merge conflicts for bind-9.9.3-P2

2013-07-27 19:23:09 +00:00 · 2013-07-27 19:23:09 +00:00 · 31e900e600
commit 31e900e600
parent 2cdb6d11c4
299 changed files with 23910 additions and 67564 deletions
--- a/external/bsd/bind/Makefile.inc
+++ b/external/bsd/bind/Makefile.inc
@ -1,4 +1,4 @@
-#	$NetBSD: Makefile.inc,v 1.13 2012/05/09 21:59:10 christos Exp $
+#	$NetBSD: Makefile.inc,v 1.14 2013/07/27 19:23:09 christos Exp $

 .if !defined(BIND9_MAKEFILE_INC)
 BIND9_MAKEFILE_INC=yes
@ -89,10 +89,10 @@ LIBDPLIBS+=      pthread  ${NETBSDSRCDIR}/lib/libpthread
 .endif

 .if ${NAMED_USE_OPENSSL} == "yes"
-CPPFLAGS+=-DOPENSSL
+CPPFLAGS+=-DOPENSSL -DGSSAPI -DUSE_ISC_SPNEGO
 .if !defined (LIB) || empty(LIB)
-LDADD+= -lcrypto
-DPADD+= ${LIBCRYPTO}
+LDADD+= -lgssapi -lkrb5 -lcrypto
+DPADD+= ${LIBGSSAPI} ${LIBKRB5} ${LIBCRYPTO}
 .else
 .if exists(${NETBSDSRCDIR}/crypto/external/bsd/openssl/lib/libcrypto)
 LIBDPLIBS+=	crypto ${NETBSDSRCDIR}/crypto/external/bsd/openssl/lib/libcrypto
--- a/external/bsd/bind/bin/named/Makefile
+++ b/external/bsd/bind/bin/named/Makefile
@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.6 2012/09/23 17:22:22 joerg Exp $
+#	$NetBSD: Makefile,v 1.7 2013/07/27 19:23:09 christos Exp $

 .include <bsd.own.mk>

@ -11,7 +11,10 @@ LINKS=	${BINDIR}/named ${BINDIR}/lwresd

 DIST=${IDIST}/bin/named
 CPPFLAGS+=-I${DIST}/include -I${DIST}/unix/include -DCONFIGARGS=\"defaults\"
-CPPFLAGS+=-DNO_VERSION_DATE
+CPPFLAGS+=-DNO_VERSION_DATE -DPRODUCT=\"BIND\" -DSRCID=\"${SRCID}\"
+CPPFLAGS+=-DDESCRIPTION=\"\(Extended\ Support\ Version\)\"
+
+.include "${IDIST}/srcid"

 .if defined(HAVE_GCC) || defined(HAVE_LLVM)
 .for f in client
--- a/external/bsd/bind/dist/CHANGES
+++ b/external/bsd/bind/dist/CHANGES
@ -1,13 +1,499 @@
-	--- 9.9.2-P1 released ---
+	--- 9.9.3-P2 released ---

