
 					dns_zone_setview(zone, view);
 					CHECK(dns_view_addzone(view, zone));
 					CHECK(setquerystats(zone, mctx,
-							    zonestats_on));
+							    statlevel));
 					dns_zone_detach(&zone);
 					continue;
 				}
 			}
 
-			CHECK(dns_zone_create(&zone, mctx));
+			CHECK(dns_zonemgr_createzone(ns_g_server->zonemgr,
+						     &zone));
 			CHECK(dns_zone_setorigin(zone, name));
 			dns_zone_setview(zone, view);
 			CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr,
@@ -2874,7 +3035,7 @@
 			dns_zone_setnotifytype(zone, dns_notifytype_no);
 			dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS,
 					   ISC_TRUE);
-			CHECK(setquerystats(zone, mctx, zonestats_on));
+			CHECK(setquerystats(zone, mctx, statlevel));
 			CHECK(dns_view_addzone(view, zone));
 			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
@@ -2884,49 +3045,6 @@
 		}
 	}
 
-	/*
-	 * Make the list of response policy zone names for views that
-	 * are used for real lookups and so care about hints.
-	 */
-		obj = NULL;
-	if (view->rdclass == dns_rdataclass_in && need_hints &&
-	    ns_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) {
-		const cfg_obj_t *recursive_only_obj;
-		const cfg_obj_t *break_dnssec_obj, *ttl_obj;
-		isc_boolean_t recursive_only_def;
-		dns_ttl_t ttl_def;
-
-		recursive_only_obj = cfg_tuple_get(obj, "recursive-only");
-		if (!cfg_obj_isvoid(recursive_only_obj) &&
-		    !cfg_obj_asboolean(recursive_only_obj))
-			recursive_only_def = ISC_FALSE;
-		else
-			recursive_only_def = ISC_TRUE;
-
-		break_dnssec_obj = cfg_tuple_get(obj, "break-dnssec");
-		if (!cfg_obj_isvoid(break_dnssec_obj) &&
-		    cfg_obj_asboolean(break_dnssec_obj))
-			view->rpz_break_dnssec = ISC_TRUE;
-		else
-			view->rpz_break_dnssec = ISC_FALSE;
-
-		ttl_obj = cfg_tuple_get(obj, "max-policy-ttl");
-		if (cfg_obj_isuint32(ttl_obj))
-			ttl_def = cfg_obj_asuint32(ttl_obj);
-		else
-			ttl_def = DNS_RPZ_MAX_TTL_DEFAULT;
-
-		for (element = cfg_list_first(cfg_tuple_get(obj, "zone list"));
-		     element != NULL;
-		     element = cfg_list_next(element)) {
-			result = configure_rpz(view, element,
-					       recursive_only_def, ttl_def);
-			if (result != ISC_R_SUCCESS)
-				goto cleanup;
-			dns_rpz_set_need(ISC_TRUE);
-		}
-	}
-
 	result = ISC_R_SUCCESS;
 
  cleanup:
@@ -3026,7 +3144,7 @@
 			isc_buffer_t buffer;
 			in_port_t myport = port;
 
-			isc_buffer_init(&buffer, str, strlen(str));
+			isc_buffer_constinit(&buffer, str, strlen(str));
 			isc_buffer_add(&buffer, strlen(str));
 			dns_fixedname_init(&fixed);
 			name = dns_fixedname_name(&fixed);
@@ -3280,6 +3398,8 @@
 	const char *zname;
 	dns_rdataclass_t zclass;
 	const char *ztypestr;
+	isc_boolean_t is_rpz;
+	dns_rpz_zone_t *rpz;
 
 	options = NULL;
 	(void)cfg_map_get(config, "options", &options);
@@ -3290,7 +3410,7 @@
 	 * Get the zone origin as a dns_name_t.
 	 */
 	zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
-	isc_buffer_init(&buffer, zname, strlen(zname));
+	isc_buffer_constinit(&buffer, zname, strlen(zname));
 	isc_buffer_add(&buffer, strlen(zname));
 	dns_fixedname_init(&fixorigin);
 	CHECK(dns_name_fromtext(dns_fixedname_name(&fixorigin),
@@ -3410,7 +3530,8 @@
 			dns_zone_attach(pview->redirect, &zone);
 			dns_zone_setview(zone, view);
 		} else {
-			CHECK(dns_zone_create(&zone, mctx));
+			CHECK(dns_zonemgr_createzone(ns_g_server->zonemgr,
+						     &zone));
 			CHECK(dns_zone_setorigin(zone, origin));
 			dns_zone_setview(zone, view);
 			CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr,
@@ -3440,6 +3561,21 @@
 	INSIST(dupzone == NULL);
 
 	/*
+	 * Note whether this is a response policy zone.
+	 */
+	is_rpz = ISC_FALSE;
+	for (rpz = ISC_LIST_HEAD(view->rpz_zones);
+	     rpz != NULL;
+	     rpz = ISC_LIST_NEXT(rpz, link))
+	{
+		if (dns_name_equal(&rpz->origin, origin)) {
+			is_rpz = ISC_TRUE;
+			rpz->defined = ISC_TRUE;
+			break;
+		}
+	}
+
+	/*
 	 * See if we can reuse an existing zone.  This is
 	 * only possible if all of these are true:
 	 *   - The zone's view exists
@@ -3447,6 +3583,7 @@
 	 *   - The zone is compatible with the config
 	 *     options (e.g., an existing master zone cannot
 	 *     be reused if the options specify a slave zone)
+	 *   - The zone was and is or was not and is not a policy zone
 	 */
 	result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
 				   view->rdclass, &pview);
@@ -3460,6 +3597,9 @@
 	if (zone != NULL && !ns_zone_reusable(zone, zconfig))
 		dns_zone_detach(&zone);
 
+	if (zone != NULL && is_rpz != dns_zone_get_rpz(zone))
+		dns_zone_detach(&zone);
+
 	if (zone != NULL) {
 		/*
 		 * We found a reusable zone.  Make it use the
@@ -3473,7 +3613,7 @@
 		 * We cannot reuse an existing zone, we have
 		 * to create a new one.
 		 */
-		CHECK(dns_zone_create(&zone, mctx));
+		CHECK(dns_zonemgr_createzone(ns_g_server->zonemgr, &zone));
 		CHECK(dns_zone_setorigin(zone, origin));
 		dns_zone_setview(zone, view);
 		if (view->acache != NULL)
@@ -3482,6 +3622,19 @@
 		dns_zone_setstats(zone, ns_g_server->zonestats);
 	}
 
+	if (is_rpz) {
+		result = dns_zone_rpz_enable(zone);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "zone '%s': incompatible"
+				      " masterfile-format or database"
+				      " for a response policy zone",
+				      zname);
+			goto cleanup;
+		}
+	}
+
 	/*
 	 * If the zone contains a 'forwarders' statement, configure
 	 * selective forwarding.
@@ -3591,7 +3744,7 @@
 	}
 
 	/* No existing keydata zone was found; create one */
-	CHECK(dns_zone_create(&zone, mctx));
+	CHECK(dns_zonemgr_createzone(ns_g_server->zonemgr, &zone));
 	CHECK(dns_zone_setorigin(zone, dns_rootname));
 
 	isc_sha256_data((void *)view->name, strlen(view->name), buffer);
@@ -3625,7 +3778,7 @@
 	dns_zone_setjournalsize(zone, 0);
 
 	dns_zone_setstats(zone, ns_g_server->zonestats);
-	CHECK(setquerystats(zone, mctx, ISC_FALSE));
+	CHECK(setquerystats(zone, mctx, dns_zonestat_none));
 
 	if (view->managed_keys != NULL)
 		dns_zone_detach(&view->managed_keys);
@@ -4180,7 +4333,7 @@
 	INSIST(result == ISC_R_SUCCESS);
 	keynamestr = cfg_obj_asstring(obj);
 	dns_fixedname_init(&fname);
-	isc_buffer_init(&buffer, keynamestr, strlen(keynamestr));
+	isc_buffer_constinit(&buffer, keynamestr, strlen(keynamestr));
 	isc_buffer_add(&buffer, strlen(keynamestr));
 	keyname = dns_fixedname_name(&fname);
 	result = dns_name_fromtext(keyname, &buffer, dns_rootname, 0, NULL);
@@ -5327,12 +5480,16 @@
 	{
 		if (view->managed_keys != NULL) {
 			result = dns_zone_load(view->managed_keys);
-			if (result != ISC_R_SUCCESS && result != DNS_R_UPTODATE)
+			if (result != ISC_R_SUCCESS &&
+			    result != DNS_R_UPTODATE &&
+			    result != DNS_R_CONTINUE)
 				goto cleanup;
 		}
 		if (view->redirect != NULL) {
 			result = dns_zone_load(view->redirect);
-			if (result != ISC_R_SUCCESS && result != DNS_R_UPTODATE)
+			if (result != ISC_R_SUCCESS &&
+			    result != DNS_R_UPTODATE &&
+			    result != DNS_R_CONTINUE)
 				goto cleanup;
 		}
 
@@ -5977,6 +6134,7 @@
 	dns_rdataclass_t rdclass;
 
 	REQUIRE(zonep != NULL && *zonep == NULL);
+	REQUIRE(zonename == NULL || *zonename == NULL);
 
 	input = args;
 
@@ -5992,7 +6150,7 @@
 		zonetxt = next_token(&input, " \t");
 	if (zonetxt == NULL)
 		return (ISC_R_SUCCESS);
-	if (zonename)
+	if (zonename != NULL)
 		*zonename = zonetxt;
 
 	/* Look for the optional class name. */
@@ -6002,7 +6160,7 @@
 		viewtxt = next_token(&input, " \t");
 	}
 
-	isc_buffer_init(&buf, zonetxt, strlen(zonetxt));
+	isc_buffer_constinit(&buf, zonetxt, strlen(zonetxt));
 	isc_buffer_add(&buf, strlen(zonetxt));
 	dns_fixedname_init(&name);
 	result = dns_name_fromtext(dns_fixedname_name(&name),
@@ -6939,7 +7097,7 @@
 	if (target == NULL)
 		return (ISC_R_UNEXPECTEDEND);
 
-	isc_buffer_init(&b, target, strlen(target));
+	isc_buffer_constinit(&b, target, strlen(target));
 	isc_buffer_add(&b, strlen(target));
 	dns_fixedname_init(&fixed);
 	name = dns_fixedname_name(&fixed);
@@ -7612,7 +7770,7 @@
 	CHECK(cfg_map_get(config, "addzone", &parms));
 
 	zonename = cfg_obj_asstring(cfg_tuple_get(parms, "name"));
-	isc_buffer_init(&buf, zonename, strlen(zonename));
+	isc_buffer_constinit(&buf, zonename, strlen(zonename));
 	isc_buffer_add(&buf, strlen(zonename));
 	dns_name_init(&dnsname, NULL);
 	isc_buffer_allocate(server->mctx, &nbuf, 256);
@@ -7676,7 +7834,8 @@
 	CHECK(isc_stdio_open(view->new_zone_file, "a", &fp));
 
 	/* Mark view unfrozen so that zone can be added */
-	isc_task_beginexclusive(server->task);
+	result = isc_task_beginexclusive(server->task);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 	dns_view_thaw(view);
 	result = configure_zone(cfg->config, parms, vconfig,
 				server->mctx, view, cfg->actx, ISC_FALSE);
@@ -7785,8 +7944,7 @@
 
 	/* Parse parameters */
 	CHECK(zone_from_args(server, args, NULL, &zone, &zonename, ISC_TRUE));
-	if (result != ISC_R_SUCCESS)
-		return (result);
+
 	if (zone == NULL) {
 		result = ISC_R_UNEXPECTEDEND;
 		goto cleanup;
@@ -7801,8 +7959,8 @@
 		goto cleanup;
 	}
 
-	if (zonename != NULL)
-		znamelen = strlen(zonename);
+	INSIST(zonename != NULL);
+	znamelen = strlen(zonename);
 
 	/* Dig out configuration for this zone */
 	view = dns_zone_getview(zone);
@@ -7967,7 +8125,7 @@
 	isc_boolean_t list = ISC_FALSE, clear = ISC_FALSE;
 	isc_boolean_t chain = ISC_FALSE;
 	char keystr[DNS_SECALG_FORMATSIZE + 7];
-	isc_uint8_t hash = 0, flags = 0, iter = 0, saltlen = 0;
+	unsigned short hash = 0, flags = 0, iter = 0, saltlen = 0;
 	unsigned char salt[255];
 	const char *ptr;
 	size_t n;
@@ -8014,11 +8172,13 @@
 				     hashstr, flagstr, iterstr);
 			if (n == sizeof(nbuf))
 				return (ISC_R_NOSPACE);
-			n = sscanf(nbuf, "%hhd %hhd %hhd",
-				   &hash, &flags, &iter);
-			if (n != 3)
+			n = sscanf(nbuf, "%hu %hu %hu", &hash, &flags, &iter);
+			if (n != 3U)
 				return (ISC_R_BADNUMBER);
 
+			if (hash > 0xffU || flags > 0xffU)
+				return (ISC_R_RANGE);
+
 			ptr = next_token(&args, " \t");
 			if (ptr == NULL)
 				return (ISC_R_UNEXPECTEDEND);
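Review bot: The added range check `if (hash > 0xffU || flags > 0xffU)` runs after `%hu` has already narrowed each value to an unsigned short, so it cannot see input that exceeded 16 bits. C leaves an out-of-range scanf conversion undefined, and in practice a value such as 65537 would typically be stored as 1 and accepted; `iter` has no bound of its own for the same reason. Converting each token with strtoul() and comparing the unsigned long against 0xff (hash, flags) and 0xffff (iter) before narrowing makes the check effective. The sketch assumes hashstr, flagstr and iterstr are the NUL-terminated tokens passed to the formatting call above. The enclosing function starts and ends outside this hunk, so the two declarations belong with its other locals.

```c
/* … unchanged: formatting into nbuf and the ISC_R_NOSPACE check … */
unsigned long hashval, flagsval, iterval;
char *end;

hashval = strtoul(hashstr, &end, 10);
if (end == hashstr || *end != '\0' || hashval > 0xffUL)
	return (ISC_R_RANGE);
flagsval = strtoul(flagstr, &end, 10);
if (end == flagstr || *end != '\0' || flagsval > 0xffUL)
	return (ISC_R_RANGE);
iterval = strtoul(iterstr, &end, 10);
if (end == iterstr || *end != '\0' || iterval > 0xffffUL)
	return (ISC_R_RANGE);

hash = (unsigned short)hashval;
flags = (unsigned short)flagsval;
iter = (unsigned short)iterval;
/* … unchanged: next_token() call that fetches the salt … */
```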
@@ -8042,8 +8202,10 @@
 		isc_buffer_putstr(text, "request queued");
 		isc_buffer_putuint8(text, 0);
 	} else if (chain) {
-		CHECK(dns_zone_setnsec3param(zone, hash, flags, iter,
-						saltlen, salt, ISC_TRUE));
+		CHECK(dns_zone_setnsec3param(zone, (isc_uint8_t)hash,
+					     (isc_uint8_t)flags, iter,
+					     (isc_uint8_t)saltlen, salt,
+					     ISC_TRUE));
 		isc_buffer_putstr(text, "request queued");
 		isc_buffer_putuint8(text, 0);
 	} else if (list) {
--- a/external/bsd/bind/dist/bin/named/statschannel.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/named/statschannel.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: statschannel.c,v 1.5 2012/12/04 23:38:38 spz Exp $	*/
+/*	$NetBSD: statschannel.c,v 1.6 2013/07/27 19:23:10 christos Exp $	*/
 
 /*
- * Copyright (C) 2008-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2008-2013  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -45,7 +45,11 @@
 #include <named/server.h>
 #include <named/statschannel.h>
 
-#include "bind9.xsl.h"
+#ifdef NEWSTATS
+	#include "bind9.ver3.xsl.h"
+#else /* OLDSTATS */
+	#include "bind9.xsl.h"
+#endif /* NEWSTATS */
 
 struct ns_statschannel {
 	/* Unlocked */
@@ -189,7 +193,7 @@
 	SET_NSSTATDESC(servfail, "queries resulted in SERVFAIL", "QrySERVFAIL");
 	SET_NSSTATDESC(formerr, "queries resulted in FORMERR", "QryFORMERR");
 	SET_NSSTATDESC(nxdomain, "queries resulted in NXDOMAIN", "QryNXDOMAIN");
-	SET_NSSTATDESC(recursion, "queries caused recursion","QryRecursion");
+	SET_NSSTATDESC(recursion, "queries caused recursion", "QryRecursion");
 	SET_NSSTATDESC(duplicate, "duplicate queries received", "QryDuplicate");
 	SET_NSSTATDESC(dropped, "queries dropped", "QryDropped");
 	SET_NSSTATDESC(failure, "other query failures", "QryFailure");
@@ -204,6 +208,8 @@
 	SET_NSSTATDESC(updatebadprereq,
 		       "updates rejected due to prerequisite failure",
 		       "UpdateBadPrereq");
+	SET_NSSTATDESC(rpz_rewrites, "response policy zone rewrites",
+		       "RPZRewrites");
 	INSIST(i == dns_nsstatscounter_max);
 
 	/* Initialize resolver statistics */
@@ -304,7 +310,8 @@
 	SET_ZONESTATDESC(axfrreqv6, "IPv6 AXFR requested", "AXFRReqv6");
 	SET_ZONESTATDESC(ixfrreqv4, "IPv4 IXFR requested", "IXFRReqv4");
 	SET_ZONESTATDESC(ixfrreqv6, "IPv6 IXFR requested", "IXFRReqv6");
-	SET_ZONESTATDESC(xfrsuccess, "transfer requests succeeded","XfrSuccess");
+	SET_ZONESTATDESC(xfrsuccess, "transfer requests succeeded",
+			 "XfrSuccess");
 	SET_ZONESTATDESC(xfrfail, "transfer requests failed", "XfrFail");
 	INSIST(i == dns_zonestatscounter_max);
 
@@ -427,7 +434,7 @@
 	do { \
 		set_desc(dns_dnssecstats_ ## counterid, \
 			 dns_dnssecstats_max, \
-			 desc, dnssecstats_desc,\
+			 desc, dnssecstats_desc, \
 			 xmldesc, dnssecstats_xmldesc); \
 		dnssecstats_index[i++] = dns_dnssecstats_ ## counterid; \
 	} while (/*CONSTCOND*/0)
@@ -519,6 +526,51 @@
 			break;
 		case statsformat_xml:
 #ifdef HAVE_LIBXML2
+#ifdef NEWSTATS
+		writer = arg;
+
+		if (category != NULL) {
+			/* <NameOfCategory> */
+			TRY0(xmlTextWriterStartElement(writer,
+						       ISC_XMLCHAR
+						       category));
+			/* <name> inside category */
+			TRY0(xmlTextWriterStartElement(writer,
+						       ISC_XMLCHAR
+						       "name"));
+			TRY0(xmlTextWriterWriteString(writer,
+						      ISC_XMLCHAR
+						      desc[index]));
+			TRY0(xmlTextWriterEndElement(writer));
+			/* </name> */
+
+			/* <counter> */
+			TRY0(xmlTextWriterStartElement(writer,
+						       ISC_XMLCHAR
+						       "counter"));
+			TRY0(xmlTextWriterWriteFormatString(writer,
+				"%" ISC_PRINT_QUADFORMAT "u", value));
+
+			TRY0(xmlTextWriterEndElement(writer));
+			/* </counter> */
+			TRY0(xmlTextWriterEndElement(writer));
+			/* </NameOfCategory> */
+
+		} else {
+			TRY0(xmlTextWriterStartElement(writer,
+						       ISC_XMLCHAR
+						       "counter"));
+			TRY0(xmlTextWriterWriteAttribute(writer,
+							 ISC_XMLCHAR
+							 "name",
+							 ISC_XMLCHAR
+							 desc[index]));
+			TRY0(xmlTextWriterWriteFormatString(writer,
+				"%" ISC_PRINT_QUADFORMAT "u", value));
+			TRY0(xmlTextWriterEndElement(writer));
+			/* counter */
+		}
+#else /* !NEWSTATS */
 			writer = arg;
 
 			if (category != NULL) {
@@ -548,17 +600,73 @@
 			TRY0(xmlTextWriterEndElement(writer)); /* counter */
 			if (category != NULL)
 				TRY0(xmlTextWriterEndElement(writer)); /* category */
-#endif
+#endif /* NEWSTATS */
+#endif /* LIBXML2 */
 			break;
 		}
 	}
 	return (ISC_R_SUCCESS);
 #ifdef HAVE_LIBXML2
  error:
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
+		      ISC_LOG_ERROR, "failed at dump_counters()");
 	return (ISC_R_FAILURE);
 #endif
 }
 
+#ifdef NEWSTATS
+static void
+rdtypestat_dump(dns_rdatastatstype_t type, isc_uint64_t val, void *arg) {
+	char typebuf[64];
+	const char *typestr;
+	stats_dumparg_t *dumparg = arg;
+	FILE *fp;
+#ifdef HAVE_LIBXML2
+	xmlTextWriterPtr writer;
+	int xmlrc;
+#endif
+
+	if ((DNS_RDATASTATSTYPE_ATTR(type) & DNS_RDATASTATSTYPE_ATTR_OTHERTYPE)
+	    == 0) {
+		dns_rdatatype_format(DNS_RDATASTATSTYPE_BASE(type), typebuf,
+				     sizeof(typebuf));
+		typestr = typebuf;
+	} else
+		typestr = "Others";
+
+	switch (dumparg->type) {
+	case statsformat_file:
+		fp = dumparg->arg;
+		fprintf(fp, "%20" ISC_PRINT_QUADFORMAT "u %s\n", val, typestr);
+		break;
+	case statsformat_xml:
+#ifdef HAVE_LIBXML2
+
+		writer = dumparg->arg;
+
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "name",
+						 ISC_XMLCHAR typestr));
+
+		TRY0(xmlTextWriterWriteFormatString(writer,
+					       "%" ISC_PRINT_QUADFORMAT "u",
+					       val));
+
+		TRY0(xmlTextWriterEndElement(writer)); /* type */
+#endif
+		break;
+	}
+	return;
+#ifdef HAVE_LIBXML2
+ error:
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
+		      ISC_LOG_ERROR, "failed at rdtypestat_dump()");
+	dumparg->result = ISC_R_FAILURE;
+	return;
+#endif
+}
+#else  /* NEWSTATS */
 static void
 rdtypestat_dump(dns_rdatastatstype_t type, isc_uint64_t val, void *arg) {
 	char typebuf[64];
@@ -610,6 +718,7 @@
 	return;
 #endif
 }
+#endif  /* NEWSTATS */
 
 static void
 rdatasetstats_dump(dns_rdatastatstype_t type, isc_uint64_t val, void *arg) {
@@ -668,11 +777,58 @@
 	return;
 #ifdef HAVE_LIBXML2
  error:
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
+		      ISC_LOG_ERROR, "failed at rdatasetstats_dump()");
 	dumparg->result = ISC_R_FAILURE;
 #endif
 
 }
 
+#ifdef NEWSTATS
+static void
+opcodestat_dump(dns_opcode_t code, isc_uint64_t val, void *arg) {
+	FILE *fp;
+	isc_buffer_t b;
+	char codebuf[64];
+	stats_dumparg_t *dumparg = arg;
+#ifdef HAVE_LIBXML2
+	xmlTextWriterPtr writer;
+	int xmlrc;
+#endif
+
+	isc_buffer_init(&b, codebuf, sizeof(codebuf) - 1);
+	dns_opcode_totext(code, &b);
+	codebuf[isc_buffer_usedlength(&b)] = '\0';
+
+	switch (dumparg->type) {
+	case statsformat_file:
+		fp = dumparg->arg;
+		fprintf(fp, "%20" ISC_PRINT_QUADFORMAT "u %s\n", val, codebuf);
+		break;
+	case statsformat_xml:
+#ifdef HAVE_LIBXML2
+		writer = dumparg->arg;
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "name",
+						 ISC_XMLCHAR codebuf ));
+		TRY0(xmlTextWriterWriteFormatString(writer,
+						       "%" ISC_PRINT_QUADFORMAT "u",
+						       val));
+		TRY0(xmlTextWriterEndElement(writer)); /* counter */
+#endif
+		break;
+	}
+	return;
+
+#ifdef HAVE_LIBXML2
+ error:
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
+		      ISC_LOG_ERROR, "failed at opcodestat_dump()");
+	dumparg->result = ISC_R_FAILURE;
+	return;
+#endif
+}
+#else  /* NEWSTATS */
 static void
 opcodestat_dump(dns_opcode_t code, isc_uint64_t val, void *arg) {
 	FILE *fp;
@@ -721,12 +877,96 @@
 	return;
 #endif
 }
+#endif  /* NEWSTATS */
 
 #ifdef HAVE_LIBXML2
 
-/* XXXMLG below here sucks. */
+/* XXXMLG below here sucks. (not so much) */
+
+#ifdef NEWSTATS
+static isc_result_t
+zone_xmlrender(dns_zone_t *zone, void *arg) {
+	isc_result_t result;
+	char buf[1024 + 32];	/* sufficiently large for zone name and class */
+	char *zone_name_only = NULL;
+	dns_rdataclass_t rdclass;
+	isc_uint32_t serial;
+	xmlTextWriterPtr writer = arg;
+	isc_stats_t *zonestats;
+	dns_stats_t *rcvquerystats;
+	dns_zonestat_level_t statlevel;
+	isc_uint64_t nsstat_values[dns_nsstatscounter_max];
+	int xmlrc;
+	stats_dumparg_t dumparg;
+
+	statlevel = dns_zone_getstatlevel(zone);
+	if (statlevel == dns_zonestat_none)
+		return (ISC_R_SUCCESS);
+
+	dumparg.type = statsformat_xml;
+	dumparg.arg = writer;
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "zone"));
+	dns_zone_name(zone, buf, sizeof(buf));
+	zone_name_only = strtok(buf, "/");
+	if(zone_name_only == NULL)
+		zone_name_only = buf;
+
+	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "name",
+					 ISC_XMLCHAR zone_name_only));
+	rdclass = dns_zone_getclass(zone);
+	dns_rdataclass_format(rdclass, buf, sizeof(buf));
+	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "rdataclass",
+					 ISC_XMLCHAR buf));
 
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "serial"));
+	if (dns_zone_getserial2(zone, &serial) == ISC_R_SUCCESS)
+		TRY0(xmlTextWriterWriteFormatString(writer, "%u", serial));
+	else
+		TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR "-"));
+	TRY0(xmlTextWriterEndElement(writer)); /* serial */
 
+	zonestats = dns_zone_getrequeststats(zone);
+	rcvquerystats = dns_zone_getrcvquerystats(zone);
+	if (statlevel == dns_zonestat_full && zonestats != NULL) {
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "rcode"));
+
+		result = dump_counters(zonestats, statsformat_xml, writer,
+				       NULL, nsstats_xmldesc,
+				       dns_nsstatscounter_max, nsstats_index,
+				       nsstat_values, ISC_STATSDUMP_VERBOSE);
+		if (result != ISC_R_SUCCESS)
+			goto error;
+		/* counters type="rcode"*/
+		TRY0(xmlTextWriterEndElement(writer));
+	}
+
+	if (statlevel == dns_zonestat_full && rcvquerystats != NULL) {
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "qtype"));
+
+		dumparg.result = ISC_R_SUCCESS;
+		dns_rdatatypestats_dump(rcvquerystats, rdtypestat_dump,
+					&dumparg, 0);
+		if(dumparg.result != ISC_R_SUCCESS)
+			goto error;
+
+		/* counters type="qtype"*/
+		TRY0(xmlTextWriterEndElement(writer));
+	}
+
+	TRY0(xmlTextWriterEndElement(writer)); /* zone */
+
+	return (ISC_R_SUCCESS);
+ error:
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
+		      ISC_LOG_ERROR, "Failed at zone_xmlrender()");
+	return (ISC_R_FAILURE);
+}
+#else  /* NEWSTATS */
 static isc_result_t
 zone_xmlrender(dns_zone_t *zone, void *arg) {
 	char buf[1024 + 32];	/* sufficiently large for zone name and class */
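Review bot: `strtok(buf, "/")` in the new zone_xmlrender() keeps hidden static state, so it is unsafe if this renderer can run while any other thread in the server is inside a strtok() sequence. It also cuts at the first '/', which would truncate a zone name that itself contains one (RFC 2317 style reverse zones do); presumably dns_zone_name() emits name/class/view, but its format is not visible here. A reentrant cut such as `char *slash = strchr(buf, '/');` followed by `if (slash != NULL) *slash = '\0';` removes the shared state. The truncation case needs the zone name taken without the class and view suffix rather than split from the front.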
@@ -776,7 +1016,237 @@
  error:
 	return (ISC_R_FAILURE);
 }
+#endif  /* NEWSTATS */
 
+#ifdef NEWSTATS
+static isc_result_t
+generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
+	char boottime[sizeof "yyyy-mm-ddThh:mm:ssZ"];
+	char nowstr[sizeof "yyyy-mm-ddThh:mm:ssZ"];
+	isc_time_t now;
+	xmlTextWriterPtr writer = NULL;
+	xmlDocPtr doc = NULL;
+	int xmlrc;
+	dns_view_t *view;
+	stats_dumparg_t dumparg;
+	dns_stats_t *cacherrstats;
+	isc_uint64_t nsstat_values[dns_nsstatscounter_max];
+	isc_uint64_t resstat_values[dns_resstatscounter_max];
+	isc_uint64_t zonestat_values[dns_zonestatscounter_max];
+	isc_uint64_t sockstat_values[isc_sockstatscounter_max];
+	isc_result_t result;
+
+	isc_time_now(&now);
+	isc_time_formatISO8601(&ns_g_boottime, boottime, sizeof boottime);
+	isc_time_formatISO8601(&now, nowstr, sizeof nowstr);
+
+	writer = xmlNewTextWriterDoc(&doc, 0);
+	if (writer == NULL)
+		goto error;
+	TRY0(xmlTextWriterStartDocument(writer, NULL, "UTF-8", NULL));
+	TRY0(xmlTextWriterWritePI(writer, ISC_XMLCHAR "xml-stylesheet",
+			ISC_XMLCHAR "type=\"text/xsl\" href=\"/bind9.ver3.xsl\""));
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "statistics"));
+	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
+					 ISC_XMLCHAR "3.0"));
+
+	/* Set common fields for statistics dump */
+	dumparg.type = statsformat_xml;
+	dumparg.arg = writer;
+
+	/*
+	 * Start by rendering the views we know of here.  For each view we
+	 * know of, call its rendering function.
+	 */
+	view = ISC_LIST_HEAD(server->viewlist);
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "views"));
+	while (view != NULL) {
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "view"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "name",
+						 ISC_XMLCHAR view->name));
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "zones"));
+		result = dns_zt_apply(view->zonetable, ISC_TRUE, zone_xmlrender,
+				      writer);
+		if (result != ISC_R_SUCCESS)
+			goto error;
+		TRY0(xmlTextWriterEndElement(writer)); /* zones */
+
+		TRY0(xmlTextWriterStartElement(writer,
+					       ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "resqtype"));
+
+		if (view->resquerystats != NULL) {
+			dumparg.result = ISC_R_SUCCESS;
+			dns_rdatatypestats_dump(view->resquerystats,
+						rdtypestat_dump, &dumparg, 0);
+			if (dumparg.result != ISC_R_SUCCESS)
+				goto error;
+		}
+		TRY0(xmlTextWriterEndElement(writer));
+
+		/* <resstats> */
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "resstats"));
+		if (view->resstats != NULL) {
+			result = dump_counters(view->resstats,
+					       statsformat_xml, writer,
+					       NULL, resstats_xmldesc,
+					       dns_resstatscounter_max,
+					       resstats_index, resstat_values,
+					       ISC_STATSDUMP_VERBOSE);
+			if (result != ISC_R_SUCCESS)
+				goto error;
+		}
+		TRY0(xmlTextWriterEndElement(writer)); /* </resstats> */
+
+		cacherrstats = dns_db_getrrsetstats(view->cachedb);
+		if (cacherrstats != NULL) {
+			TRY0(xmlTextWriterStartElement(writer,
+						       ISC_XMLCHAR "cache"));
+			TRY0(xmlTextWriterWriteAttribute(writer,
+					 ISC_XMLCHAR "name",
+					 ISC_XMLCHAR
+					 dns_cache_getname(view->cache)));
+			dumparg.result = ISC_R_SUCCESS;
+			dns_rdatasetstats_dump(cacherrstats, rdatasetstats_dump,
+					       &dumparg, 0);
+			if (dumparg.result != ISC_R_SUCCESS)
+				goto error;
+			TRY0(xmlTextWriterEndElement(writer)); /* cache */
+		}
+
+		TRY0(xmlTextWriterEndElement(writer)); /* view */
+
+		view = ISC_LIST_NEXT(view, link);
+	}
+	TRY0(xmlTextWriterEndElement(writer)); /* views */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "socketmgr"));
+	isc_socketmgr_renderxml(ns_g_socketmgr, writer);
+	TRY0(xmlTextWriterEndElement(writer)); /* socketmgr */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "taskmgr"));
+	isc_taskmgr_renderxml(ns_g_taskmgr, writer);
+	TRY0(xmlTextWriterEndElement(writer)); /* taskmgr */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "server"));
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "boot-time"));
+	TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR boottime));
+	TRY0(xmlTextWriterEndElement(writer)); /* boot-time */
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "current-time"));
+	TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR nowstr));
+	TRY0(xmlTextWriterEndElement(writer));  /* current-time */
+
+	dumparg.result = ISC_R_SUCCESS;
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+					 ISC_XMLCHAR "opcode"));
+
+	dns_opcodestats_dump(server->opcodestats, opcodestat_dump, &dumparg,
+			     0);
+	if (dumparg.result != ISC_R_SUCCESS)
+		goto error;
+
+	TRY0(xmlTextWriterEndElement(writer)); /* counters type=opcode */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+					 ISC_XMLCHAR "qtype"));
+
+	dumparg.result = ISC_R_SUCCESS;
+	dns_rdatatypestats_dump(server->rcvquerystats, rdtypestat_dump,
+				&dumparg, 0);
+	if (dumparg.result != ISC_R_SUCCESS)
+		goto error;
+	TRY0(xmlTextWriterEndElement(writer)); /* counters */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+					 ISC_XMLCHAR "nsstat"));
+
+	result = dump_counters(server->nsstats, statsformat_xml,
+			       writer, NULL, nsstats_xmldesc,
+			       dns_nsstatscounter_max,
+			       nsstats_index, nsstat_values,
+			       ISC_STATSDUMP_VERBOSE);
+	if (result != ISC_R_SUCCESS)
+		goto error;
+
+	TRY0(xmlTextWriterEndElement(writer)); /* counters type=nsstat */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+					 ISC_XMLCHAR "zonestat"));
+
+	result = dump_counters(server->zonestats, statsformat_xml, writer,
+			       NULL, zonestats_xmldesc,
+			       dns_zonestatscounter_max, zonestats_index,
+			       zonestat_values, ISC_STATSDUMP_VERBOSE);
+	if (result != ISC_R_SUCCESS)
+		goto error;
+
+	TRY0(xmlTextWriterEndElement(writer)); /* counters type=zonestat */
+
+	/*
+	 * Most of the common resolver statistics entries are 0, so we don't
+	 * use the verbose dump here.
+	 */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+					 ISC_XMLCHAR "resstat"));
+	result = dump_counters(server->resolverstats, statsformat_xml,
+			       writer, NULL, resstats_xmldesc,
+			       dns_resstatscounter_max, resstats_index,
+			       resstat_values, 0);
+	if (result != ISC_R_SUCCESS)
+		goto error;
+
+	TRY0(xmlTextWriterEndElement(writer)); /* counters type=resstat */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+					 ISC_XMLCHAR "sockstat"));
+
+	result = dump_counters(server->sockstats, statsformat_xml,
+			       writer, NULL, sockstats_xmldesc,
+			       isc_sockstatscounter_max, sockstats_index,
+			       sockstat_values, ISC_STATSDUMP_VERBOSE);
+	if (result != ISC_R_SUCCESS)
+		goto error;
+
+	TRY0(xmlTextWriterEndElement(writer)); /* counters type=sockstat */
+
+	TRY0(xmlTextWriterEndElement(writer)); /* server */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "memory"));
+	isc_mem_renderxml(writer);
+	TRY0(xmlTextWriterEndElement(writer)); /* memory */
+
+	TRY0(xmlTextWriterEndElement(writer)); /* statistics */
+
+	TRY0(xmlTextWriterEndDocument(writer));
+
+	xmlFreeTextWriter(writer);
+
+	xmlDocDumpFormatMemoryEnc(doc, buf, buflen, "UTF-8", 0);
+	xmlFreeDoc(doc);
+	return (ISC_R_SUCCESS);
+
+ error:
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
+		      ISC_LOG_ERROR, "failed generating XML response");
+	if (writer != NULL)
+		xmlFreeTextWriter(writer);
+	if (doc != NULL)
+		xmlFreeDoc(doc);
+	return (ISC_R_FAILURE);
+}
+#else /* OLDSTATS */
 static isc_result_t
 generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
 	char boottime[sizeof "yyyy-mm-ddThh:mm:ssZ"];
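Review bot: In the NEWSTATS generatexml() the calls `isc_socketmgr_renderxml(ns_g_socketmgr, writer);`, `isc_taskmgr_renderxml(ns_g_taskmgr, writer);` and `isc_mem_renderxml(writer);` discard their return values, while the following hunks of this same change wrap the identical calls in the OLDSTATS copy with TRY0. If those functions report writer errors in this build variant too, which is inferred from the other hunks, a failure here goes unnoticed and a truncated document can be served as a success. Use `TRY0(isc_socketmgr_renderxml(ns_g_socketmgr, writer));` and the same wrapper for the other two so both variants reach the `error:` label.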
@@ -879,11 +1349,11 @@
 	TRY0(xmlTextWriterEndElement(writer)); /* views */
 
 	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "socketmgr"));
-	isc_socketmgr_renderxml(ns_g_socketmgr, writer);
+	TRY0(isc_socketmgr_renderxml(ns_g_socketmgr, writer));
 	TRY0(xmlTextWriterEndElement(writer)); /* socketmgr */
 
 	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "taskmgr"));
-	isc_taskmgr_renderxml(ns_g_taskmgr, writer);
+	TRY0(isc_taskmgr_renderxml(ns_g_taskmgr, writer));
 	TRY0(xmlTextWriterEndElement(writer)); /* taskmgr */
 
 	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "server"));
@@ -946,7 +1416,7 @@
 	TRY0(xmlTextWriterEndElement(writer)); /* server */
 
 	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "memory"));
-	isc_mem_renderxml(writer);
+	TRY0(isc_mem_renderxml(writer));
 	TRY0(xmlTextWriterEndElement(writer)); /* memory */
 
 	TRY0(xmlTextWriterEndElement(writer)); /* statistics */
@@ -968,6 +1438,7 @@
 		xmlFreeDoc(doc);
 	return (ISC_R_FAILURE);
 }
+#endif /* NEWSTATS */
 
 static void
 wrap_xmlfree(isc_buffer_t *buffer, void *arg) {
@@ -1000,7 +1471,10 @@
 		isc_buffer_add(b, msglen);
 		*freecb = wrap_xmlfree;
 		*freecb_args = NULL;
-	}
+	} else
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "failed at rendering XML()");
 
 	return (result);
 }
@@ -1032,7 +1506,7 @@
 shutdown_listener(ns_statschannel_t *listener) {
 	char socktext[ISC_SOCKADDR_FORMATSIZE];
 	isc_sockaddr_format(&listener->address, socktext, sizeof(socktext));
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,NS_LOGMODULE_SERVER,
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
 		      ISC_LOG_NOTICE, "stopping statistics channel on %s",
 		      socktext);
 
@@ -1150,10 +1624,22 @@
 
 #ifdef HAVE_LIBXML2
 	isc_httpdmgr_addurl(listener->httpdmgr, "/", render_index, server);
+	isc_httpdmgr_addurl(listener->httpdmgr, "/xml", render_index, server);
+#ifdef NEWSTATS
+	isc_httpdmgr_addurl(listener->httpdmgr, "/xml/v3", render_index,
+			    server);
+#else /* OLDSTATS */
+	isc_httpdmgr_addurl(listener->httpdmgr, "/xml/v2", render_index,
+			    server);
+#endif /* NEWSTATS */
 #endif
+#ifdef NEWSTATS
+	isc_httpdmgr_addurl(listener->httpdmgr, "/bind9.ver3.xsl", render_xsl,
+			    server);
+#else /* OLDSTATS */
 	isc_httpdmgr_addurl(listener->httpdmgr, "/bind9.xsl", render_xsl,
 			    server);
-
+#endif /* NEWSTATS */
 	*listenerp = listener;
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 		      NS_LOGMODULE_SERVER, ISC_LOG_NOTICE,
@@ -1285,7 +1771,8 @@
 				obj = cfg_tuple_get(listen_params, "address");
 				addr = *cfg_obj_assockaddr(obj);
 				if (isc_sockaddr_getport(&addr) == 0)
-					isc_sockaddr_setport(&addr, NS_STATSCHANNEL_HTTPPORT);
+					isc_sockaddr_setport(&addr,
+						     NS_STATSCHANNEL_HTTPPORT);
 
 				isc_sockaddr_format(&addr, socktext,
 						    sizeof(socktext));
--- a/external/bsd/bind/dist/bin/named/tkeyconf.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/named/tkeyconf.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: tkeyconf.c,v 1.3 2012/06/05 00:39:05 christos Exp $	*/
+/*	$NetBSD: tkeyconf.c,v 1.4 2013/07/27 19:23:10 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -75,7 +75,7 @@
 	if (result == ISC_R_SUCCESS) {
 		s = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
 		n = cfg_obj_asuint32(cfg_tuple_get(obj, "keyid"));
-		isc_buffer_init(&b, s, strlen(s));
+		isc_buffer_constinit(&b, s, strlen(s));
 		isc_buffer_add(&b, strlen(s));
 		dns_fixedname_init(&fname);
 		name = dns_fixedname_name(&fname);
@@ -89,7 +89,7 @@
 	result = cfg_map_get(options, "tkey-domain", &obj);
 	if (result == ISC_R_SUCCESS) {
 		s = cfg_obj_asstring(obj);
-		isc_buffer_init(&b, s, strlen(s));
+		isc_buffer_constinit(&b, s, strlen(s));
 		isc_buffer_add(&b, strlen(s));
 		dns_fixedname_init(&fname);
 		name = dns_fixedname_name(&fname);
@@ -108,7 +108,7 @@
 	if (result == ISC_R_SUCCESS) {
 		s = cfg_obj_asstring(obj);
 
-		isc_buffer_init(&b, s, strlen(s));
+		isc_buffer_constinit(&b, s, strlen(s));
 		isc_buffer_add(&b, strlen(s));
 		dns_fixedname_init(&fname);
 		name = dns_fixedname_name(&fname);
--- a/external/bsd/bind/dist/bin/named/tsigconf.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/named/tsigconf.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: tsigconf.c,v 1.3 2012/06/05 00:39:06 christos Exp $	*/
+/*	$NetBSD: tsigconf.c,v 1.4 2013/07/27 19:23:10 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2007, 2009, 2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -80,7 +80,7 @@
 		 * Create the key name.
 		 */
 		dns_name_init(&keyname, NULL);
-		isc_buffer_init(&keynamesrc, keyid, strlen(keyid));
+		isc_buffer_constinit(&keynamesrc, keyid, strlen(keyid));
 		isc_buffer_add(&keynamesrc, strlen(keyid));
 		isc_buffer_init(&keynamebuf, keynamedata, sizeof(keynamedata));
 		ret = dns_name_fromtext(&keyname, &keynamesrc, dns_rootname,
--- a/external/bsd/bind/dist/bin/named/unix/dlz_dlopen_driver.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/named/unix/dlz_dlopen_driver.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dlz_dlopen_driver.c,v 1.2 2012/12/04 23:38:38 spz Exp $	*/
+/*	$NetBSD: dlz_dlopen_driver.c,v 1.3 2013/07/27 19:23:10 christos Exp $	*/
 
 /*
- * Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -230,7 +230,9 @@
 		return (ISC_R_FAILURE);
 	}
 
-	isc_mem_create(0, 0, &mctx);
+	result = isc_mem_create(0, 0, &mctx);
+	if (result != ISC_R_SUCCESS)
+		return (result);
 
 	cd = isc_mem_get(mctx, sizeof(*cd));
 	if (cd == NULL) {
@@ -252,7 +254,9 @@
 	}
 
 	/* Initialize the lock */
-	isc_mutex_init(&cd->lock);
+	result = isc_mutex_init(&cd->lock);
+	if (result != ISC_R_SUCCESS)
+		goto failed;
 
 	/* Open the library */
 	dlopen_flags = RTLD_NOW|RTLD_GLOBAL;
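Review bot: The new `goto failed;` after isc_mutex_init() depends on the `failed:` block (next hunk) treating `dlopen_flags != 0` as the signal that cd->lock was initialised. That holds only because `dlopen_flags = RTLD_NOW|RTLD_GLOBAL;` is assigned after the mutex call and, presumably, the variable starts at 0; its declaration is outside the hunk. Nothing in the code records this, and reordering these lines would make the cleanup destroy an uninitialised mutex. A comment at the jump such as `/* dlopen_flags is still 0 here, so failed: skips isc_mutex_destroy() */` would document the dependency, and a dedicated boolean would be sturdier.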
@@ -356,11 +360,11 @@
 
 failed:
 	dlopen_log(ISC_LOG_ERROR, "dlz_dlopen of '%s' failed", dlzname);
-	if (cd->dl_path)
+	if (cd->dl_path != NULL)
 		isc_mem_free(mctx, cd->dl_path);
-	if (cd->dlzname)
+	if (cd->dlzname != NULL)
 		isc_mem_free(mctx, cd->dlzname);
-	if (dlopen_flags)
+	if (dlopen_flags != 0)
 		(void) isc_mutex_destroy(&cd->lock);
 #ifdef HAVE_DLCLOSE
 	if (cd->dl_handle)
--- a/external/bsd/bind/dist/bin/named/update.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/named/update.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: update.c,v 1.5 2012/06/05 00:39:06 christos Exp $	*/
+/*	$NetBSD: update.c,v 1.6 2013/07/27 19:23:10 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -2371,7 +2371,8 @@
 		ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
 		ISC_LIST_APPEND(diff->tuples, tuple, link);
 
-		dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
+		result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		if ((dnskey.flags &
 		     (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
 			 != DNS_KEYOWNER_ZONE)
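Review bot: `RUNTIME_CHECK(result == ISC_R_SUCCESS)` turns any failure of `dns_rdata_tostruct` into a process abort, and the rdata decoded here comes from the tuples of an update diff, so if that conversion could ever fail the whole server would stop rather than the one update being rejected. With a NULL memory context the DNSKEY conversion presumably cannot fail, but that invariant is not stated anywhere in the hunk. Either record it next to the check, e.g. `/* Cannot fail: no allocation is done when mctx is NULL. */`, or propagate `result` through the function's normal error exit, which is outside this hunk.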
--- a/external/bsd/bind/dist/bin/named/xfrout.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/named/xfrout.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: xfrout.c,v 1.4 2012/06/05 00:39:06 christos Exp $	*/
+/*	$NetBSD: xfrout.c,v 1.5 2013/07/27 19:23:10 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -249,7 +249,8 @@
 	s = isc_mem_get(mctx, sizeof(*s));
 	if (s == NULL)
 		return (ISC_R_NOMEMORY);
-	s->common.mctx = mctx;
+	s->common.mctx = NULL;
+	isc_mem_attach(mctx, &s->common.mctx);
 	s->common.methods = &ixfr_rrstream_methods;
 	s->journal = NULL;
 
@@ -291,7 +292,7 @@
 	ixfr_rrstream_t *s = (ixfr_rrstream_t *) *rsp;
 	if (s->journal != 0)
 		dns_journal_destroy(&s->journal);
-	isc_mem_put(s->common.mctx, s, sizeof(*s));
+	isc_mem_putanddetach(&s->common.mctx, s, sizeof(*s));
 }
 
 static rrstream_methods_t ixfr_rrstream_methods = {
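Review bot: The destroy function releases `s` with `isc_mem_putanddetach`, but the visible body never clears `*rsp`, so the caller's stream pointer keeps pointing at freed memory; the same applies to the axfr, soa and compound destroy hunks below. Adding `*rsp = NULL;` as the last statement would turn an accidental later use or second destroy into an immediate NULL dereference instead of a use-after-free. The compound destructor already nulls `s->components[2]` by hand because it aliases `components[0]`, so the dangling-alias hazard is known in this file. The function signatures are outside the hunks, so `rsp` being a pointer to the stream pointer is inferred from the cast.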
@@ -337,7 +338,8 @@
 	s = isc_mem_get(mctx, sizeof(*s));
 	if (s == NULL)
 		return (ISC_R_NOMEMORY);
-	s->common.mctx = mctx;
+	s->common.mctx = NULL;
+	isc_mem_attach(mctx, &s->common.mctx);
 	s->common.methods = &axfr_rrstream_methods;
 	s->it_valid = ISC_FALSE;
 
@@ -415,7 +417,7 @@
 	axfr_rrstream_t *s = (axfr_rrstream_t *) *rsp;
 	if (s->it_valid)
 		dns_rriterator_destroy(&s->it);
-	isc_mem_put(s->common.mctx, s, sizeof(*s));
+	isc_mem_putanddetach(&s->common.mctx, s, sizeof(*s));
 }
 
 static rrstream_methods_t axfr_rrstream_methods = {
@@ -457,7 +459,8 @@
 	s = isc_mem_get(mctx, sizeof(*s));
 	if (s == NULL)
 		return (ISC_R_NOMEMORY);
-	s->common.mctx = mctx;
+	s->common.mctx = NULL;
+	isc_mem_attach(mctx, &s->common.mctx);
 	s->common.methods = &soa_rrstream_methods;
 	s->soa_tuple = NULL;
 
@@ -499,7 +502,7 @@
 	soa_rrstream_t *s = (soa_rrstream_t *) *rsp;
 	if (s->soa_tuple != NULL)
 		dns_difftuple_free(&s->soa_tuple);
-	isc_mem_put(s->common.mctx, s, sizeof(*s));
+	isc_mem_putanddetach(&s->common.mctx, s, sizeof(*s));
 }
 
 static rrstream_methods_t soa_rrstream_methods = {
@@ -563,7 +566,8 @@
 	s = isc_mem_get(mctx, sizeof(*s));
 	if (s == NULL)
 		return (ISC_R_NOMEMORY);
-	s->common.mctx = mctx;
+	s->common.mctx = NULL;
+	isc_mem_attach(mctx, &s->common.mctx);
 	s->common.methods = &compound_rrstream_methods;
 	s->components[0] = *soa_stream;
 	s->components[1] = *data_stream;
@@ -636,7 +640,7 @@
 	s->components[0]->methods->destroy(&s->components[0]);
 	s->components[1]->methods->destroy(&s->components[1]);
 	s->components[2] = NULL; /* Copy of components[0]. */
-	isc_mem_put(s->common.mctx, s, sizeof(*s));
+	isc_mem_putanddetach(&s->common.mctx, s, sizeof(*s));
 }
 
 static rrstream_methods_t compound_rrstream_methods = {
@@ -835,14 +839,6 @@
 				FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
 				      question_name, question_class);
 			is_dlz = ISC_TRUE;
-			/*
-			 * DLZ only support full zone transfer, not incremental
-			 */
-			if (reqtype != dns_rdatatype_axfr) {
-				mnemonic = "AXFR-style IXFR";
-				reqtype = dns_rdatatype_axfr;
-			}
-
 		} else {
 			/*
 			 * not DLZ and not in normal zone table, we are
@@ -854,12 +850,14 @@
 	} else {
 		/* zone table has a match */
 		switch(dns_zone_gettype(zone)) {
+			/* Master and slave zones are OK for transfer. */
 			case dns_zone_master:
 			case dns_zone_slave:
 			case dns_zone_dlz:
-				break;	/* Master and slave zones are OK for transfer. */
+				break;
 			default:
-				FAILQ(DNS_R_NOTAUTH, "non-authoritative zone", question_name, question_class);
+				FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
+				      question_name, question_class);
 			}
 		CHECK(dns_zone_getdb(zone, &db));
 		dns_db_currentversion(db, &ver);
@@ -994,7 +992,7 @@
 			is_poll = ISC_TRUE;
 			goto have_stream;
 		}
-		journalfile = dns_zone_getjournal(zone);
+		journalfile = is_dlz ? NULL : dns_zone_getjournal(zone);
 		if (journalfile != NULL)
 			result = ixfr_rrstream_create(mctx,
 						      journalfile,
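Review bot: The `is_dlz ? NULL : dns_zone_getjournal(zone)` guard has no comment saying why a DLZ-backed transfer must skip the journal lookup. Now that the earlier hunk in this file no longer rewrites the request type to AXFR for DLZ, this ternary is the only visible thing keeping a DLZ IXFR request off the `ixfr_rrstream_create` path. A one-line comment above it would record that, e.g. `/* DLZ zones have no journal (confirm: zone may be unset here); use the non-journal path. */`. The wording should be confirmed by the author, since the surrounding branch and the value of `zone` for DLZ are outside the hunk.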
--- a/external/bsd/bind/dist/bin/named/zoneconf.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/named/zoneconf.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: zoneconf.c,v 1.4 2012/06/05 00:39:07 christos Exp $	*/
+/*	$NetBSD: zoneconf.c,v 1.5 2013/07/27 19:23:10 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -58,6 +58,7 @@
 typedef enum {
 	allow_notify,
 	allow_query,
+	allow_query_on,
 	allow_transfer,
 	allow_update,
 	allow_update_forwarding
@@ -106,6 +107,11 @@
 			aclp = &view->queryacl;
 		aclname = "allow-query";
 		break;
+	    case allow_query_on:
+		if (view != NULL)
+			aclp = &view->queryonacl;
+		aclname = "allow-query-on";
+		break;
 	    case allow_transfer:
 		if (view != NULL)
 			aclp = &view->transferacl;
@@ -271,7 +277,7 @@
 
 		dns_fixedname_init(&fident);
 		str = cfg_obj_asstring(identity);
-		isc_buffer_init(&b, str, strlen(str));
+		isc_buffer_constinit(&b, str, strlen(str));
 		isc_buffer_add(&b, strlen(str));
 		result = dns_name_fromtext(dns_fixedname_name(&fident), &b,
 					   dns_rootname, 0, NULL);
@@ -294,7 +300,7 @@
 			}
 		} else {
 			str = cfg_obj_asstring(dname);
-			isc_buffer_init(&b, str, strlen(str));
+			isc_buffer_constinit(&b, str, strlen(str));
 			isc_buffer_add(&b, strlen(str));
 			result = dns_name_fromtext(dns_fixedname_name(&fname),
 						   &b, dns_rootname, 0, NULL);
@@ -527,7 +533,7 @@
 		dns_fixedname_init(&fixed_name);
 		nsname = dns_fixedname_name(&fixed_name);
 
-		isc_buffer_init(&b, str, strlen(str));
+		isc_buffer_constinit(&b, str, strlen(str));
 		isc_buffer_add(&b, strlen(str));
 		result = dns_name_fromtext(nsname, &b, dns_rootname, 0, NULL);
 		if (result != ISC_R_SUCCESS) {
@@ -820,7 +826,10 @@
 	isc_boolean_t ixfrdiff;
 	dns_masterformat_t masterformat;
 	isc_stats_t *zoneqrystats;
-	isc_boolean_t zonestats_on;
+#ifdef NEWSTATS
+	dns_stats_t *rcvquerystats;
+#endif
+	dns_zonestat_level_t statlevel;
 	int seconds;
 	dns_zone_t *mayberaw = (raw != NULL) ? raw : zone;
 
@@ -928,7 +937,7 @@
 			INSIST(0);
 	}
 
-	if (raw != NULL) {
+	if (raw != NULL && filename != NULL) {
 #define SIGNED ".signed"
 		size_t signedlen = strlen(filename) + sizeof(SIGNED);
 		char *signedname;
@@ -969,6 +978,11 @@
 				  dns_zone_setqueryacl,
 				  dns_zone_clearqueryacl));
 
+	RETERR(configure_zone_acl(zconfig, vconfig, config,
+				  allow_query_on, ac, zone,
+				  dns_zone_setqueryonacl,
+				  dns_zone_clearqueryonacl));
+
 	obj = NULL;
 	result = ns_config_get(maps, "dialup", &obj);
 	INSIST(result == ISC_R_SUCCESS && obj != NULL);
@@ -997,16 +1011,49 @@
 	obj = NULL;
 	result = ns_config_get(maps, "zone-statistics", &obj);
 	INSIST(result == ISC_R_SUCCESS && obj != NULL);
-	zonestats_on = cfg_obj_asboolean(obj);
-	zoneqrystats = NULL;
-	if (zonestats_on) {
+	if (cfg_obj_isboolean(obj)) {
+		if (cfg_obj_asboolean(obj))
+			statlevel = dns_zonestat_full;
+		else
+			statlevel = dns_zonestat_terse; /* XXX */
+	} else {
+		const char *levelstr = cfg_obj_asstring(obj);
+		if (strcasecmp(levelstr, "full") == 0)
+			statlevel = dns_zonestat_full;
+		else if (strcasecmp(levelstr, "terse") == 0)
+			statlevel = dns_zonestat_terse;
+		else if (strcasecmp(levelstr, "none") == 0)
+			statlevel = dns_zonestat_none;
+		else
+			INSIST(0);
+	}
+	dns_zone_setstatlevel(zone, statlevel);
+
+	zoneqrystats  = NULL;
+#ifdef NEWSTATS
+	rcvquerystats = NULL;
+#endif
+	if (statlevel == dns_zonestat_full) {
 		RETERR(isc_stats_create(mctx, &zoneqrystats,
 					dns_nsstatscounter_max));
+#ifdef NEWSTATS
+		RETERR(dns_rdatatypestats_create(mctx,
+					&rcvquerystats));
+#endif
 	}
-	dns_zone_setrequeststats(zone, zoneqrystats);
+	dns_zone_setrequeststats(zone,  zoneqrystats );
+#ifdef NEWSTATS
+	dns_zone_setrcvquerystats(zone, rcvquerystats);
+#endif
+
 	if (zoneqrystats != NULL)
 		isc_stats_detach(&zoneqrystats);
 
+#ifdef NEWSTATS
+	if(rcvquerystats != NULL)
+		dns_stats_detach(&rcvquerystats);
+#endif
+
 	/*
 	 * Configure master functionality.  This applies
 	 * to primary masters (type "master") and slaves
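Review bot: Under `NEWSTATS`, a failure of `dns_rdatatypestats_create` exits through `RETERR` right after `isc_stats_create` has succeeded, and nothing on that exit detaches `zoneqrystats`, so the counter set looks leaked on that path. This assumes `RETERR` returns immediately; its definition is not in the hunk. Checking the result by hand and detaching before returning closes it, as in the excerpt below. Separately, the bare `/* XXX */` on the boolean-false branch should say why `no` maps to `dns_zonestat_terse` rather than `dns_zonestat_none`. The enclosing function starts and ends outside the hunk.

```c
	if (statlevel == dns_zonestat_full) {
		/* … unchanged: isc_stats_create() for zoneqrystats … */
#ifdef NEWSTATS
		result = dns_rdatatypestats_create(mctx, &rcvquerystats);
		if (result != ISC_R_SUCCESS) {
			/* Drop the reference taken by isc_stats_create() above. */
			isc_stats_detach(&zoneqrystats);
			return (result);
		}
#endif
```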
@@ -1185,6 +1232,17 @@
 				   cfg_obj_asboolean(obj));
 
 		obj = NULL;
+		result = ns_config_get(maps, "check-spf", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			check = ISC_TRUE;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			check = ISC_FALSE;
+		} else
+			INSIST(0);
+		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSPF, check);
+
+		obj = NULL;
 		result = ns_config_get(maps, "zero-no-soa-ttl", &obj);
 		INSIST(result == ISC_R_SUCCESS && obj != NULL);
 		dns_zone_setzeronosoattl(zone, cfg_obj_asboolean(obj));
--- a/external/bsd/bind/dist/bin/nsupdate/nsupdate.c	Sat Jul 27 19:22:10 2013 +0000
+++ b/external/bsd/bind/dist/bin/nsupdate/nsupdate.c	Sat Jul 27 19:23:09 2013 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: nsupdate.c,v 1.6 2013/03/24 18:44:39 christos Exp $	*/
+/*	$NetBSD: nsupdate.c,v 1.7 2013/07/27 19:23:10 christos Exp $	*/
 
 /*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -936,7 +936,7 @@
 	INSIST(count == 1);
 }
 
-#define PARSE_ARGS_FMT "dDML:y:ghlovk:p:rR::t:u:"
+#define PARSE_ARGS_FMT "dDML:y:ghlovk:p:r:R::t:u:"
 
 static void
 pre_parse_args(int argc, char **argv) {
--- a/external/bsd/bind/dist/bin/pkcs11/openssl-0.9.8s-patch	Sat Jul 27 19:22:10 2013 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,15768 +0,0 @@
-Index: openssl/Configure
-diff -u openssl/Configure:1.8.6.1 openssl/Configure:1.8
---- openssl/Configure:1.8.6.1	Sun Jan 15 15:45:33 2012
-+++ openssl/Configure	Mon Jun 13 14:25:15 2011
-@@ -12,7 +12,7 @@
- 
- # see INSTALL for instructions.
- 
--my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
-+my $usage="Usage: Configure --pk11-libname=PK11_LIB_LOCATION --pk11-flavor=FLAVOR [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
- 
- # Options:
- #
-@@ -25,6 +25,12 @@
- #               default).  This needn't be set in advance, you can
- #               just as well use "make INSTALL_PREFIX=/whatever install".
- #
-+# --pk11-libname  PKCS#11 library name.
-+#               (No default)
-+#
-+# --pk11-flavor either crypto-accelerator or sign-only
-+#               (No default)
-+#
- # --with-krb5-dir  Declare where Kerberos 5 lives.  The libraries are expected
- #		to live in the subdirectory lib/ and the header files in
- #		include/.  A value is required.
-@@ -335,7 +341,7 @@
- "linux-ppc",	"gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- #### IA-32 targets...
- "linux-ia32-icc",	"icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT -pthread::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
- ####
- "linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-@@ -343,7 +349,7 @@
- "linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT -pthread::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- #### SPARC Linux setups
- # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
- # assisted with debugging of following two configs.
-@@ -590,6 +596,10 @@
- my $idx_ranlib = $idx++;
- my $idx_arflags = $idx++;
- 
-+# PKCS#11 engine patch
-+my $pk11_libname="";
-+my $pk11_flavor="";
-+
- my $prefix="";
- my $libdir="";
- my $openssldir="";
-@@ -828,6 +838,14 @@
- 				{
- 				$flags.=$_." ";
- 				}
-+			elsif (/^--pk11-libname=(.*)$/)
-+				{
-+				$pk11_libname=$1;
-+				}
-+			elsif (/^--pk11-flavor=(.*)$/)
-+				{
-+				$pk11_flavor=$1;
-+				}
- 			elsif (/^--prefix=(.*)$/)
- 				{
- 				$prefix=$1;
-@@ -963,6 +981,22 @@
- 	exit 0;
- }
- 
-+if (! $pk11_libname)
-+        {
-+        print STDERR "You must set --pk11-libname for PKCS#11 library.\n";
-+        print STDERR "See README.pkcs11 for more information.\n";
-+        exit 1;
-+        }
-+
-+if (! $pk11_flavor
-+    || !($pk11_flavor eq "crypto-accelerator" || $pk11_flavor eq "sign-only"))
-+	{
-+	print STDERR "You must set --pk11-flavor.\n";
-+	print STDERR "Choices are crypto-accelerator and sign-only.\n";
-+	print STDERR "See README.pkcs11 for more information.\n";
-+	exit 1;
-+	}
-+
- if ($target =~ m/^CygWin32(-.*)$/) {
- 	$target = "Cygwin".$1;
- }
-@@ -1078,6 +1112,25 @@
- 	print "\n";
- 	}
- 
-+if ($pk11_flavor eq "crypto-accelerator")
-+	{
-+	$openssl_other_defines .= "#define OPENSSL_NO_HW_PKCS11SO\n";
-+	$default_depflags .= " -DOPENSSL_NO_HW_PKCS11SO";
-+	$depflags .= " -DOPENSSL_NO_HW_PKCS11SO";
-+	$options .= " no-hw-pkcs11so";
-+	print "    no-hw-pkcs11so  [pk11-flavor]";
-+	print " OPENSSL_NO_HW_PKCS11SO\n";
-+	}
-+else
-+	{
-+	$openssl_other_defines .= "#define OPENSSL_NO_HW_PKCS11CA\n";
-+	$default_depflags .= " -DOPENSSL_NO_HW_PKCS11CA";
-+	$depflags .= " -DOPENSSL_NO_HW_PKCS11CA";
-+	$options .= " no-hw-pkcs11ca";
-+	print "    no-hw-pkcs11ca  [pk11-flavor]";
-+	print " OPENSSL_NO_HW_PKCS11CA\n";
-+}
-+
- my $IsMK1MF=scalar grep /^$target$/,@MK1MF_Builds;
- 
- $IsMK1MF=1 if ($target eq "mingw" && $^O ne "cygwin" && !is_msys());
-@@ -1129,6 +1182,8 @@
- if ($flags ne "")	{ $cflags="$flags$cflags"; }
- else			{ $no_user_cflags=1;       }
- 
-+$cflags="-DPK11_LIB_LOCATION=\"$pk11_libname\" $cflags";
-+
- # Kerberos settings.  The flavor must be provided from outside, either through
- # the script "config" or manually.
- if (!$no_krb5)
-@@ -1492,6 +1547,7 @@
- 	s/^VERSION=.*/VERSION=$version/;
- 	s/^MAJOR=.*/MAJOR=$major/;
- 	s/^MINOR=.*/MINOR=$minor/;
-+	s/^PK11_LIB_LOCATION=.*/PK11_LIB_LOCATION=$pk11_libname/;
- 	s/^SHLIB_VERSION_NUMBER=.*/SHLIB_VERSION_NUMBER=$shlib_version_number/;
- 	s/^SHLIB_VERSION_HISTORY=.*/SHLIB_VERSION_HISTORY=$shlib_version_history/;
- 	s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=$shlib_major/;
-Index: openssl/Makefile.org
-diff -u openssl/Makefile.org:1.4.6.1 openssl/Makefile.org:1.4
---- openssl/Makefile.org:1.4.6.1	Sun Jan 15 15:45:33 2012
-+++ openssl/Makefile.org	Mon Jun 13 14:25:15 2011
-@@ -26,6 +26,9 @@
- INSTALL_PREFIX=
- INSTALLTOP=/usr/local/ssl
- 
-+# You must set this through --pk11-libname configure option.
-+PK11_LIB_LOCATION=
-+
- # Do not edit this manually. Use Configure --openssldir=DIR do change this!
- OPENSSLDIR=/usr/local/ssl
- 
-Index: openssl/README.pkcs11
-diff -u /dev/null openssl/README.pkcs11:1.6.4.1
---- /dev/null	Mon Jan 16 18:53:41 2012
-+++ openssl/README.pkcs11	Mon Jun 13 18:27:39 2011
-@@ -0,0 +1,261 @@
-+ISC modified
-+============
-+
-+The previous key naming scheme was kept for backward compatibility.
-+
-+The PKCS#11 engine exists in two flavors, crypto-accelerator and
-+sign-only. The first one is from the Solaris patch and uses the
-+PKCS#11 device for all crypto operations it supports. The second
-+is a stripped down version which provides only the useful
-+function (i.e., signature with a RSA private key in the device
-+protected key store and key loading).
-+
-+As a hint PKCS#11 boards should use the crypto-accelerator flavor,
-+external PKCS#11 devices the sign-only. SCA 6000 is an example
-+of the first, AEP Keyper of the second.
-+
-+Note it is mandatory to set a pk11-flavor (and only one) in
-+config/Configure.
-+
-+PKCS#11 engine support for OpenSSL 0.9.8l
-+=========================================
-+
-+[Nov 19, 2009]
-+
-+Contents:
-+
-+Overview
-+Revisions of the patch for 0.9.8 branch
-+FAQs
-+Feedback
-+
-+Overview
-+========
-+
-+This patch containing code available in OpenSolaris adds support for PKCS#11
-+engine into OpenSSL and implements PKCS#11 v2.20. It is to be applied against
-+OpenSSL 0.9.8l source code distribution as shipped by OpenSSL.Org. Your system
-+must provide PKCS#11 backend otherwise the patch is useless. You provide the
-+PKCS#11 library name during the build configuration phase, see below.
-+
-+Patch can be applied like this:
-+
-+	# NOTE: use gtar if on Solaris
-+	tar xfzv openssl-0.9.8l.tar.gz
-+	# now download the patch to the current directory
-+	# ...
-+	cd openssl-0.9.8l
-+	# NOTE: must use gpatch if on Solaris (is part of the system)
-+	patch -p1 < path-to/pkcs11_engine-0.9.8l.patch.2009-11-19
-+
-+It is designed to support pure acceleration for RSA, DSA, DH and all the
-+symetric ciphers and message digest algorithms that PKCS#11 and OpenSSL share
-+except for missing support for patented algorithms MDC2, RC3, RC5 and IDEA.
-+
-+According to the PKCS#11 providers installed on your machine, it can support
-+following mechanisms:
-+
-+	RSA, DSA, DH, RAND, DES-CBC, DES-EDE3-CBC, DES-ECB, DES-EDE3, RC4,
-+	AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-ECB, AES-192-ECB,
-+	AES-256-ECB, AES-128-CTR, AES-192-CTR, AES-256-CTR, MD5, SHA1, SHA224,
-+	SHA256, SHA384, SHA512
-+
-+Note that for AES counter mode the application must provide their own EVP
-+functions since OpenSSL doesn't support counter mode through EVP yet. You may
-+see OpenSSH source code (cipher.c) to get the idea how to do that. SunSSH is an
-+example of code that uses the PKCS#11 engine and deals with the fork-safety
-+problem (see engine.c and packet.c files if interested).
-+
-+You must provide the location of PKCS#11 library in your system to the
-+configure script. You will be instructed to do that when you try to run the
-+config script:
-+
-+	$ ./config 
-+	Operating system: i86pc-whatever-solaris2
-+	Configuring for solaris-x86-cc
-+	You must set --pk11-libname for PKCS#11 library.
-+	See README.pkcs11 for more information.
-+
-+Taking openCryptoki project on Linux AMD64 box as an example, you would run
-+configure script like this:
-+
-+	./config --pk11-libname=/usr/lib64/pkcs11/PKCS11_API.so
-+
-+To check whether newly built openssl really supports PKCS#11 it's enough to run
-+"apps/openssl engine" and look for "(pkcs11) PKCS #11 engine support" in the
-+output. If you see no PKCS#11 engine support check that the built openssl binary
-+and the PKCS#11 library from --pk11-libname don't conflict on 32/64 bits.
-+
-+The patch, during various phases of development, was tested on Solaris against
-+PKCS#11 engine available from Solaris Cryptographic Framework (Solaris 10 and
-+OpenSolaris) and also on Linux using PKCS#11 libraries from openCryptoki project
-+(see openCryptoki website http://sourceforge.net/projects/opencryptoki for more
-+information). Some Linux distributions even ship those libraries with the
-+system. The patch should work on any system that is supported by OpenSSL itself
-+and has functional PKCS#11 library.
-+
-+The patch contains "RSA Security Inc. PKCS #11 Cryptographic Token Interface
-+(Cryptoki)" - files cryptoki.h, pkcs11.h, pkcs11f.h and pkcs11t.h which are
-+copyrighted by RSA Security Inc., see pkcs11.h for more information.
-+
-+Other added/modified code in this patch is copyrighted by Sun Microsystems,
-+Inc. and is released under the OpenSSL license (see LICENSE file for more
-+information).
-+
-+Revisions of the patch for 0.9.8 branch
-+=======================================
-+
-+2009-11-19
-+- adjusted for OpenSSL version 0.9.8l
-+
-+- bugs and RFEs:
-+
-+	6479874 OpenSSL should support RSA key by reference/hardware keystores
-+	6896677 PKCS#11 engine's hw_pk11_err.h needs to be split
-+	6732677 make check to trigger Solaris specific code automatic in the
-+		PKCS#11 engine
-+
-+2009-03-11
-+- adjusted for OpenSSL version 0.9.8j 
-+
-+- README.pkcs11 moved out of the patch, and is shipped together with it in a
-+  tarball instead so that it can be read before the patch is applied.
-+
-+- fixed bugs:
-+
-+	6804216 pkcs#11 engine should support a key length range for RC4
-+	6734038 Apache SSL web server using the pkcs11 engine fails to start if
-+		meta slot is disabled
-+
-+2008-12-02
-+- fixed bugs and RFEs (most of the work done by Vladimir Kotal)
-+
-+	6723504 more granular locking in PKCS#11 engine
-+	6667128 CRYPTO_LOCK_PK11_ENGINE assumption does not hold true
-+	6710420 PKCS#11 engine source should be lint clean
-+	6747327 PKCS#11 engine atfork handlers need to be aware of guys who take
-+		it seriously
-+	6746712 PKCS#11 engine source code should be cstyle clean
-+	6731380 return codes of several functions are not checked in the PKCS#11
-+		engine code
-+	6746735 PKCS#11 engine should use extended FILE space API
-+	6734038 Apache SSL web server using the pkcs11 engine fails to start if
-+		meta slot is disabled
-+
-+2008-08-01
-+- fixed bug
-+
-+	6731839 OpenSSL PKCS#11 engine no longer uses n2cp for symmetric ciphers
-+		and digests
-+
-+- Solaris specific code for slot selection made automatic
-+
-+2008-07-29
-+- update the patch to OpenSSL 0.9.8h version
-+- pkcs11t.h updated to the latest version:
-+
-+	6545665 make CKM_AES_CTR available to non-kernel users
-+
-+- fixed bugs in the engine code:
-+
-+	6602801 PK11_SESSION cache has to employ reference counting scheme for
-+		asymmetric key operations
-+	6605538 pkcs11 functions C_FindObjects[{Init,Final}]() not called
-+		atomically
-+	6607307 pkcs#11 engine can't read RSA private keys
-+	6652362 pk11_RSA_finish() is cutting corners
-+	6662112 pk11_destroy_{rsa,dsa,dh}_key_objects() use locking in
-+		suboptimal way
-+	6666625 pk11_destroy_{rsa,dsa,dh}_key_objects() should be more
-+		resilient to destroy failures
-+	6667273 OpenSSL engine should not use free() but OPENSSL_free()
-+	6670363 PKCS#11 engine fails to reuse existing symmetric keys
-+	6678135 memory corruption in pk11_DH_generate_key() in pkcs#11 engine
-+	6678503 DSA signature conversion in pk11_dsa_do_verify() ignores size
-+		of big numbers leading to failures
-+	6706562 pk11_DH_compute_key() returns 0 in case of failure instead of
-+		-1
-+	6706622 pk11_load_{pub,priv}key create corrupted RSA key references
-+	6707129 return values from BN_new() in pk11_DH_generate_key() are not
-+		checked
-+	6707274 DSA/RSA/DH PKCS#11 engine operations need to be resistant to
-+		structure reuse
-+	6707782 OpenSSL PKCS#11 engine pretends to be aware of
-+		OPENSSL_NO_{RSA,DSA,DH}
-+	defines but fails miserably
-+	6709966 make check_new_*() to return values to indicate cache hit/miss
-+	6705200 pk11_dh struct initialization in PKCS#11 engine is missing
-+		generate_params parameter
-+	6709513 PKCS#11 engine sets IV length even for ECB modes
-+	6728296 buffer length not initialized for C_(En|De)crypt_Final() in the
-+		PKCS#11 engine
-+	6728871 PKCS#11 engine must reset global_session in pk11_finish()
-+
-+- new features and enhancements:
-+
-+	6562155 OpenSSL pkcs#11 engine needs support for SHA224/256/384/512
-+	6685012 OpenSSL pkcs#11 engine needs support for new cipher modes
-+	6725903 OpenSSL PKCS#11 engine shouldn't use soft token for symmetric
-+		ciphers and digests
-+
-+2007-10-15
-+- update for 0.9.8f version
-+- update for "6607670 teach pkcs#11 engine how to use keys be reference"
-+
-+2007-10-02
-+- draft for "6607670 teach pkcs#11 engine how to use keys be reference"
-+- draft for "6607307 pkcs#11 engine can't read RSA private keys"
-+
-+2007-09-26
-+- 6375348 Using pkcs11 as the SSLCryptoDevice with Apache/OpenSSL causes
-+	  significant performance drop
-+- 6573196 memory is leaked when OpenSSL is used with PKCS#11 engine
-+
-+2007-05-25
-+- 6558630 race in OpenSSL pkcs11 engine when using symetric block ciphers
-+
-+2007-05-19
-+- initial patch for 0.9.8e using latest OpenSolaris code
-+
-+FAQs
-+====
-+
-+(1) my build failed on Linux distro with this error:
-+
-+../libcrypto.a(hw_pk11.o): In function `pk11_library_init':
-+hw_pk11.c:(.text+0x20f5): undefined reference to `pthread_atfork'
-+
-+Answer:
-+
-+	- don't use "no-threads" when configuring
-+	- if you didn't then OpenSSL failed to create a threaded library by
-+	  default. You may manually edit Configure and try again. Look for the
-+	  architecture that Configure printed, for example:
-+
-+Configured for linux-elf.
-+
-+	- then edit Configure, find string "linux-elf" (inluding the quotes),
-+	  and add flags to support threads to the 4th column of the 2nd string.
-+	  If you build with GCC then adding "-pthread" should be enough. With
-+	  "linux-elf" as an example, you would add " -pthread" right after
-+	  "-D_REENTRANT", like this:
-+
-+....-O3 -fomit-frame-pointer -Wall::-D_REENTRANT -pthread::-ldl:.....
-+
-+(2) I'm using MinGW/MSYS environment and get undeclared reference error for
-+pthread_atfork() function when trying to build OpenSSL with the patch.
-+
-+Answer:
-+
-+	Sorry, pthread_atfork() is not implemented in the current pthread-win32
-+	(as of Nov 2009). You can not use the patch there.
-+
-+
-+Feedback
-+========
-+
-+Please send feedback to security-discuss@opensolaris.org. The patch was
-+created by Jan.Pechanec@Sun.COM from code available in OpenSolaris.
-+
-+Latest version should be always available on http://blogs.sun.com/janp.
-+
-Index: openssl/crypto/opensslconf.h
-diff -u openssl/crypto/opensslconf.h:1.5.10.1 openssl/crypto/opensslconf.h:1.5
---- openssl/crypto/opensslconf.h:1.5.10.1	Sun Jan 15 15:45:34 2012
-+++ openssl/crypto/opensslconf.h	Fri Sep  4 10:43:21 2009
-@@ -38,6 +38,9 @@
- 
- #endif /* OPENSSL_DOING_MAKEDEPEND */
- 
-+#ifndef OPENSSL_THREADS
-+# define OPENSSL_THREADS
-+#endif
- #ifndef OPENSSL_NO_DYNAMIC_ENGINE
- # define OPENSSL_NO_DYNAMIC_ENGINE
- #endif
-@@ -79,6 +82,8 @@
- # endif
- #endif
- 
-+#define OPENSSL_CPUID_OBJ
-+
- /* crypto/opensslconf.h.in */
- 
- #ifdef OPENSSL_DOING_MAKEDEPEND
-@@ -140,7 +145,7 @@
-  * This enables code handling data aligned at natural CPU word
-  * boundary. See crypto/rc4/rc4_enc.c for further details.
-  */
--#undef RC4_CHUNK
-+#define RC4_CHUNK unsigned long
- #endif
- #endif
- 
-@@ -148,7 +153,7 @@
- /* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
-  * %20 speed up (longs are 8 bytes, int's are 4). */
- #ifndef DES_LONG
--#define DES_LONG unsigned long
-+#define DES_LONG unsigned int
- #endif
- #endif
- 
-@@ -162,9 +167,9 @@
- /* The prime number generation stuff may not work when
-  * EIGHT_BIT but I don't care since I've only used this mode
-  * for debuging the bignum libraries */
--#undef SIXTY_FOUR_BIT_LONG
-+#define SIXTY_FOUR_BIT_LONG
- #undef SIXTY_FOUR_BIT
--#define THIRTY_TWO_BIT
-+#undef THIRTY_TWO_BIT
- #undef SIXTEEN_BIT
- #undef EIGHT_BIT
- #endif
-@@ -178,7 +183,7 @@
- 
- #if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
- #define CONFIG_HEADER_BF_LOCL_H
--#undef BF_PTR
-+#define BF_PTR2
- #endif /* HEADER_BF_LOCL_H */
- 
- #if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-@@ -208,7 +213,7 @@
- /* Unroll the inner loop, this sometimes helps, sometimes hinders.
-  * Very mucy CPU dependant */
- #ifndef DES_UNROLL
--#undef DES_UNROLL
-+#define DES_UNROLL
- #endif
- 
- /* These default values were supplied by
-Index: openssl/crypto/bio/bss_file.c
-diff -u openssl/crypto/bio/bss_file.c:1.5.6.1 openssl/crypto/bio/bss_file.c:1.5
---- openssl/crypto/bio/bss_file.c:1.5.6.1	Sun Jan 15 15:45:35 2012
-+++ openssl/crypto/bio/bss_file.c	Mon Jun 13 14:25:17 2011
-@@ -125,7 +125,7 @@
- 		{
- 		SYSerr(SYS_F_FOPEN,get_last_sys_error());
- 		ERR_add_error_data(5,"fopen('",filename,"','",mode,"')");
--		if (errno == ENOENT)
-+		if ((errno == ENOENT) || ((*mode == 'r') && (errno == EACCES)))
- 			BIOerr(BIO_F_BIO_NEW_FILE,BIO_R_NO_SUCH_FILE);
- 		else
- 			BIOerr(BIO_F_BIO_NEW_FILE,ERR_R_SYS_LIB);
-Index: openssl/crypto/engine/Makefile
-diff -u openssl/crypto/engine/Makefile:1.6.6.1 openssl/crypto/engine/Makefile:1.6
---- openssl/crypto/engine/Makefile:1.6.6.1	Sun Jan 15 15:45:35 2012
-+++ openssl/crypto/engine/Makefile	Mon Jun 13 14:25:19 2011
-@@ -21,12 +21,14 @@
- 	eng_table.c eng_pkey.c eng_fat.c eng_all.c \
- 	tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c \
- 	tb_cipher.c tb_digest.c \
--	eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c eng_padlock.c
-+	eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c eng_padlock.c \
-+	hw_pk11.c hw_pk11_pub.c hw_pk11so.c hw_pk11so_pub.c
- LIBOBJ= eng_err.o eng_lib.o eng_list.o eng_init.o eng_ctrl.o \
- 	eng_table.o eng_pkey.o eng_fat.o eng_all.o \
- 	tb_rsa.o tb_dsa.o tb_ecdsa.o tb_dh.o tb_ecdh.o tb_rand.o tb_store.o \
- 	tb_cipher.o tb_digest.o \
--	eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o eng_padlock.o
-+	eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o eng_padlock.o \
-+	hw_pk11.o hw_pk11_pub.o hw_pk11so.o hw_pk11so_pub.o
- 
- SRC= $(LIBSRC)
- 
-@@ -288,6 +290,102 @@
- eng_table.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
- eng_table.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h
- eng_table.o: eng_table.c
-+hw_pk11.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-+hw_pk11.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h
-+hw_pk11.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h
-+hw_pk11.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+hw_pk11.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h
-+hw_pk11.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h
-+hw_pk11.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h
-+hw_pk11.o: ../../include/openssl/dh.h ../../include/openssl/rand.h
-+hw_pk11.o: ../../include/openssl/ui.h ../../include/openssl/err.h
-+hw_pk11.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h
-+hw_pk11.o: ../../include/openssl/pem.h ../../include/openssl/evp.h
-+hw_pk11.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-+hw_pk11.o: ../../include/openssl/md5.h ../../include/openssl/sha.h
-+hw_pk11.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h
-+hw_pk11.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h
-+hw_pk11.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h
-+hw_pk11.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h
-+hw_pk11.o: ../../include/openssl/cast.h ../../include/openssl/idea.h
-+hw_pk11.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h
-+hw_pk11.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h
-+hw_pk11.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h
-+hw_pk11.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h
-+hw_pk11.o: ../../include/openssl/pem2.h ../cryptlib.h
-+hw_pk11.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11.c
-+hw_pk11_pub.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-+hw_pk11_pub.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h
-+hw_pk11_pub.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h
-+hw_pk11_pub.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+hw_pk11_pub.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h
-+hw_pk11_pub.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h
-+hw_pk11_pub.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h
-+hw_pk11_pub.o: ../../include/openssl/dh.h ../../include/openssl/rand.h
-+hw_pk11_pub.o: ../../include/openssl/ui.h ../../include/openssl/err.h
-+hw_pk11_pub.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h
-+hw_pk11_pub.o: ../../include/openssl/pem.h ../../include/openssl/evp.h
-+hw_pk11_pub.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-+hw_pk11_pub.o: ../../include/openssl/md5.h ../../include/openssl/sha.h
-+hw_pk11_pub.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h
-+hw_pk11_pub.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h
-+hw_pk11_pub.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h
-+hw_pk11_pub.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h
-+hw_pk11_pub.o: ../../include/openssl/cast.h ../../include/openssl/idea.h
-+hw_pk11_pub.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h
-+hw_pk11_pub.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h
-+hw_pk11_pub.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h
-+hw_pk11_pub.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h
-+hw_pk11_pub.o: ../../include/openssl/pem2.h ../cryptlib.h
-+hw_pk11_pub.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11_pub.c
-+hw_pk11so.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-+hw_pk11so.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h
-+hw_pk11so.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h
-+hw_pk11so.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+hw_pk11so.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h
-+hw_pk11so.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h
-+hw_pk11so.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h
-+hw_pk11so.o: ../../include/openssl/dh.h ../../include/openssl/rand.h
-+hw_pk11so.o: ../../include/openssl/ui.h ../../include/openssl/err.h
-+hw_pk11so.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h
-+hw_pk11so.o: ../../include/openssl/pem.h ../../include/openssl/evp.h
-+hw_pk11so.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-+hw_pk11so.o: ../../include/openssl/md5.h ../../include/openssl/sha.h
-+hw_pk11so.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h
-+hw_pk11so.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h
-+hw_pk11so.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h
-+hw_pk11so.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h
-+hw_pk11so.o: ../../include/openssl/cast.h ../../include/openssl/idea.h
-+hw_pk11so.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h
-+hw_pk11so.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h
-+hw_pk11so.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h
-+hw_pk11so.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h
-+hw_pk11so.o: ../../include/openssl/pem2.h ../cryptlib.h
-+hw_pk11so.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11so.c
-+hw_pk11so_pub.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-+hw_pk11so_pub.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h
-+hw_pk11so_pub.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h
-+hw_pk11so_pub.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+hw_pk11so_pub.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h
-+hw_pk11so_pub.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h
-+hw_pk11so_pub.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h
-+hw_pk11so_pub.o: ../../include/openssl/dh.h ../../include/openssl/rand.h
-+hw_pk11so_pub.o: ../../include/openssl/ui.h ../../include/openssl/err.h
-+hw_pk11so_pub.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h
-+hw_pk11so_pub.o: ../../include/openssl/pem.h ../../include/openssl/evp.h
-+hw_pk11so_pub.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-+hw_pk11so_pub.o: ../../include/openssl/md5.h ../../include/openssl/sha.h
-+hw_pk11so_pub.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h
-+hw_pk11so_pub.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h
-+hw_pk11so_pub.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h
-+hw_pk11so_pub.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h
-+hw_pk11so_pub.o: ../../include/openssl/cast.h ../../include/openssl/idea.h
-+hw_pk11so_pub.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h
-+hw_pk11so_pub.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h
-+hw_pk11so_pub.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h
-+hw_pk11so_pub.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h
-+hw_pk11so_pub.o: ../../include/openssl/pem2.h ../cryptlib.h
-+hw_pk11so_pub.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11so_pub.c
- tb_cipher.o: ../../e_os.h ../../include/openssl/asn1.h
- tb_cipher.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
- tb_cipher.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-Index: openssl/crypto/engine/cryptoki.h
-diff -u /dev/null openssl/crypto/engine/cryptoki.h:1.4
---- /dev/null	Mon Jan 16 18:53:42 2012
-+++ openssl/crypto/engine/cryptoki.h	Thu Dec 18 00:14:12 2008
-@@ -0,0 +1,103 @@
-+/*
-+ * CDDL HEADER START
-+ *
-+ * The contents of this file are subject to the terms of the
-+ * Common Development and Distribution License, Version 1.0 only
-+ * (the "License").  You may not use this file except in compliance
-+ * with the License.
-+ *
-+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-+ * or http://www.opensolaris.org/os/licensing.
-+ * See the License for the specific language governing permissions
-+ * and limitations under the License.
-+ *
-+ * When distributing Covered Code, include this CDDL HEADER in each
-+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-+ * If applicable, add the following below this CDDL HEADER, with the
-+ * fields enclosed by brackets "[]" replaced with your own identifying
-+ * information: Portions Copyright [yyyy] [name of copyright owner]
-+ *
-+ * CDDL HEADER END
-+ */
-+/*
-+ * Copyright 2003 Sun Microsystems, Inc.   All rights reserved.
-+ * Use is subject to license terms.
-+ */
-+
-+#ifndef	_CRYPTOKI_H
-+#define	_CRYPTOKI_H
-+
-+/* ident	"@(#)cryptoki.h	1.2	05/06/08 SMI" */
-+
-+#ifdef	__cplusplus
-+extern "C" {
-+#endif
-+
-+#ifndef	CK_PTR
-+#define	CK_PTR *
-+#endif
-+
-+#ifndef CK_DEFINE_FUNCTION
-+#define	CK_DEFINE_FUNCTION(returnType, name) returnType name
-+#endif
-+
-+#ifndef CK_DECLARE_FUNCTION
-+#define	CK_DECLARE_FUNCTION(returnType, name) returnType name
-+#endif
-+
-+#ifndef CK_DECLARE_FUNCTION_POINTER
-+#define	CK_DECLARE_FUNCTION_POINTER(returnType, name) returnType (* name)
-+#endif
-+
-+#ifndef CK_CALLBACK_FUNCTION
-+#define	CK_CALLBACK_FUNCTION(returnType, name) returnType (* name)
-+#endif
-+
-+#ifndef NULL_PTR
-+#include <unistd.h>	/* For NULL */
-+#define	NULL_PTR NULL
-+#endif
-+
-+/*
-+ * pkcs11t.h defines TRUE and FALSE in a way that upsets lint
-+ */
-+#ifndef	CK_DISABLE_TRUE_FALSE
-+#define	CK_DISABLE_TRUE_FALSE
-+#ifndef	TRUE
-+#define	TRUE	1
-+#endif /* TRUE */
-+#ifndef	FALSE
-+#define	FALSE	0
-+#endif /* FALSE */
-+#endif /* CK_DISABLE_TRUE_FALSE */
-+
-+#undef CK_PKCS11_FUNCTION_INFO
-+
-+#include "pkcs11.h"
-+
-+/* Solaris specific functions */
-+
-+#include <stdlib.h>
-+
-+/*
-+ * SUNW_C_GetMechSession will initialize the framework and do all
-+ * the necessary PKCS#11 calls to create a session capable of
-+ * providing operations on the requested mechanism
-+ */
-+CK_RV SUNW_C_GetMechSession(CK_MECHANISM_TYPE mech,
-+    CK_SESSION_HANDLE_PTR hSession);
-+
-+/*
-+ * SUNW_C_KeyToObject will create a secret key object for the given
-+ * mechanism from the rawkey data.
-+ */
-+CK_RV SUNW_C_KeyToObject(CK_SESSION_HANDLE hSession,
-+    CK_MECHANISM_TYPE mech, const void *rawkey, size_t rawkey_len,
-+    CK_OBJECT_HANDLE_PTR obj);
-+
-+
-+#ifdef	__cplusplus
-+}
-+#endif
-+
-+#endif	/* _CRYPTOKI_H */
-Index: openssl/crypto/engine/eng_all.c
-diff -u openssl/crypto/engine/eng_all.c:1.4.6.1 openssl/crypto/engine/eng_all.c:1.4
---- openssl/crypto/engine/eng_all.c:1.4.6.1	Sun Jan 15 15:45:36 2012
-+++ openssl/crypto/engine/eng_all.c	Mon Jun 13 14:25:19 2011
-@@ -110,6 +110,14 @@
- #if defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG)
- 	ENGINE_load_capi();
- #endif
-+#ifndef OPENSSL_NO_HW_PKCS11
-+#ifndef OPENSSL_NO_HW_PKCS11CA
-+	ENGINE_load_pk11ca();
-+#endif
-+#ifndef OPENSSL_NO_HW_PKCS11SO
-+	ENGINE_load_pk11so();
-+#endif
-+#endif
- #endif
- 	}
- 
-Index: openssl/crypto/engine/engine.h
-diff -u openssl/crypto/engine/engine.h:1.4.6.1 openssl/crypto/engine/engine.h:1.4
---- openssl/crypto/engine/engine.h:1.4.6.1	Sun Jan 15 15:45:36 2012
-+++ openssl/crypto/engine/engine.h	Mon Jun 13 14:25:19 2011
-@@ -344,6 +344,12 @@
- void ENGINE_load_capi(void);
- #endif
- #endif
-+#ifndef OPENSSL_NO_HW_PKCS11CA
-+void ENGINE_load_pk11ca(void);
-+#endif
-+#ifndef OPENSSL_NO_HW_PKCS11SO
-+void ENGINE_load_pk11so(void);
-+#endif
- 
- /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation
-  * "registry" handling. */
-Index: openssl/crypto/engine/hw_pk11.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.2
---- /dev/null	Mon Jan 16 18:53:42 2012
-+++ openssl/crypto/engine/hw_pk11.c	Thu Jun 16 12:31:35 2011
-@@ -0,0 +1,4057 @@
-+/*
-+ * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
-+ * Use is subject to license terms.
-+ */
-+
-+/* crypto/engine/hw_pk11.c */
-+/*
-+ * This product includes software developed by the OpenSSL Project for
-+ * use in the OpenSSL Toolkit (http://www.openssl.org/).
-+ *
-+ * This project also referenced hw_pkcs11-0.9.7b.patch written by
-+ * Afchine Madjlessi.
-+ */
-+/*
-+ * ====================================================================
-+ * Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com).  This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <sys/types.h>
-+
-+#include <openssl/e_os2.h>
-+#include <openssl/crypto.h>
-+#include <cryptlib.h>
-+#include <openssl/engine.h>
-+#include <openssl/dso.h>
-+#include <openssl/err.h>
-+#include <openssl/bn.h>
-+#include <openssl/md5.h>
-+#include <openssl/pem.h>
-+#ifndef OPENSSL_NO_RSA
-+#include <openssl/rsa.h>
-+#endif
-+#ifndef OPENSSL_NO_DSA
-+#include <openssl/dsa.h>
-+#endif
-+#ifndef OPENSSL_NO_DH
-+#include <openssl/dh.h>
-+#endif
-+#include <openssl/rand.h>
-+#include <openssl/objects.h>
-+#include <openssl/x509.h>
-+#include <openssl/aes.h>
-+
-+#ifdef OPENSSL_SYS_WIN32
-+typedef int pid_t;
-+#define getpid() GetCurrentProcessId()
-+#define NOPTHREADS
-+#ifndef NULL_PTR
-+#define NULL_PTR NULL
-+#endif
-+#define CK_DEFINE_FUNCTION(returnType, name) \
-+	returnType __declspec(dllexport) name
-+#define CK_DECLARE_FUNCTION(returnType, name) \
-+	returnType __declspec(dllimport) name
-+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
-+	returnType __declspec(dllimport) (* name)
-+#else
-+#include <signal.h>
-+#include <unistd.h>
-+#include <dlfcn.h>
-+#endif
-+
-+#ifndef NOPTHREADS
-+#include <pthread.h>
-+#endif
-+
-+#ifndef OPENSSL_NO_HW
-+#ifndef OPENSSL_NO_HW_PK11
-+#ifndef OPENSSL_NO_HW_PK11CA
-+
-+/* label for debug messages printed on stderr */
-+#define	PK11_DBG	"PKCS#11 ENGINE DEBUG"
-+/* prints a lot of debug messages on stderr about slot selection process */
-+/* #undef	DEBUG_SLOT_SELECTION */
-+/*
-+ * Solaris specific code. See comment at check_hw_mechanisms() for more
-+ * information.
-+ */
-+#if defined(__SVR4) && defined(__sun)
-+#undef	SOLARIS_HW_SLOT_SELECTION
-+#endif
-+
-+/*
-+ * AES counter mode is not supported in the OpenSSL EVP API yet and neither
-+ * there are official OIDs for mechanisms based on this mode. With our changes,
-+ * an application can define its own EVP calls for AES counter mode and then
-+ * it can make use of hardware acceleration through this engine. However, it's
-+ * better if we keep AES CTR support code under ifdef's.
-+ */
-+#define	SOLARIS_AES_CTR
-+
-+#ifdef OPENSSL_SYS_WIN32
-+#pragma pack(push, cryptoki, 1)
-+#include "cryptoki.h"
-+#include "pkcs11.h"
-+#pragma pack(pop, cryptoki)
-+#else
-+#include "cryptoki.h"
-+#include "pkcs11.h"
-+#endif
-+#include "hw_pk11ca.h"
-+#include "hw_pk11_err.c"
-+
-+#ifdef	SOLARIS_AES_CTR
-+/*
-+ * NIDs for AES counter mode that will be defined during the engine
-+ * initialization.
-+ */
-+static int NID_aes_128_ctr = NID_undef;
-+static int NID_aes_192_ctr = NID_undef;
-+static int NID_aes_256_ctr = NID_undef;
-+#endif	/* SOLARIS_AES_CTR */
-+
-+/*
-+ * We use this lock to prevent multiple C_Login()s, guard getpassphrase(),
-+ * uri_struct manipulation, and static token info. All of that is used by the
-+ * RSA keys by reference feature.
-+ */
-+#ifndef NOPTHREADS
-+pthread_mutex_t *token_lock;
-+#endif
-+
-+#ifdef	SOLARIS_HW_SLOT_SELECTION
-+/*
-+ * Tables for symmetric ciphers and digest mechs found in the pkcs11_kernel
-+ * library. See comment at check_hw_mechanisms() for more information.
-+ */
-+static int *hw_cnids;
-+static int *hw_dnids;
-+#endif	/* SOLARIS_HW_SLOT_SELECTION */
-+
-+/* PKCS#11 session caches and their locks for all operation types */
-+static PK11_CACHE session_cache[OP_MAX];
-+
-+/*
-+ * We cache the flags so that we do not have to run C_GetTokenInfo() again when
-+ * logging into the token.
-+ */
-+CK_FLAGS pubkey_token_flags;
-+
-+/*
-+ * As stated in v2.20, 11.7 Object Management Function, in section for
-+ * C_FindObjectsInit(), at most one search operation may be active at a given
-+ * time in a given session. Therefore, C_Find{,Init,Final}Objects() should be
-+ * grouped together to form one atomic search operation. This is already
-+ * ensured by the property of unique PKCS#11 session handle used for each
-+ * PK11_SESSION object.
-+ *
-+ * This is however not the biggest concern - maintaining consistency of the
-+ * underlying object store is more important. The same section of the spec also
-+ * says that one thread can be in the middle of a search operation while another
-+ * thread destroys the object matching the search template which would result in
-+ * invalid handle returned from the search operation.
-+ *
-+ * Hence, the following locks are used for both protection of the object stores.
-+ * They are also used for active list protection.
-+ */
-+#ifndef NOPTHREADS
-+pthread_mutex_t *find_lock[OP_MAX] = { NULL };
-+#endif
-+
-+/*
-+ * lists of asymmetric key handles which are active (referenced by at least one
-+ * PK11_SESSION structure, either held by a thread or present in free_session
-+ * list) for given algorithm type
-+ */
-+PK11_active *active_list[OP_MAX] = { NULL };
-+
-+/*
-+ * Create all secret key objects in a global session so that they are available
-+ * to use for other sessions. These other sessions may be opened or closed
-+ * without losing the secret key objects.
-+ */
-+static CK_SESSION_HANDLE	global_session = CK_INVALID_HANDLE;
-+
-+/* ENGINE level stuff */
-+static int pk11_init(ENGINE *e);
-+static int pk11_library_init(ENGINE *e);
-+static int pk11_finish(ENGINE *e);
-+static int pk11_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
-+static int pk11_destroy(ENGINE *e);
-+
-+/* RAND stuff */
-+static void pk11_rand_seed(const void *buf, int num);
-+static void pk11_rand_add(const void *buf, int num, double add_entropy);
-+static void pk11_rand_cleanup(void);
-+static int pk11_rand_bytes(unsigned char *buf, int num);
-+static int pk11_rand_status(void);
-+
-+/* These functions are also used in other files */
-+PK11_SESSION *pk11_get_session(PK11_OPTYPE optype);
-+void pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype);
-+
-+/* active list manipulation functions used in this file */
-+extern int pk11_active_delete(CK_OBJECT_HANDLE h, PK11_OPTYPE type);
-+extern void pk11_free_active_list(PK11_OPTYPE type);
-+
-+#ifndef OPENSSL_NO_RSA
-+int pk11_destroy_rsa_key_objects(PK11_SESSION *session);
-+int pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
-+int pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
-+#endif
-+#ifndef OPENSSL_NO_DSA
-+int pk11_destroy_dsa_key_objects(PK11_SESSION *session);
-+int pk11_destroy_dsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
-+int pk11_destroy_dsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
-+#endif
-+#ifndef OPENSSL_NO_DH
-+int pk11_destroy_dh_key_objects(PK11_SESSION *session);
-+int pk11_destroy_dh_object(PK11_SESSION *session, CK_BBOOL uselock);
-+#endif
-+
-+/* Local helper functions */
-+static int pk11_free_all_sessions(void);
-+static int pk11_free_session_list(PK11_OPTYPE optype);
-+static int pk11_setup_session(PK11_SESSION *sp, PK11_OPTYPE optype);
-+static int pk11_destroy_cipher_key_objects(PK11_SESSION *session);
-+static int pk11_destroy_object(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE oh,
-+	CK_BBOOL persistent);
-+static const char *get_PK11_LIBNAME(void);
-+static void free_PK11_LIBNAME(void);
-+static long set_PK11_LIBNAME(const char *name);
-+
-+/* Symmetric cipher and digest support functions */
-+static int cipher_nid_to_pk11(int nid);
-+#ifdef	SOLARIS_AES_CTR
-+static int pk11_add_NID(char *sn, char *ln);
-+static int pk11_add_aes_ctr_NIDs(void);
-+#endif	/* SOLARIS_AES_CTR */
-+static int pk11_usable_ciphers(const int **nids);
-+static int pk11_usable_digests(const int **nids);
-+static int pk11_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-+	const unsigned char *iv, int enc);
-+static int pk11_cipher_final(PK11_SESSION *sp);
-+#if OPENSSL_VERSION_NUMBER < 0x10000000L
-+static int pk11_cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-+	const unsigned char *in, unsigned int inl);
-+#else
-+static int pk11_cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-+	const unsigned char *in, size_t inl);
-+#endif
-+static int pk11_cipher_cleanup(EVP_CIPHER_CTX *ctx);
-+static int pk11_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
-+	const int **nids, int nid);
-+static int pk11_engine_digests(ENGINE *e, const EVP_MD **digest,
-+	const int **nids, int nid);
-+static CK_OBJECT_HANDLE pk11_get_cipher_key(EVP_CIPHER_CTX *ctx,
-+	const unsigned char *key, CK_KEY_TYPE key_type, PK11_SESSION *sp);
-+static int check_new_cipher_key(PK11_SESSION *sp, const unsigned char *key,
-+	int key_len);
-+static int md_nid_to_pk11(int nid);
-+static int pk11_digest_init(EVP_MD_CTX *ctx);
-+static int pk11_digest_update(EVP_MD_CTX *ctx, const void *data,
-+	size_t count);
-+static int pk11_digest_final(EVP_MD_CTX *ctx, unsigned char *md);
-+static int pk11_digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from);
-+static int pk11_digest_cleanup(EVP_MD_CTX *ctx);
-+
-+static int pk11_choose_slots(int *any_slot_found);
-+static void pk11_find_symmetric_ciphers(CK_FUNCTION_LIST_PTR pflist,
-+    CK_SLOT_ID current_slot, int *current_slot_n_cipher,
-+    int *local_cipher_nids);
-+static void pk11_find_digests(CK_FUNCTION_LIST_PTR pflist,
-+    CK_SLOT_ID current_slot, int *current_slot_n_digest,
-+    int *local_digest_nids);
-+static void pk11_get_symmetric_cipher(CK_FUNCTION_LIST_PTR, int slot_id,
-+    CK_MECHANISM_TYPE mech, int *current_slot_n_cipher, int *local_cipher_nids,
-+    int id);
-+static void pk11_get_digest(CK_FUNCTION_LIST_PTR pflist, int slot_id,
-+    CK_MECHANISM_TYPE mech, int *current_slot_n_digest, int *local_digest_nids,
-+    int id);
-+
-+static int pk11_init_all_locks(void);
-+static void pk11_free_all_locks(void);
-+
-+#ifdef	SOLARIS_HW_SLOT_SELECTION
-+static int check_hw_mechanisms(void);
-+static int nid_in_table(int nid, int *nid_table);
-+#endif	/* SOLARIS_HW_SLOT_SELECTION */
-+
-+/* Index for the supported ciphers */
-+enum pk11_cipher_id {
-+	PK11_DES_CBC,
-+	PK11_DES3_CBC,
-+	PK11_DES_ECB,
-+	PK11_DES3_ECB,
-+	PK11_RC4,
-+	PK11_AES_128_CBC,
-+	PK11_AES_192_CBC,
-+	PK11_AES_256_CBC,
-+	PK11_AES_128_ECB,
-+	PK11_AES_192_ECB,
-+	PK11_AES_256_ECB,
-+	PK11_BLOWFISH_CBC,
-+#ifdef	SOLARIS_AES_CTR
-+	PK11_AES_128_CTR,
-+	PK11_AES_192_CTR,
-+	PK11_AES_256_CTR,
-+#endif	/* SOLARIS_AES_CTR */
-+	PK11_CIPHER_MAX
-+};
-+
-+/* Index for the supported digests */
-+enum pk11_digest_id {
-+	PK11_MD5,
-+	PK11_SHA1,
-+	PK11_SHA224,
-+	PK11_SHA256,
-+	PK11_SHA384,
-+	PK11_SHA512,
-+	PK11_DIGEST_MAX
-+};
-+
-+#define	TRY_OBJ_DESTROY(sp, obj_hdl, retval, uselock, alg_type, priv)	\
-+	{								\
-+	if (uselock)							\
-+		LOCK_OBJSTORE(alg_type);				\
-+	if (pk11_active_delete(obj_hdl, alg_type) == 1)			\
-+		{							\
-+		  retval = pk11_destroy_object(sp->session, obj_hdl,	\
-+		  priv ? sp->priv_persistent : sp->pub_persistent);	\
-+		}							\
-+	if (uselock)							\
-+		UNLOCK_OBJSTORE(alg_type);				\
-+	}
-+
-+static int cipher_nids[PK11_CIPHER_MAX];
-+static int digest_nids[PK11_DIGEST_MAX];
-+static int cipher_count		= 0;
-+static int digest_count		= 0;
-+static CK_BBOOL pk11_have_rsa	= CK_FALSE;
-+static CK_BBOOL pk11_have_recover = CK_FALSE;
-+static CK_BBOOL pk11_have_dsa	= CK_FALSE;
-+static CK_BBOOL pk11_have_dh	= CK_FALSE;
-+static CK_BBOOL pk11_have_random = CK_FALSE;
-+
-+typedef struct PK11_CIPHER_st
-+	{
-+	enum pk11_cipher_id	id;
-+	int			nid;
-+	int			iv_len;
-+	int			min_key_len;
-+	int			max_key_len;
-+	CK_KEY_TYPE		key_type;
-+	CK_MECHANISM_TYPE	mech_type;
-+	} PK11_CIPHER;
-+
-+static PK11_CIPHER ciphers[] =
-+	{
-+	{ PK11_DES_CBC,		NID_des_cbc,		8,	 8,   8,
-+		CKK_DES,	CKM_DES_CBC, },
-+	{ PK11_DES3_CBC,	NID_des_ede3_cbc,	8,	24,  24,
-+		CKK_DES3,	CKM_DES3_CBC, },
-+	{ PK11_DES_ECB,		NID_des_ecb,		0,	 8,   8,
-+		CKK_DES,	CKM_DES_ECB, },
-+	{ PK11_DES3_ECB,	NID_des_ede3_ecb,	0,	24,  24,
-+		CKK_DES3,	CKM_DES3_ECB, },
-+	{ PK11_RC4,		NID_rc4,		0,	16, 256,
-+		CKK_RC4,	CKM_RC4, },
-+	{ PK11_AES_128_CBC,	NID_aes_128_cbc,	16,	16,  16,
-+		CKK_AES,	CKM_AES_CBC, },
-+	{ PK11_AES_192_CBC,	NID_aes_192_cbc,	16,	24,  24,
-+		CKK_AES,	CKM_AES_CBC, },
-+	{ PK11_AES_256_CBC,	NID_aes_256_cbc,	16,	32,  32,
-+		CKK_AES,	CKM_AES_CBC, },
-+	{ PK11_AES_128_ECB,	NID_aes_128_ecb,	0,	16,  16,
-+		CKK_AES,	CKM_AES_ECB, },
-+	{ PK11_AES_192_ECB,	NID_aes_192_ecb,	0,	24,  24,
-+		CKK_AES,	CKM_AES_ECB, },
-+	{ PK11_AES_256_ECB,	NID_aes_256_ecb,	0,	32,  32,
-+		CKK_AES,	CKM_AES_ECB, },
-+	{ PK11_BLOWFISH_CBC,	NID_bf_cbc,		8,	16,  16,
-+		CKK_BLOWFISH,	CKM_BLOWFISH_CBC, },
-+#ifdef	SOLARIS_AES_CTR
-+	/* we don't know the correct NIDs until the engine is initialized */
-+	{ PK11_AES_128_CTR,	NID_undef,		16,	16,  16,
-+		CKK_AES,	CKM_AES_CTR, },
-+	{ PK11_AES_192_CTR,	NID_undef,		16,	24,  24,
-+		CKK_AES,	CKM_AES_CTR, },
-+	{ PK11_AES_256_CTR,	NID_undef,		16,	32,  32,
-+		CKK_AES,	CKM_AES_CTR, },
-+#endif	/* SOLARIS_AES_CTR */
-+	};
-+
-+typedef struct PK11_DIGEST_st
-+	{
-+	enum pk11_digest_id	id;
-+	int			nid;
-+	CK_MECHANISM_TYPE	mech_type;
-+	} PK11_DIGEST;
-+
-+static PK11_DIGEST digests[] =
-+	{
-+	{PK11_MD5,	NID_md5,	CKM_MD5, },
-+	{PK11_SHA1,	NID_sha1,	CKM_SHA_1, },
-+	{PK11_SHA224,	NID_sha224,	CKM_SHA224, },
-+	{PK11_SHA256,	NID_sha256,	CKM_SHA256, },
-+	{PK11_SHA384,	NID_sha384,	CKM_SHA384, },
-+	{PK11_SHA512,	NID_sha512,	CKM_SHA512, },
-+	{0,		NID_undef,	0xFFFF, },
-+	};
-+
-+/*
-+ * Structure to be used for the cipher_data/md_data in
-+ * EVP_CIPHER_CTX/EVP_MD_CTX structures in order to use the same pk11
-+ * session in multiple cipher_update calls
-+ */
-+typedef struct PK11_CIPHER_STATE_st
-+	{
-+	PK11_SESSION	*sp;
-+	} PK11_CIPHER_STATE;
-+
-+
-+/*
-+ * libcrypto EVP stuff - this is how we get wired to EVP so the engine gets
-+ * called when libcrypto requests a cipher NID.
-+ *
-+ * Note how the PK11_CIPHER_STATE is used here.
-+ */
-+
-+/* DES CBC EVP */
-+static const EVP_CIPHER pk11_des_cbc =
-+	{
-+	NID_des_cbc,
-+	8, 8, 8,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+/* 3DES CBC EVP */
-+static const EVP_CIPHER pk11_3des_cbc =
-+	{
-+	NID_des_ede3_cbc,
-+	8, 24, 8,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+/*
-+ * ECB modes don't use an Initial Vector so that's why set_asn1_parameters and
-+ * get_asn1_parameters fields are set to NULL.
-+ */
-+static const EVP_CIPHER pk11_des_ecb =
-+	{
-+	NID_des_ecb,
-+	8, 8, 8,
-+	EVP_CIPH_ECB_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	NULL,
-+	NULL,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_3des_ecb =
-+	{
-+	NID_des_ede3_ecb,
-+	8, 24, 8,
-+	EVP_CIPH_ECB_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	NULL,
-+	NULL,
-+	NULL
-+	};
-+
-+
-+static const EVP_CIPHER pk11_aes_128_cbc =
-+	{
-+	NID_aes_128_cbc,
-+	16, 16, 16,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_aes_192_cbc =
-+	{
-+	NID_aes_192_cbc,
-+	16, 24, 16,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_aes_256_cbc =
-+	{
-+	NID_aes_256_cbc,
-+	16, 32, 16,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+/*
-+ * ECB modes don't use IV so that's why set_asn1_parameters and
-+ * get_asn1_parameters are set to NULL.
-+ */
-+static const EVP_CIPHER pk11_aes_128_ecb =
-+	{
-+	NID_aes_128_ecb,
-+	16, 16, 0,
-+	EVP_CIPH_ECB_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	NULL,
-+	NULL,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_aes_192_ecb =
-+	{
-+	NID_aes_192_ecb,
-+	16, 24, 0,
-+	EVP_CIPH_ECB_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	NULL,
-+	NULL,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_aes_256_ecb =
-+	{
-+	NID_aes_256_ecb,
-+	16, 32, 0,
-+	EVP_CIPH_ECB_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	NULL,
-+	NULL,
-+	NULL
-+	};
-+
-+#ifdef	SOLARIS_AES_CTR
-+/*
-+ * NID_undef's will be changed to the AES counter mode NIDs as soon they are
-+ * created in pk11_library_init(). Note that the need to change these structures
-+ * is the reason why we don't define them with the const keyword.
-+ */
-+static EVP_CIPHER pk11_aes_128_ctr =
-+	{
-+	NID_undef,
-+	16, 16, 16,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+static EVP_CIPHER pk11_aes_192_ctr =
-+	{
-+	NID_undef,
-+	16, 24, 16,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+static EVP_CIPHER pk11_aes_256_ctr =
-+	{
-+	NID_undef,
-+	16, 32, 16,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+#endif	/* SOLARIS_AES_CTR */
-+
-+static const EVP_CIPHER pk11_bf_cbc =
-+	{
-+	NID_bf_cbc,
-+	8, 16, 8,
-+	EVP_CIPH_VARIABLE_LENGTH,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_rc4 =
-+	{
-+	NID_rc4,
-+	1, 16, 0,
-+	EVP_CIPH_VARIABLE_LENGTH,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	NULL,
-+	NULL,
-+	NULL
-+	};
-+
-+static const EVP_MD pk11_md5 =
-+	{
-+	NID_md5,
-+	NID_md5WithRSAEncryption,
-+	MD5_DIGEST_LENGTH,
-+	0,
-+	pk11_digest_init,
-+	pk11_digest_update,
-+	pk11_digest_final,
-+	pk11_digest_copy,
-+	pk11_digest_cleanup,
-+	EVP_PKEY_RSA_method,
-+	MD5_CBLOCK,
-+	sizeof (PK11_CIPHER_STATE),
-+	};
-+
-+static const EVP_MD pk11_sha1 =
-+	{
-+	NID_sha1,
-+	NID_sha1WithRSAEncryption,
-+	SHA_DIGEST_LENGTH,
-+	0,
-+	pk11_digest_init,
-+	pk11_digest_update,
-+	pk11_digest_final,
-+	pk11_digest_copy,
-+	pk11_digest_cleanup,
-+	EVP_PKEY_RSA_method,
-+	SHA_CBLOCK,
-+	sizeof (PK11_CIPHER_STATE),
-+	};
-+
-+static const EVP_MD pk11_sha224 =
-+	{
-+	NID_sha224,
-+	NID_sha224WithRSAEncryption,
-+	SHA224_DIGEST_LENGTH,
-+	0,
-+	pk11_digest_init,
-+	pk11_digest_update,
-+	pk11_digest_final,
-+	pk11_digest_copy,
-+	pk11_digest_cleanup,
-+	EVP_PKEY_RSA_method,
-+	/* SHA-224 uses the same cblock size as SHA-256 */
-+	SHA256_CBLOCK,
-+	sizeof (PK11_CIPHER_STATE),
-+	};
-+
-+static const EVP_MD pk11_sha256 =
-+	{
-+	NID_sha256,
-+	NID_sha256WithRSAEncryption,
-+	SHA256_DIGEST_LENGTH,
-+	0,
-+	pk11_digest_init,
-+	pk11_digest_update,
-+	pk11_digest_final,
-+	pk11_digest_copy,
-+	pk11_digest_cleanup,
-+	EVP_PKEY_RSA_method,
-+	SHA256_CBLOCK,
-+	sizeof (PK11_CIPHER_STATE),
-+	};
-+
-+static const EVP_MD pk11_sha384 =
-+	{
-+	NID_sha384,
-+	NID_sha384WithRSAEncryption,
-+	SHA384_DIGEST_LENGTH,
-+	0,
-+	pk11_digest_init,
-+	pk11_digest_update,
-+	pk11_digest_final,
-+	pk11_digest_copy,
-+	pk11_digest_cleanup,
-+	EVP_PKEY_RSA_method,
-+	/* SHA-384 uses the same cblock size as SHA-512 */
-+	SHA512_CBLOCK,
-+	sizeof (PK11_CIPHER_STATE),
-+	};
-+
-+static const EVP_MD pk11_sha512 =
-+	{
-+	NID_sha512,
-+	NID_sha512WithRSAEncryption,
-+	SHA512_DIGEST_LENGTH,
-+	0,
-+	pk11_digest_init,
-+	pk11_digest_update,
-+	pk11_digest_final,
-+	pk11_digest_copy,
-+	pk11_digest_cleanup,
-+	EVP_PKEY_RSA_method,
-+	SHA512_CBLOCK,
-+	sizeof (PK11_CIPHER_STATE),
-+	};
-+
-+/*
-+ * Initialization function. Sets up various PKCS#11 library components.
-+ * The definitions for control commands specific to this engine
-+ */
-+#define PK11_CMD_SO_PATH		ENGINE_CMD_BASE
-+#define PK11_CMD_PIN			(ENGINE_CMD_BASE+1)
-+#define PK11_CMD_SLOT			(ENGINE_CMD_BASE+2)
-+static const ENGINE_CMD_DEFN pk11_cmd_defns[] =
-+	{
-+		{
-+		PK11_CMD_SO_PATH,
-+		"SO_PATH",
-+		"Specifies the path to the 'pkcs#11' shared library",
-+		ENGINE_CMD_FLAG_STRING
-+		},
-+		{
-+		PK11_CMD_PIN,
-+		"PIN",
-+		"Specifies the pin code",
-+		ENGINE_CMD_FLAG_STRING
-+		},
-+		{
-+		PK11_CMD_SLOT,
-+		"SLOT",
-+		"Specifies the slot (default is auto select)",
-+		ENGINE_CMD_FLAG_NUMERIC,
-+		},
-+		{0, NULL, NULL, 0}
-+	};
-+
-+
-+static RAND_METHOD pk11_random =
-+	{
-+	pk11_rand_seed,
-+	pk11_rand_bytes,
-+	pk11_rand_cleanup,
-+	pk11_rand_add,
-+	pk11_rand_bytes,
-+	pk11_rand_status
-+	};
-+
-+
-+/* Constants used when creating the ENGINE */
-+#ifdef OPENSSL_NO_HW_PK11SO
-+#error "can't load both crypto-accelerator and sign-only PKCS#11 engines"
-+#endif
-+static const char *engine_pk11_id = "pkcs11";
-+static const char *engine_pk11_name =
-+	"PKCS #11 engine support (crypto accelerator)";
-+
-+CK_FUNCTION_LIST_PTR pFuncList = NULL;
-+static const char PK11_GET_FUNCTION_LIST[] = "C_GetFunctionList";
-+
-+/*
-+ * This is a static string constant for the DSO file name and the function
-+ * symbol names to bind to. We set it in the Configure script based on whether
-+ * this is 32 or 64 bit build.
-+ */
-+static const char def_PK11_LIBNAME[] = PK11_LIB_LOCATION;
-+
-+static CK_BBOOL true = TRUE;
-+static CK_BBOOL false = FALSE;
-+/* Needed in hw_pk11_pub.c as well so that's why it is not static. */
-+CK_SLOT_ID pubkey_SLOTID = 0;
-+static CK_SLOT_ID rand_SLOTID = 0;
-+static CK_SLOT_ID SLOTID = 0;
-+char *pk11_pin = NULL;
-+static CK_BBOOL pk11_library_initialized = FALSE;
-+static CK_BBOOL pk11_atfork_initialized = FALSE;
-+static int pk11_pid = 0;
-+
-+static DSO *pk11_dso = NULL;
-+
-+/* allocate and initialize all locks used by the engine itself */
-+static int pk11_init_all_locks(void)
-+	{
-+#ifndef NOPTHREADS
-+	int type;
-+
-+	if ((token_lock = OPENSSL_malloc(sizeof (pthread_mutex_t))) == NULL)
-+		goto malloc_err;
-+	(void) pthread_mutex_init(token_lock, NULL);
-+
-+#ifndef OPENSSL_NO_RSA
-+	find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
-+	if (find_lock[OP_RSA] == NULL)
-+		goto malloc_err;
-+	(void) pthread_mutex_init(find_lock[OP_RSA], NULL);
-+#endif /* OPENSSL_NO_RSA */
-+
-+#ifndef OPENSSL_NO_DSA
-+	find_lock[OP_DSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
-+	if (find_lock[OP_DSA] == NULL)
-+		goto malloc_err;
-+	(void) pthread_mutex_init(find_lock[OP_DSA], NULL);
-+#endif /* OPENSSL_NO_DSA */
-+
-+#ifndef OPENSSL_NO_DH
-+	find_lock[OP_DH] = OPENSSL_malloc(sizeof (pthread_mutex_t));
-+	if (find_lock[OP_DH] == NULL)
-+		goto malloc_err;
-+	(void) pthread_mutex_init(find_lock[OP_DH], NULL);
-+#endif /* OPENSSL_NO_DH */
-+
-+	for (type = 0; type < OP_MAX; type++)
-+		{
-+		session_cache[type].lock =
-+		    OPENSSL_malloc(sizeof (pthread_mutex_t));
-+		if (session_cache[type].lock == NULL)
-+			goto malloc_err;
-+		(void) pthread_mutex_init(session_cache[type].lock, NULL);
-+		}
-+
-+	return (1);
-+
-+malloc_err:
-+	pk11_free_all_locks();
-+	PK11err(PK11_F_INIT_ALL_LOCKS, PK11_R_MALLOC_FAILURE);
-+	return (0);
-+#else
-+	return (1);
-+#endif
-+	}
-+
-+static void pk11_free_all_locks(void)
-+	{
-+#ifndef NOPTHREADS
-+	int type;
-+
-+#ifndef OPENSSL_NO_RSA
-+	if (find_lock[OP_RSA] != NULL)
-+		{
-+		(void) pthread_mutex_destroy(find_lock[OP_RSA]);
-+		OPENSSL_free(find_lock[OP_RSA]);
-+		find_lock[OP_RSA] = NULL;
-+		}
-+#endif /* OPENSSL_NO_RSA */
-+#ifndef OPENSSL_NO_DSA
-+	if (find_lock[OP_DSA] != NULL)
-+		{
-+		(void) pthread_mutex_destroy(find_lock[OP_DSA]);
-+		OPENSSL_free(find_lock[OP_DSA]);
-+		find_lock[OP_DSA] = NULL;
-+		}
-+#endif /* OPENSSL_NO_DSA */
-+#ifndef OPENSSL_NO_DH
-+	if (find_lock[OP_DH] != NULL)
-+		{
-+		(void) pthread_mutex_destroy(find_lock[OP_DH]);
-+		OPENSSL_free(find_lock[OP_DH]);
-+		find_lock[OP_DH] = NULL;
-+		}
-+#endif /* OPENSSL_NO_DH */
-+
-+	for (type = 0; type < OP_MAX; type++)
-+		{
-+		if (session_cache[type].lock != NULL)
-+			{
-+			(void) pthread_mutex_destroy(session_cache[type].lock);
-+			OPENSSL_free(session_cache[type].lock);
-+			session_cache[type].lock = NULL;
-+			}
-+		}
-+#endif
-+	}
-+
-+/*
-+ * This internal function is used by ENGINE_pk11() and "dynamic" ENGINE support.
-+ */
-+static int bind_pk11(ENGINE *e)
-+	{
-+#ifndef OPENSSL_NO_RSA
-+	const RSA_METHOD *rsa = NULL;
-+	RSA_METHOD *pk11_rsa = PK11_RSA();
-+#endif	/* OPENSSL_NO_RSA */
-+	if (!pk11_library_initialized)
-+		if (!pk11_library_init(e))
-+			return (0);
-+
-+	if (!ENGINE_set_id(e, engine_pk11_id) ||
-+	    !ENGINE_set_name(e, engine_pk11_name) ||
-+	    !ENGINE_set_ciphers(e, pk11_engine_ciphers) ||
-+	    !ENGINE_set_digests(e, pk11_engine_digests))
-+		return (0);
-+#ifndef OPENSSL_NO_RSA
-+	if (pk11_have_rsa == CK_TRUE)
-+		{
-+		if (!ENGINE_set_RSA(e, PK11_RSA()) ||
-+		    !ENGINE_set_load_privkey_function(e, pk11_load_privkey) ||
-+		    !ENGINE_set_load_pubkey_function(e, pk11_load_pubkey))
-+			return (0);
-+#ifdef	DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "%s: registered RSA\n", PK11_DBG);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+		}
-+#endif	/* OPENSSL_NO_RSA */
-+#ifndef OPENSSL_NO_DSA
-+	if (pk11_have_dsa == CK_TRUE)
-+		{
-+		if (!ENGINE_set_DSA(e, PK11_DSA()))
-+			return (0);
-+#ifdef	DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "%s: registered DSA\n", PK11_DBG);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+		}
-+#endif	/* OPENSSL_NO_DSA */
-+#ifndef OPENSSL_NO_DH
-+	if (pk11_have_dh == CK_TRUE)
-+		{
-+		if (!ENGINE_set_DH(e, PK11_DH()))
-+			return (0);
-+#ifdef	DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "%s: registered DH\n", PK11_DBG);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+		}
-+#endif	/* OPENSSL_NO_DH */
-+	if (pk11_have_random)
-+		{
-+		if (!ENGINE_set_RAND(e, &pk11_random))
-+			return (0);
-+#ifdef	DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "%s: registered random\n", PK11_DBG);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+		}
-+	if (!ENGINE_set_init_function(e, pk11_init) ||
-+	    !ENGINE_set_destroy_function(e, pk11_destroy) ||
-+	    !ENGINE_set_finish_function(e, pk11_finish) ||
-+	    !ENGINE_set_ctrl_function(e, pk11_ctrl) ||
-+	    !ENGINE_set_cmd_defns(e, pk11_cmd_defns))
-+		return (0);
-+
-+/*
-+ * Apache calls OpenSSL function RSA_blinding_on() once during startup
-+ * which in turn calls bn_mod_exp. Since we do not implement bn_mod_exp
-+ * here, we wire it back to the OpenSSL software implementation.
-+ * Since it is used only once, performance is not a concern.
-+ */
-+#ifndef OPENSSL_NO_RSA
-+	rsa = RSA_PKCS1_SSLeay();
-+	pk11_rsa->rsa_mod_exp = rsa->rsa_mod_exp;
-+	pk11_rsa->bn_mod_exp = rsa->bn_mod_exp;
-+	if (pk11_have_recover != CK_TRUE)
-+		pk11_rsa->rsa_pub_dec = rsa->rsa_pub_dec;
-+#endif	/* OPENSSL_NO_RSA */
-+
-+	/* Ensure the pk11 error handling is set up */
-+	ERR_load_pk11_strings();
-+
-+	return (1);
-+	}
-+
-+/* Dynamic engine support is disabled at a higher level for Solaris */
-+#ifdef	ENGINE_DYNAMIC_SUPPORT
-+#error  "dynamic engine not supported"
-+static int bind_helper(ENGINE *e, const char *id)
-+	{
-+	if (id && (strcmp(id, engine_pk11_id) != 0))
-+		return (0);
-+
-+	if (!bind_pk11(e))
-+		return (0);
-+
-+	return (1);
-+	}
-+
-+IMPLEMENT_DYNAMIC_CHECK_FN()
-+IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
-+
-+#else
-+static ENGINE *engine_pk11(void)
-+	{
-+	ENGINE *ret = ENGINE_new();
-+
-+	if (!ret)
-+		return (NULL);
-+
-+	if (!bind_pk11(ret))
-+		{
-+		ENGINE_free(ret);
-+		return (NULL);
-+		}
-+
-+	return (ret);
-+	}
-+
-+void
-+ENGINE_load_pk11(void)
-+	{
-+	ENGINE *e_pk11 = NULL;
-+
-+	/*
-+	 * Do not use dynamic PKCS#11 library on Solaris due to
-+	 * security reasons. We will link it in statically.
-+	 */
-+	/* Attempt to load PKCS#11 library */
-+	if (!pk11_dso)
-+		pk11_dso = DSO_load(NULL, get_PK11_LIBNAME(), NULL, 0);
-+
-+	if (pk11_dso == NULL)
-+		{
-+		PK11err(PK11_F_LOAD, PK11_R_DSO_FAILURE);
-+		return;
-+		}
-+
-+	e_pk11 = engine_pk11();
-+	if (!e_pk11)
-+		{
-+		DSO_free(pk11_dso);
-+		pk11_dso = NULL;
-+		return;
-+		}
-+
-+	/*
-+	 * At this point, the pk11 shared library is either dynamically
-+	 * loaded or statically linked in. So, initialize the pk11
-+	 * library before calling ENGINE_set_default since the latter
-+	 * needs cipher and digest algorithm information
-+	 */
-+	if (!pk11_library_init(e_pk11))
-+		{
-+		DSO_free(pk11_dso);
-+		pk11_dso = NULL;
-+		ENGINE_free(e_pk11);
-+		return;
-+		}
-+
-+	ENGINE_add(e_pk11);
-+
-+	ENGINE_free(e_pk11);
-+	ERR_clear_error();
-+	}
-+#endif	/* ENGINE_DYNAMIC_SUPPORT */
-+
-+/*
-+ * These are the static string constants for the DSO file name and
-+ * the function symbol names to bind to.
-+ */
-+static const char *PK11_LIBNAME = NULL;
-+
-+static const char *get_PK11_LIBNAME(void)
-+	{
-+	if (PK11_LIBNAME)
-+		return (PK11_LIBNAME);
-+
-+	return (def_PK11_LIBNAME);
-+	}
-+
-+static void free_PK11_LIBNAME(void)
-+	{
-+	if (PK11_LIBNAME)
-+		OPENSSL_free((void*)PK11_LIBNAME);
-+
-+	PK11_LIBNAME = NULL;
-+	}
-+
-+static long set_PK11_LIBNAME(const char *name)
-+	{
-+	free_PK11_LIBNAME();
-+
-+	return ((PK11_LIBNAME = BUF_strdup(name)) != NULL ? 1 : 0);
-+	}
-+
-+/* acquire all engine specific mutexes before fork */
-+static void pk11_fork_prepare(void)
-+	{
-+#ifndef NOPTHREADS
-+	int i;
-+
-+	if (!pk11_library_initialized)
-+		return;
-+
-+	LOCK_OBJSTORE(OP_RSA);
-+	LOCK_OBJSTORE(OP_DSA);
-+	LOCK_OBJSTORE(OP_DH);
-+	(void) pthread_mutex_lock(token_lock);
-+	for (i = 0; i < OP_MAX; i++)
-+		{
-+		(void) pthread_mutex_lock(session_cache[i].lock);
-+		}
-+#endif
-+	}
-+
-+/* release all engine specific mutexes */
-+static void pk11_fork_parent(void)
-+	{
-+#ifndef NOPTHREADS
-+	int i;
-+
-+	if (!pk11_library_initialized)
-+		return;
-+
-+	for (i = OP_MAX - 1; i >= 0; i--)
-+		{
-+		(void) pthread_mutex_unlock(session_cache[i].lock);
-+		}
-+	UNLOCK_OBJSTORE(OP_DH);
-+	UNLOCK_OBJSTORE(OP_DSA);
-+	UNLOCK_OBJSTORE(OP_RSA);
-+	(void) pthread_mutex_unlock(token_lock);
-+#endif
-+	}
-+
-+/*
-+ * same situation as in parent - we need to unlock all locks to make them
-+ * accessible to all threads.
-+ */
-+static void pk11_fork_child(void)
-+	{
-+#ifndef NOPTHREADS
-+	int i;
-+
-+	if (!pk11_library_initialized)
-+		return;
-+
-+	for (i = OP_MAX - 1; i >= 0; i--)
-+		{
-+		(void) pthread_mutex_unlock(session_cache[i].lock);
-+		}
-+	UNLOCK_OBJSTORE(OP_DH);
-+	UNLOCK_OBJSTORE(OP_DSA);
-+	UNLOCK_OBJSTORE(OP_RSA);
-+	(void) pthread_mutex_unlock(token_lock);
-+#endif
-+	}
-+
-+/* Initialization function for the pk11 engine */
-+static int pk11_init(ENGINE *e)
-+{
-+	return (pk11_library_init(e));
-+}
-+
-+static CK_C_INITIALIZE_ARGS pk11_init_args =
-+	{
-+	NULL_PTR,		/* CreateMutex */
-+	NULL_PTR,		/* DestroyMutex */
-+	NULL_PTR,		/* LockMutex */
-+	NULL_PTR,		/* UnlockMutex */
-+	CKF_OS_LOCKING_OK,	/* flags */
-+	NULL_PTR,		/* pReserved */
-+	};
-+
-+/*
-+ * Initialization function. Sets up various PKCS#11 library components.
-+ * It selects a slot based on predefined critiera. In the process, it also
-+ * count how many ciphers and digests to support. Since the cipher and
-+ * digest information is needed when setting default engine, this function
-+ * needs to be called before calling ENGINE_set_default.
-+ */
-+/* ARGSUSED */
-+static int pk11_library_init(ENGINE *e)
-+	{
-+	CK_C_GetFunctionList p;
-+	CK_RV rv = CKR_OK;
-+	CK_INFO info;
-+	CK_ULONG ul_state_len;
-+	int any_slot_found;
-+	int i;
-+#ifndef OPENSSL_SYS_WIN32
-+	struct sigaction sigint_act, sigterm_act, sighup_act;
-+#endif
-+
-+	/*
-+	 * pk11_library_initialized is set to 0 in pk11_finish() which
-+	 * is called from ENGINE_finish(). However, if there is still
-+	 * at least one existing functional reference to the engine
-+	 * (see engine(3) for more information), pk11_finish() is
-+	 * skipped. For example, this can happen if an application
-+	 * forgets to clear one cipher context. In case of a fork()
-+	 * when the application is finishing the engine so that it can
-+	 * be reinitialized in the child, forgotten functional
-+	 * reference causes pk11_library_initialized to stay 1. In
-+	 * that case we need the PID check so that we properly
-+	 * initialize the engine again.
-+	 */
-+	if (pk11_library_initialized)
-+		{
-+		if (pk11_pid == getpid())
-+			{
-+			return (1);
-+			}
-+		else
-+			{
-+			global_session = CK_INVALID_HANDLE;
-+			/*
-+			 * free the locks first to prevent memory leak in case
-+			 * the application calls fork() without finishing the
-+			 * engine first.
-+			 */
-+			pk11_free_all_locks();
-+			}
-+		}
-+
-+	if (pk11_dso == NULL)
-+		{
-+		PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
-+		goto err;
-+		}
-+
-+#ifdef	SOLARIS_AES_CTR
-+	/*
-+	 * We must do this before we start working with slots since we need all
-+	 * NIDs there.
-+	 */
-+	if (pk11_add_aes_ctr_NIDs() == 0)
-+		goto err;
-+#endif	/* SOLARIS_AES_CTR */
-+
-+#ifdef	SOLARIS_HW_SLOT_SELECTION
-+	if (check_hw_mechanisms() == 0)
-+		goto err;
-+#endif	/* SOLARIS_HW_SLOT_SELECTION */
-+
-+	/* get the C_GetFunctionList function from the loaded library */
-+	p = (CK_C_GetFunctionList)DSO_bind_func(pk11_dso,
-+		PK11_GET_FUNCTION_LIST);
-+	if (!p)
-+		{
-+		PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
-+		goto err;
-+		}
-+
-+	/* get the full function list from the loaded library */
-+	rv = p(&pFuncList);
-+	if (rv != CKR_OK)
-+		{
-+		PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE, rv);
-+		goto err;
-+		}
-+
-+#ifndef OPENSSL_SYS_WIN32
-+	/* Not all PKCS#11 library are signal safe! */
-+
-+	(void) memset(&sigint_act, 0, sizeof(sigint_act));
-+	(void) memset(&sigterm_act, 0, sizeof(sigterm_act));
-+	(void) memset(&sighup_act, 0, sizeof(sighup_act));
-+	(void) sigaction(SIGINT, NULL, &sigint_act);
-+	(void) sigaction(SIGTERM, NULL, &sigterm_act);
-+	(void) sigaction(SIGHUP, NULL, &sighup_act);
-+#endif
-+	rv = pFuncList->C_Initialize((CK_VOID_PTR)&pk11_init_args);
-+#ifndef OPENSSL_SYS_WIN32
-+	(void) sigaction(SIGINT, &sigint_act, NULL);
-+	(void) sigaction(SIGTERM, &sigterm_act, NULL);
-+	(void) sigaction(SIGHUP, &sighup_act, NULL);
-+#endif
-+	if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
-+		{
-+		PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_INITIALIZE, rv);
-+		goto err;
-+		}
-+
-+	rv = pFuncList->C_GetInfo(&info);
-+	if (rv != CKR_OK)
-+		{
-+		PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_GETINFO, rv);
-+		goto err;
-+		}
-+
-+	if (pk11_choose_slots(&any_slot_found) == 0)
-+		goto err;
-+
-+	/*
-+	 * The library we use, set in def_PK11_LIBNAME, may not offer any
-+	 * slot(s). In that case, we must not proceed but we must not return an
-+	 * error. The reason is that applications that try to set up the PKCS#11
-+	 * engine don't exit on error during the engine initialization just
-+	 * because no slot was present.
-+	 */
-+	if (any_slot_found == 0)
-+		return (1);
-+
-+	if (global_session == CK_INVALID_HANDLE)
-+		{
-+		/* Open the global_session for the new process */
-+		rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
-+			NULL_PTR, NULL_PTR, &global_session);
-+		if (rv != CKR_OK)
-+			{
-+			PK11err_add_data(PK11_F_LIBRARY_INIT,
-+			    PK11_R_OPENSESSION, rv);
-+			goto err;
-+			}
-+		}
-+
-+	/*
-+	 * Disable digest if C_GetOperationState is not supported since
-+	 * this function is required by OpenSSL digest copy function
-+	 */
-+	/* Keyper fails to return CKR_FUNCTION_NOT_SUPPORTED */
-+	if (pFuncList->C_GetOperationState(global_session, NULL, &ul_state_len)
-+			!= CKR_OK) {
-+#ifdef	DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "%s: C_GetOperationState() not supported, "
-+		    "setting digest_count to 0\n", PK11_DBG);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+		digest_count = 0;
-+	}
-+
-+	pk11_library_initialized = TRUE;
-+	pk11_pid = getpid();
-+	/*
-+	 * if initialization of the locks fails pk11_init_all_locks()
-+	 * will do the cleanup.
-+	 */
-+	if (!pk11_init_all_locks())
-+		goto err;
-+	for (i = 0; i < OP_MAX; i++)
-+		session_cache[i].head = NULL;
-+	/*
-+	 * initialize active lists. We only use active lists
-+	 * for asymmetric ciphers.
-+	 */
-+	for (i = 0; i < OP_MAX; i++)
-+		active_list[i] = NULL;
-+
-+#ifndef NOPTHREADS
-+	if (!pk11_atfork_initialized)
-+		{
-+		if (pthread_atfork(pk11_fork_prepare, pk11_fork_parent,
-+		    pk11_fork_child) != 0)
-+			{
-+			PK11err(PK11_F_LIBRARY_INIT, PK11_R_ATFORK_FAILED);
-+			goto err;
-+			}
-+		pk11_atfork_initialized = TRUE;
-+		}
-+#endif
-+
-+	return (1);
-+
-+err:
-+	return (0);
-+	}
-+
-+/* Destructor (complements the "ENGINE_pk11()" constructor) */
-+/* ARGSUSED */
-+static int pk11_destroy(ENGINE *e)
-+	{
-+	free_PK11_LIBNAME();
-+	ERR_unload_pk11_strings();
-+	if (pk11_pin) {
-+		memset(pk11_pin, 0, strlen(pk11_pin));
-+		OPENSSL_free((void*)pk11_pin);
-+	}
-+	pk11_pin = NULL;
-+	return (1);
-+	}
-+
-+/*
-+ * Termination function to clean up the session, the token, and the pk11
-+ * library.
-+ */
-+/* ARGSUSED */
-+static int pk11_finish(ENGINE *e)
-+	{
-+	int i;
-+
-+	if (pk11_pin) {
-+		memset(pk11_pin, 0, strlen(pk11_pin));
-+		OPENSSL_free((void*)pk11_pin);
-+	}
-+	pk11_pin = NULL;
-+
-+	if (pk11_dso == NULL)
-+		{
-+		PK11err(PK11_F_FINISH, PK11_R_NOT_LOADED);
-+		goto err;
-+		}
-+
-+	OPENSSL_assert(pFuncList != NULL);
-+
-+	if (pk11_free_all_sessions() == 0)
-+		goto err;
-+
-+	/* free all active lists */
-+	for (i = 0; i < OP_MAX; i++)
-+		pk11_free_active_list(i);
-+
-+	pFuncList->C_CloseSession(global_session);
-+	global_session = CK_INVALID_HANDLE;
-+
-+	/*
-+	 * Since we are part of a library (libcrypto.so), calling this function
-+	 * may have side-effects.
-+	 */
-+#if 0
-+	pFuncList->C_Finalize(NULL);
-+#endif
-+
-+	if (!DSO_free(pk11_dso))
-+		{
-+		PK11err(PK11_F_FINISH, PK11_R_DSO_FAILURE);
-+		goto err;
-+		}
-+	pk11_dso = NULL;
-+	pFuncList = NULL;
-+	pk11_library_initialized = FALSE;
-+	pk11_pid = 0;
-+	/*
-+	 * There is no way how to unregister atfork handlers (other than
-+	 * unloading the library) so we just free the locks. For this reason
-+	 * the atfork handlers check if the engine is initialized and bail out
-+	 * immediately if not. This is necessary in case a process finishes
-+	 * the engine before calling fork().
-+	 */
-+	pk11_free_all_locks();
-+
-+	return (1);
-+
-+err:
-+	return (0);
-+	}
-+
-+/* Standard engine interface function to set the dynamic library path */
-+/* ARGSUSED */
-+static int pk11_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
-+	{
-+	int initialized = ((pk11_dso == NULL) ? 0 : 1);
-+
-+	switch (cmd)
-+		{
-+	case PK11_CMD_SO_PATH:
-+		if (p == NULL)
-+			{
-+			PK11err(PK11_F_CTRL, ERR_R_PASSED_NULL_PARAMETER);
-+			return (0);
-+			}
-+
-+		if (initialized)
-+			{
-+			PK11err(PK11_F_CTRL, PK11_R_ALREADY_LOADED);
-+			return (0);
-+			}
-+
-+		return (set_PK11_LIBNAME((const char *)p));
-+	case PK11_CMD_PIN:
-+		if (pk11_pin) {
-+			memset(pk11_pin, 0, strlen(pk11_pin));
-+			OPENSSL_free((void*)pk11_pin);
-+		}
-+		pk11_pin = NULL;
-+
-+		if (p == NULL)
-+			{
-+			PK11err(PK11_F_CTRL, ERR_R_PASSED_NULL_PARAMETER);
-+			return (0);
-+			}
-+
-+		pk11_pin = BUF_strdup(p);
-+		if (pk11_pin == NULL)
-+			{
-+			PK11err(PK11_F_GET_SESSION, PK11_R_MALLOC_FAILURE);
-+			return (0);
-+			}
-+		return (1);
-+	case PK11_CMD_SLOT:
-+		SLOTID = (CK_SLOT_ID)i;
-+#ifdef DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "%s: slot set\n", PK11_DBG);
-+#endif
-+		return (1);
-+	default:
-+		break;
-+		}
-+
-+	PK11err(PK11_F_CTRL, PK11_R_CTRL_COMMAND_NOT_IMPLEMENTED);
-+
-+	return (0);
-+	}
-+
-+
-+/* Required function by the engine random interface. It does nothing here */
-+static void pk11_rand_cleanup(void)
-+	{
-+	return;
-+	}
-+
-+/* ARGSUSED */
-+static void pk11_rand_add(const void *buf, int num, double add)
-+	{
-+	PK11_SESSION *sp;
-+
-+	if ((sp = pk11_get_session(OP_RAND)) == NULL)
-+		return;
-+
-+	/*
-+	 * Ignore any errors (e.g. CKR_RANDOM_SEED_NOT_SUPPORTED) since
-+	 * the calling functions do not care anyway
-+	 */
-+	pFuncList->C_SeedRandom(sp->session, (unsigned char *) buf, num);
-+	pk11_return_session(sp, OP_RAND);
-+
-+	return;
-+	}
-+
-+static void pk11_rand_seed(const void *buf, int num)
-+	{
-+	pk11_rand_add(buf, num, 0);
-+	}
-+
-+static int pk11_rand_bytes(unsigned char *buf, int num)
-+	{
-+	CK_RV rv;
-+	PK11_SESSION *sp;
-+
-+	if ((sp = pk11_get_session(OP_RAND)) == NULL)
-+		return (0);
-+
-+	rv = pFuncList->C_GenerateRandom(sp->session, buf, num);
-+	if (rv != CKR_OK)
-+		{
-+		PK11err_add_data(PK11_F_RAND_BYTES, PK11_R_GENERATERANDOM, rv);
-+		pk11_return_session(sp, OP_RAND);
-+		return (0);
-+		}
-+
-+	pk11_return_session(sp, OP_RAND);
-+	return (1);
-+	}
-+
-+/* Required function by the engine random interface. It does nothing here */
-+static int pk11_rand_status(void)
-+	{
-+	return (1);
-+	}
-+
-+/* Free all BIGNUM structures from PK11_SESSION. */
-+static void pk11_free_nums(PK11_SESSION *sp, PK11_OPTYPE optype)
-+	{
-+	switch (optype)
-+		{
-+#ifndef	OPENSSL_NO_RSA
-+		case OP_RSA:
-+			if (sp->opdata_rsa_n_num != NULL)
-+				{
-+				BN_free(sp->opdata_rsa_n_num);
-+				sp->opdata_rsa_n_num = NULL;
-+				}
-+			if (sp->opdata_rsa_e_num != NULL)
-+				{
-+				BN_free(sp->opdata_rsa_e_num);
-+				sp->opdata_rsa_e_num = NULL;
-+				}
-+			if (sp->opdata_rsa_pn_num != NULL)
-+				{
-+				BN_free(sp->opdata_rsa_pn_num);
-+				sp->opdata_rsa_pn_num = NULL;
-+				}
-+			if (sp->opdata_rsa_pe_num != NULL)
-+				{
-+				BN_free(sp->opdata_rsa_pe_num);
-+				sp->opdata_rsa_pe_num = NULL;
-+				}
-+			if (sp->opdata_rsa_d_num != NULL)
-+				{
-+				BN_free(sp->opdata_rsa_d_num);
-+				sp->opdata_rsa_d_num = NULL;
-+				}
-+			break;
-+#endif
-+#ifndef	OPENSSL_NO_DSA
-+		case OP_DSA:
-+			if (sp->opdata_dsa_pub_num != NULL)
-+				{
-+				BN_free(sp->opdata_dsa_pub_num);
-+				sp->opdata_dsa_pub_num = NULL;
-+				}
-+			if (sp->opdata_dsa_priv_num != NULL)
-+				{
-+				BN_free(sp->opdata_dsa_priv_num);
-+				sp->opdata_dsa_priv_num = NULL;
-+				}
-+			break;
-+#endif
-+#ifndef	OPENSSL_NO_DH
-+		case OP_DH:
-+			if (sp->opdata_dh_priv_num != NULL)
-+				{
-+				BN_free(sp->opdata_dh_priv_num);
-+				sp->opdata_dh_priv_num = NULL;
-+				}
-+			break;
-+#endif
-+		default:
-+			break;
-+		}
-+	}
-+
-+/*
-+ * Get new PK11_SESSION structure ready for use. Every process must have
-+ * its own freelist of PK11_SESSION structures so handle fork() here
-+ * by destroying the old and creating new freelist.
-+ * The returned PK11_SESSION structure is disconnected from the freelist.
-+ */
-+PK11_SESSION *
-+pk11_get_session(PK11_OPTYPE optype)
-+	{
-+	PK11_SESSION *sp = NULL, *sp1, *freelist;
-+#ifndef NOPTHREADS
-+	pthread_mutex_t *freelist_lock = NULL;
-+#endif
-+	static pid_t pid = 0;
-+	pid_t new_pid;
-+	CK_RV rv;
-+
-+	switch (optype)
-+		{
-+		case OP_RSA:
-+		case OP_DSA:
-+		case OP_DH:
-+		case OP_RAND:
-+		case OP_DIGEST:
-+		case OP_CIPHER:
-+#ifndef NOPTHREADS
-+			freelist_lock = session_cache[optype].lock;
-+#endif
-+			break;
-+		default:
-+			PK11err(PK11_F_GET_SESSION,
-+				PK11_R_INVALID_OPERATION_TYPE);
-+			return (NULL);
-+		}
-+#ifndef NOPTHREADS
-+	(void) pthread_mutex_lock(freelist_lock);
-+#else
-+	CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+
-+	/*
-+	 * Will use it to find out if we forked. We cannot use the PID field in
-+	 * the session structure because we could get a newly allocated session
-+	 * here, with no PID information.
-+	 */
-+	if (pid == 0)
-+		pid = getpid();
-+
-+	freelist = session_cache[optype].head;
-+	sp = freelist;
-+
-+	/*
-+	 * If the free list is empty, allocate new unitialized (filled
-+	 * with zeroes) PK11_SESSION structure otherwise return first
-+	 * structure from the freelist.
-+	 */
-+	if (sp == NULL)
-+		{
-+		if ((sp = OPENSSL_malloc(sizeof (PK11_SESSION))) == NULL)
-+			{
-+			PK11err(PK11_F_GET_SESSION,
-+				PK11_R_MALLOC_FAILURE);
-+			goto err;
-+			}
-+		(void) memset(sp, 0, sizeof (PK11_SESSION));
-+
-+		/*
-+		 * It is a new session so it will look like a cache miss to the
-+		 * code below. So, we must not try to to destroy its members so
-+		 * mark them as unused.
-+		 */
-+		sp->opdata_rsa_priv_key = CK_INVALID_HANDLE;
-+		sp->opdata_rsa_pub_key = CK_INVALID_HANDLE;
-+		}
-+	else
-+		{
-+		freelist = sp->next;
-+		}
-+
-+	/*
-+	 * Check whether we have forked. In that case, we must get rid of all
-+	 * inherited sessions and start allocating new ones.
-+	 */
-+	if (pid != (new_pid = getpid()))
-+		{
-+		pid = new_pid;
-+
-+		/*
-+		 * We are a new process and thus need to free any inherited
-+		 * PK11_SESSION objects aside from the first session (sp) which
-+		 * is the only PK11_SESSION structure we will reuse (for the
-+		 * head of the list).
-+		 */
-+		while ((sp1 = freelist) != NULL)
-+			{
-+			freelist = sp1->next;
-+			/*
-+			 * NOTE: we do not want to call pk11_free_all_sessions()
-+			 * here because it would close underlying PKCS#11
-+			 * sessions and destroy all objects.
-+			 */
-+			pk11_free_nums(sp1, optype);
-+			OPENSSL_free(sp1);
-+			}
-+
-+		/* we have to free the active list as well. */
-+		pk11_free_active_list(optype);
-+
-+		/* Initialize the process */
-+		rv = pFuncList->C_Initialize((CK_VOID_PTR)&pk11_init_args);
-+		if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
-+			{
-+			PK11err_add_data(PK11_F_GET_SESSION, PK11_R_INITIALIZE,
-+			    rv);
-+			OPENSSL_free(sp);
-+			sp = NULL;
-+			goto err;
-+			}
-+
-+		/*
-+		 * Choose slot here since the slot table is different on this
-+		 * process. If we are here then we must have found at least one
-+		 * usable slot before so we don't need to check any_slot_found.
-+		 * See pk11_library_init()'s usage of this function for more
-+		 * information.
-+		 */
-+#ifdef	SOLARIS_HW_SLOT_SELECTION
-+		if (check_hw_mechanisms() == 0)
-+			goto err;
-+#endif	/* SOLARIS_HW_SLOT_SELECTION */
-+		if (pk11_choose_slots(NULL) == 0)
-+			goto err;
-+
-+		/* Open the global_session for the new process */
-+		rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
-+			NULL_PTR, NULL_PTR, &global_session);
-+		if (rv != CKR_OK)
-+			{
-+			PK11err_add_data(PK11_F_GET_SESSION, PK11_R_OPENSESSION,
-+			    rv);
-+			OPENSSL_free(sp);
-+			sp = NULL;
-+			goto err;
-+			}
-+
-+		/*
-+		 * It is an inherited session from our parent so it needs
-+		 * re-initialization.
-+		 */
-+		if (pk11_setup_session(sp, optype) == 0)
-+			{
-+			OPENSSL_free(sp);
-+			sp = NULL;
-+			goto err;
-+			}
-+		if (pk11_token_relogin(sp->session) == 0) 
-+			{
-+			/*
-+			 * We will keep the session in the cache list and let
-+			 * the caller cope with the situation.
-+			 */
-+			freelist = sp;
-+			sp = NULL;
-+			goto err;
-+			}
-+		}
-+
-+	if (sp->pid == 0)
-+		{
-+		/* It is a new session and needs initialization. */
-+		if (pk11_setup_session(sp, optype) == 0)
-+			{
-+			OPENSSL_free(sp);
-+			sp = NULL;
-+			}
-+		}
-+
-+	/* set new head for the list of PK11_SESSION objects */
-+	session_cache[optype].head = freelist;
-+
-+err:
-+	if (sp != NULL)
-+		sp->next = NULL;
-+
-+#ifndef NOPTHREADS
-+	(void) pthread_mutex_unlock(freelist_lock);
-+#else
-+	CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+
-+	return (sp);
-+	}
-+
-+
-+void
-+pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype)
-+	{
-+#ifndef NOPTHREADS
-+	pthread_mutex_t *freelist_lock;
-+#endif
-+	PK11_SESSION *freelist;
-+
-+	/*
-+	 * If this is a session from the parent it will be taken care of and
-+	 * freed in pk11_get_session() as part of the post-fork clean up the
-+	 * next time we will ask for a new session.
-+	 */
-+	if (sp == NULL || sp->pid != getpid())
-+		return;
-+
-+	switch (optype)
-+		{
-+		case OP_RSA:
-+		case OP_DSA:
-+		case OP_DH:
-+		case OP_RAND:
-+		case OP_DIGEST:
-+		case OP_CIPHER:
-+#ifndef NOPTHREADS
-+			freelist_lock = session_cache[optype].lock;
-+#endif
-+			break;
-+		default:
-+			PK11err(PK11_F_RETURN_SESSION,
-+				PK11_R_INVALID_OPERATION_TYPE);
-+			return;
-+		}
-+
-+#ifndef NOPTHREADS
-+	(void) pthread_mutex_lock(freelist_lock);
-+#else
-+	CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+	freelist = session_cache[optype].head;
-+	sp->next = freelist;
-+	session_cache[optype].head = sp;
-+#ifndef NOPTHREADS
-+	(void) pthread_mutex_unlock(freelist_lock);
-+#else
-+	CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+	}
-+
-+
-+/* Destroy all objects. This function is called when the engine is finished */
-+static int pk11_free_all_sessions()
-+	{
-+	int ret = 1;
-+	int type;
-+
-+#ifndef OPENSSL_NO_RSA
-+	(void) pk11_destroy_rsa_key_objects(NULL);
-+#endif	/* OPENSSL_NO_RSA */
-+#ifndef OPENSSL_NO_DSA
-+	(void) pk11_destroy_dsa_key_objects(NULL);
-+#endif	/* OPENSSL_NO_DSA */
-+#ifndef OPENSSL_NO_DH
-+	(void) pk11_destroy_dh_key_objects(NULL);
-+#endif	/* OPENSSL_NO_DH */
-+	(void) pk11_destroy_cipher_key_objects(NULL);
-+
-+	/*
-+	 * We try to release as much as we can but any error means that we will
-+	 * return 0 on exit.
-+	 */
-+	for (type = 0; type < OP_MAX; type++)
-+		{
-+		if (pk11_free_session_list(type) == 0)
-+			ret = 0;
-+		}
-+
-+	return (ret);
-+	}
-+
-+/*
-+ * Destroy session structures from the linked list specified. Free as many
-+ * sessions as possible but any failure in C_CloseSession() means that we
-+ * return an error on return.
-+ */
-+static int pk11_free_session_list(PK11_OPTYPE optype)
-+	{
-+	CK_RV rv;
-+	PK11_SESSION *sp = NULL;
-+	PK11_SESSION *freelist = NULL;
-+	pid_t mypid = getpid();
-+#ifndef NOPTHREADS
-+	pthread_mutex_t *freelist_lock;
-+#endif
-+	int ret = 1;
-+
-+	switch (optype)
-+		{
-+		case OP_RSA:
-+		case OP_DSA:
-+		case OP_DH:
-+		case OP_RAND:
-+		case OP_DIGEST:
-+		case OP_CIPHER:
-+#ifndef NOPTHREADS
-+			freelist_lock = session_cache[optype].lock;
-+#endif
-+			break;
-+		default:
-+			PK11err(PK11_F_FREE_ALL_SESSIONS,
-+				PK11_R_INVALID_OPERATION_TYPE);
-+			return (0);
-+		}
-+
-+#ifndef NOPTHREADS
-+	(void) pthread_mutex_lock(freelist_lock);
-+#else
-+	CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+	freelist = session_cache[optype].head;
-+	while ((sp = freelist) != NULL)
-+		{
-+		if (sp->session != CK_INVALID_HANDLE && sp->pid == mypid)
-+			{
-+			rv = pFuncList->C_CloseSession(sp->session);
-+			if (rv != CKR_OK)
-+				{
-+				PK11err_add_data(PK11_F_FREE_ALL_SESSIONS,
-+					PK11_R_CLOSESESSION, rv);
-+				ret = 0;
-+				}
-+			}
-+		freelist = sp->next;
-+		pk11_free_nums(sp, optype);
-+		OPENSSL_free(sp);
-+		}
-+
-+#ifndef NOPTHREADS
-+	(void) pthread_mutex_unlock(freelist_lock);
-+#else
-+	CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+	return (ret);
-+	}
-+
-+
-+static int
-+pk11_setup_session(PK11_SESSION *sp, PK11_OPTYPE optype)
-+	{
-+	CK_RV rv;
-+	CK_SLOT_ID myslot;
-+
-+	switch (optype)
-+		{
-+		case OP_RSA:
-+		case OP_DSA:
-+		case OP_DH:
-+			myslot = pubkey_SLOTID;
-+			break;
-+		case OP_RAND:
-+			myslot = rand_SLOTID;
-+			break;
-+		case OP_DIGEST:
-+		case OP_CIPHER:
-+			myslot = SLOTID;
-+			break;
-+		default:
-+			PK11err(PK11_F_SETUP_SESSION,
-+			    PK11_R_INVALID_OPERATION_TYPE);
-+			return (0);
-+		}
-+
-+	sp->session = CK_INVALID_HANDLE;
-+#ifdef	DEBUG_SLOT_SELECTION
-+	fprintf(stderr, "%s: myslot=%d optype=%d\n", PK11_DBG, myslot, optype);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+	rv = pFuncList->C_OpenSession(myslot, CKF_SERIAL_SESSION,
-+		NULL_PTR, NULL_PTR, &sp->session);
-+	if (rv == CKR_CRYPTOKI_NOT_INITIALIZED)
-+		{
-+		/*
-+		 * We are probably a child process so force the
-+		 * reinitialize of the session
-+		 */
-+		pk11_library_initialized = FALSE;
-+		if (!pk11_library_init(NULL))
-+			return (0);
-+		rv = pFuncList->C_OpenSession(myslot, CKF_SERIAL_SESSION,
-+			NULL_PTR, NULL_PTR, &sp->session);
-+		}
-+	if (rv != CKR_OK)
-+		{
-+		PK11err_add_data(PK11_F_SETUP_SESSION, PK11_R_OPENSESSION, rv);
-+		return (0);
-+		}
-+
-+	sp->pid = getpid();
-+
-+	switch (optype)
-+		{
-+#ifndef OPENSSL_NO_RSA
-+		case OP_RSA:
-+			sp->opdata_rsa_pub_key = CK_INVALID_HANDLE;
-+			sp->opdata_rsa_priv_key = CK_INVALID_HANDLE;
-+			sp->opdata_rsa_pub = NULL;
-+			sp->opdata_rsa_n_num = NULL;
-+			sp->opdata_rsa_e_num = NULL;
-+			sp->opdata_rsa_priv = NULL;
-+			sp->opdata_rsa_pn_num = NULL;
-+			sp->opdata_rsa_pe_num = NULL;
-+			sp->opdata_rsa_d_num = NULL;
-+			break;
-+#endif	/* OPENSSL_NO_RSA */
-+#ifndef OPENSSL_NO_DSA
-+		case OP_DSA:
-+			sp->opdata_dsa_pub_key = CK_INVALID_HANDLE;
-+			sp->opdata_dsa_priv_key = CK_INVALID_HANDLE;
-+			sp->opdata_dsa_pub = NULL;
-+			sp->opdata_dsa_pub_num = NULL;
-+			sp->opdata_dsa_priv = NULL;
-+			sp->opdata_dsa_priv_num = NULL;
-+			break;
-+#endif	/* OPENSSL_NO_DSA */
-+#ifndef OPENSSL_NO_DH
-+		case OP_DH:
-+			sp->opdata_dh_key = CK_INVALID_HANDLE;
-+			sp->opdata_dh = NULL;
-+			sp->opdata_dh_priv_num = NULL;
-+			break;
-+#endif	/* OPENSSL_NO_DH */
-+		case OP_CIPHER:
-+			sp->opdata_cipher_key = CK_INVALID_HANDLE;
-+			sp->opdata_encrypt = -1;
-+			break;
-+		default:
-+			break;
-+		}
-+
-+	/*
-+	 * We always initialize the session as containing a non-persistent
-+	 * object. The key load functions set it to persistent if that is so.
-+	 */
-+	sp->pub_persistent = CK_FALSE;
-+	sp->priv_persistent = CK_FALSE;
-+	return (1);
-+	}
-+
-+#ifndef OPENSSL_NO_RSA
-+/* Destroy RSA public key from single session. */
-+int
-+pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock)
-+	{
-+	int ret = 0;
-+
-+	if (sp->opdata_rsa_pub_key != CK_INVALID_HANDLE)
-+		{
-+		TRY_OBJ_DESTROY(sp, sp->opdata_rsa_pub_key,
-+		    ret, uselock, OP_RSA, CK_FALSE);
-+		sp->opdata_rsa_pub_key = CK_INVALID_HANDLE;
-+		sp->opdata_rsa_pub = NULL;
-+		if (sp->opdata_rsa_n_num != NULL)
-+			{
-+			BN_free(sp->opdata_rsa_n_num);
-+			sp->opdata_rsa_n_num = NULL;
-+			}
-+		if (sp->opdata_rsa_e_num != NULL)
-+			{
-+			BN_free(sp->opdata_rsa_e_num);
-+			sp->opdata_rsa_e_num = NULL;
-+			}
-+		}
-+
-+	return (ret);
-+	}
-+
-+/* Destroy RSA private key from single session. */
-+int
-+pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock)
-+	{
-+	int ret = 0;
-+
-+	if (sp->opdata_rsa_priv_key != CK_INVALID_HANDLE)
-+		{
-+		TRY_OBJ_DESTROY(sp, sp->opdata_rsa_priv_key,
-+		    ret, uselock, OP_RSA, CK_TRUE);
-+		sp->opdata_rsa_priv_key = CK_INVALID_HANDLE;
-+		sp->opdata_rsa_priv = NULL;
-+		if (sp->opdata_rsa_d_num != NULL)