-3407.	[security]	Named could die on specific queries with dns64 enabled.
-			[Addressed in change #3388 for BIND 9.8.5 and 9.9.3.]
+3621.	[security]	Incorrect bounds checking on private type 'keydata'
+			can lead to a remotely triggerable REQUIRE failure
+			(CVE-2013-4854). [RT #34238]
+
+	--- 9.9.3-P1 released ---
+
+3584.	[security]	Caching data from an incompletely signed zone could
+			trigger an assertion failure in resolver.c [RT #33690]
+
+	--- 9.9.3 released ---
+
+3568.	[cleanup]	Add a product description line to the version file,
+			to be reported by named -v/-V. [RT #33366]
+
+3567.	[bug]		Silence clang static analyzer warnings. [RT #33365]
+
+3563.	[contrib]	zone2sqlite failed with some table names. [RT #33375]
+
+3561.	[bug]		dig: issue a warning if an EDNS query returns FORMERR
+			or NOTIMP.  Adjust usage message. [RT #33363]
+
+	--- 9.9.3rc2 released ---
+
+3560.	[bug]		isc-config.sh did not honor includedir and libdir
+			when set via configure. [RT #33345]
+
+3559.	[func]		Check that both forms of Sender Policy Framework
+			records exist or do not exist. [RT #33355]
+
+3558.	[bug]		IXFR of a DLZ stored zone was broken. [RT #33331]
+
+3557.	[bug]		Reloading redirect zones was broken. [RT #33292]
+
+3556.	[maint]		Added AAAA for D.ROOT-SERVERS.NET.
+
+3555.	[bug]		Address theoretical race conditions in acache.c
+			(change #3553 was incomplete). [RT #33252]
+
+3553.	[bug]		Address suspected double free in acache. [RT #33252]
+
+3552.	[bug]		Wrong getopt option string for 'nsupdate -r'.
+			[RT #33280]
+
+3549.	[doc]		Documentation for "request-nsid" was missing.
+			[RT #33153]
+
+3548.	[bug]		The NSID request code in resolver.c was broken
+			resulting in invalid EDNS options being sent.
+			[RT #33153]
+
+3547.	[bug]		Some malformed unknown rdata records were not properly
+			detected and rejected. [RT #33129]
+
+	--- 9.9.3rc1 released ---
+
+3546.	[func]		Add EUI48 and EUI64 types. [RT #33082]
+
+3544.	[contrib]	check5011.pl: Script to report the status of
+			managed keys as recorded in managed-keys.bind.
+			Contributed by Tony Finch <dot@dotat.at>
+
+3543.	[bug]		Update socket structure before attaching to socket
+			manager after accept. [RT #33084]
+
+3541.	[bug]		Parts of libdns were not properly initialized when
+			built in libexport mode. [RT #33028]
+
+3540.	[test]		libt_api: t_info and t_assert were not thread safe.
+
+3539.	[port]		win32: timestamp format didn't match other platforms.
+
+3538.	[test]		Running "make test" now requires loopback interfaces
+			to be set up. [RT #32452]
+
+3537.	[tuning]	Slave zones, when updated, now send NOTIFY messages
+			to peers before being dumped to disk rather than
+			after. [RT #27242]
+
+3535.	[bug]		Minor win32 cleanups. [RT #32962]
+
+3534.	[bug]		Extra text after an embedded NULL was ignored when
+			parsing zone files. [RT #32699]
+
+3533.	[contrib]	query-loc-0.4.0: memory leaks. [RT #32960]
+
+3532.	[contrib]	zkt: fixed buffer overrun, resource leaks. [RT #32960]
+
+3531.	[bug]		win32: A uninitialized value could be returned on out
+			of memory. [RT #32960]
+
+3530.	[contrib]	Better RTT tracking in queryperf. [RT #30128]
+
+3528.	[func]		New "dnssec-coverage" command scans the timing
+			metadata for a set of DNSSEC keys and reports if a
+			lapse in signing coverage has been scheduled
+			inadvertently. (Note: This tool depends on python;
+			it will not be built or installed on systems that
+			do not have a python interpreter.) [RT #28098]
+
+3527.	[compat]	Add a URI to allow applications to explicitly
+			request a particular XML schema from the statistics
+			channel, returning 404 if not supported. [RT #32481]
+
+3526.	[cleanup]	Set up dependencies for unit tests correctly during
+			build. [RT #32803]
+
+3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]
+
+3520.	[bug]		'mctx' was not being referenced counted in some places
+			where it should have been.  [RT #32794]
+
+	--- 9.9.3b2 released ---
+
+3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]
+
+3515.	[port]		'%T' is not portable in strftime(). [RT #32763]
+
+3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
+			rndc-confgen were too constrained. Keys up to 512
+			bits are now allowed for most algorithms, and up
+			to 1024 bits for hmac-sha384 and hmac-sha512.
+			[RT #32753]
+
+3511.	[doc]		Improve documentation of redirect zones. [RT #32756]
+
+3509.	[cleanup]	Added a product line to version file to allow for
+			easy naming of different products (BIND
+			vs BIND ESV, for example). [RT #32755]
+
+3508.	[contrib]	queryperf was incorrectly rejecting the -T option.
+			[RT #32338]
+
+3507.	[bug]		Statistics channel XSL (when built with
+			--enable-newstats) had a glitch when attempting
+			to chart query data before any queries had been
+			received. [RT #32620]
+
+3505.	[bug]		When setting "max-cache-size" and "max-acache-size",
+			larger values than 4 gigabytes could not be set
+			explicitly, though larger sizes were available
+			when setting cache size to 0. This has been
+			corrected; the full range is now available.
+			[RT #32358]
+
+3503.	[doc]		Clarify size_spec syntax. [RT #32449]
+
+3501.	[func]		zone-statistics now takes three options: full,
+			terse, and none. "yes" and "no" are retained as
+			synonyms for full and terse, respectively. [RT #29165]
+
+3500.	[security]	Support NAPTR regular expression validation on
+			all platforms without using libregex, which
+			can be vulnerable to memory exhaustion attack
+			(CVE-2013-2266). [RT #32688]
+
+3499.	[doc]		Corrected ARM documentation of built-in zones.
+			[RT #32694]
+
+3498.	[bug]		zone statistics for zones which matched a potential
+			empty zone could have their zone-statistics setting
+			overridden.
+
+3496.	[func]		Improvements to RPZ performance. The "response-policy"
+			syntax now includes a "min-ns-dots" clause, with
+			default 1, to exclude top-level domains from
+			NSIP and NSDNAME checking. --enable-rpz-nsip and
+			--enable-rpz-nsdname are now the default. [RT #32251]
+
+3493.	[contrib]	Added BDBHPT dynamically-lodable DLZ module,
+			contributed by Mark Goldfinch. [RT #32549]
+
+3492.	[bug]		Fixed a regression in zone loading performance
+			due to lock contention. [RT #30399]
+
+3491.	[bug]		Slave zones using inline-signing must specify a
+			file name. [RT #31946]
+
+3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
+			When cloning a rdataset do not copy the link contents.
+			[RT #32651]
+
+3488.	[bug]		Use after free error with DH generated keys. [RT #32649]
+
+3487.	[bug]		Change 3444 was not complete.  There was a additional
+			place where the NOQNAME proof needed to be saved.
+			[RT #32629]
+
+3486.	[bug]		named could crash when using TKEY-negotiated keys
+			that had been deleted and then recreated. [RT #32506]
+
+3485.	[cleanup]	Only compile openssl_gostlink.c if we support GOST.
+
+3483.	[bug]		Corrected XSL code in use with --enable-newstats.
+			[RT #32587]
+
+3481.	[cleanup]	Removed use of const const in atf.
+
+3480.	[bug]		Silence logging noise when setting up zone
+			statistics. [RT #32525]
+
+3479.	[bug]		Address potential memory leaks in gssapi support
+			code. [RT #32405]
+
+3478.	[port]		Fix a build failure in strict C99 environments
+			[RT #32475]
+
+3474.	[bug]		nsupdate could assert when the local and remote
+			address families didn't match. [RT #22897]
+
+3473.	[bug]		dnssec-signzone/verify could incorrectly report
+			an error condition due to an empty node above an
+			opt-out delegation lacking an NSEC3. [RT #32072]
+
+3471.	[bug]		The number of UDP dispatches now defaults to
+			the number of CPUs even if -n has been set to
+			a higher value. [RT #30964]
+
+3470.	[bug]		Slave zones could fail to dump when successfully
+			refreshing after an initial failure. [RT #31276]
+
+	--- 9.9.3b1 released ---
+
+3468.	[security]	RPZ rules to generate A records (but not AAAA records)
+			could trigger an assertion failure when used in
+			conjunction with DNS64 (CVE-2012-5689). [RT #32141]
+
+3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
+			to check for delete date < inactive date. [RT #31719]
+
+3466.	[contrib]	Corrected the DNS_CLIENTINFOMETHODS_VERSION check
+			in DLZ example driver. [RT #32275]
+
+3465.	[bug]		Handle isolated reserved ports. [RT #31778]
+
+3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
+			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]
+
+3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]
+
+3462.	[doc]		Clarify server selection behavior of dig when using
+			-4 or -6 options. [RT #32181]
+
+3461.	[bug]		Negative responses could incorrectly have AD=1
+			set. [RT #32237]
+
+3460.	[bug]		Only link against readline where needed. [RT #29810]
+
+3458.	[bug]		Return FORMERR when presented with a overly long
+			domain named in a request. [RT #29682]
+
+3457.	[protocol]	Add ILNP records (NID, LP, L32, L64). [RT #31836]
+
+3456.	[port]		g++47: ATF failed to compile. [RT #32012]
+
+3455.	[contrib]	queryperf: fix getopt option list. [RT #32338]
+
+3454.	[port]		sparc64: improve atomic support. [RT #25182]
+
+3453.	[bug]		'rndc addzone' of a zone with 'inline-signing yes;'
+			failed. [RT #31960]
+
+3452.	[bug]		Accept duplicate singleton records. [RT #32329]
+
+3451.	[port]		Increase per thread stack size from 64K to 1M.
+			[RT #32230]
+
+3450.	[bug]		Stop logfileconfig system test spam system logs.
+			[RT #32315]
+
+3449.	[bug]		gen.c: use the pre-processor to construct format
+			strings so that compiler can perform sanity checks;
+			check the snprintf results. [RT #17576]
+
+3448.	[bug]		The allow-query-on ACL was not processed correctly.
+			[RT #29486]
+
+3447.	[port]		Add support for libxml2-2.9.x [RT #32231]
+
+3446.	[port]		win32: Add source ID (see change #3400) to build.
+			[RT #31683]
+
+3445.	[bug]		Warn about zone files with blank owner names
+			immediately after $ORIGIN directives. [RT #31848]
+
+3444.	[bug]		The NOQNAME proof was not being returned from cached
+			insecure responses. [RT #21409]
+
+3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
+			rejected when generating keys. [RT #31927]
+
+3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
+			change. [RT #32216]
+
+3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.
+
+3440.	[bug]		Reorder get_key_struct to not trigger a assertion when
+			cleaning up due to out of memory error. [RT #32131]
+
+3439.	[bug]		contrib/dlz error checking fixes. [RT #32102]
+
+3438.	[bug]		Don't accept unknown data escape in quotes. [RT #32031]
+
+3437.	[bug]		isc_buffer_init -> isc_buffer_constinit to initialize
+			buffers with constant data. [RT #32064]
+
+3436.	[bug]		Check malloc/calloc return values. [RT #32088]
+
+3435.	[bug]		Cross compilation support in configure was broken.
+			[RT #32078]
+
+3431.	[bug]		ddns-confgen: Some valid key algorithms were
+			not accepted. [RT #31927]
+
+3430.	[bug]		win32: isc_time_formatISO8601 was missing the
+			'T' between the date and time. [RT #32044]
+
+3429.	[bug]		dns_zone_getserial2 could a return success without
+			returning a valid serial. [RT #32007]
+
+3428.	[cleanup]	dig: Add timezone to date output. [RT #2269]
+
+3427.	[bug]		dig +trace incorrectly displayed name server
+			addresses instead of names. [RT #31641]
+
+3426.	[bug]		dnssec-checkds: Clearer output when records are not
+			found. [RT #31968]
+
+3425.	[bug]		"acacheentry" reference counting was broken resulting
+			in use after free. [RT #31908]
+
+3424.	[func]		dnssec-dsfromkey now emits the hash without spaces.
+			[RT #31951]
+
+3423.	[bug]		"rndc signing -nsec3param" didn't accept the full
+			range of possible values.  Address portability issues.
+			[RT #31938]
+
+3422.	[bug]		Added a clear error message for when the SOA does not
+			match the referral. [RT #31281]
+
+3421.	[bug]		Named loops when re-signing if all keys are offline.
+			[RT #31916]
+
+3420.	[bug]		Address VPATH compilation issues. [RT #31879]
+
+3419.	[bug]		Memory leak on validation cancel. [RT #31869]
+
+3417.	[func]		Optional new XML schema (version 3.0) for the
+			statistics channel adds query type statistics at the
+			zone level, and flattens the XML tree and uses
+			compressed format to optimize parsing. Includes new XSL
+			that permits charting via the Google Charts API on
+			browsers that support javascript in XSL.  To enable,
+			build with "configure --enable-newstats". [RT #30023]
+
+3416.	[bug]		Named could die on shutdown if running with 128 UDP
+			dispatches per interface. [RT #31743]
+
+3415.	[bug]		named could die with a REQUIRE failure if a validation
+			was canceled. [RT #31804]
+
+3414.	[bug]		Address locking issues found by Coverity. [RT #31626]
+
+3412.	[bug]		Copy timeval structure from control message data.
+			[RT #31548]
+
+3411.	[tuning]	Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
+			to UDP. [RT #31690]
+
+3410.	[bug]		Addressed Coverity warnings. [RT #31626]
+
+3409.	[contrib]	contrib/dane/mkdane.sh: Tool to generate TLSA RR's
+			from X.509 certificates, for use with DANE
+			(DNS-based Authentication of Named Entities).
+			[RT #30513]
+
+3408.	[bug]		Some DNSSEC-related options (update-check-ksk,
+			dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
+			are now legal in slave zones as long as
+			inline-signing is in use. [RT #31078]
+
+3406.	[bug]		mem.c: Fix compilation errors when building with
+			ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
+			Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
+
+3405.	[bug]		Handle time going backwards in acache. [RT #31253]
+
+3404.	[bug]		dnssec-signzone: When re-signing a zone, remove
+			RRSIG and NSEC records from nodes that used to be
+			in-zone but are now below a zone cut. [RT #31556]
+
+3403.	[bug]		Silence noisy OpenSSL logging. [RT #31497]
+
+3402.	[test]		The IPv6 interface numbers used for system
+			tests were incorrect on some platforms. [RT #25085]
+
+3401.	[bug]		Addressed Coverity warnings. [RT #31484]
+
+3400.	[cleanup]	"named -V" can now report a source ID string, defined
+			in the "srcid" file in the build tree and normally set
+			to the most recent git hash.  [RT #31494]
+
+3399.	[port]		netbsd: rename 'bool' parameter to avoid namespace
+			clash.  [RT #31515]
+
+3398.	[bug]		SOA parameters were not being updated with inline
+			signed zones if the zone was modified while the
+			server was offline. [RT #29272]
+
+3397.	[bug]		dig crashed when using +nssearch with +tcp. [RT #25298]
+
+3396.	[bug]		OPT records were incorrectly removed from signed,
+			truncated responses. [RT #31439]
+
+3395.	[protocol]	Add RFC 6598 reverse zones to built in empty zones
+			list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
+			[RT #31336]
+
+3394.	[bug]		Adjust 'successfully validated after lower casing
+			signer' log level and category. [RT #31414]
+
+3393.	[bug]		'host -C' could core dump if REFUSED was received.
+			[RT #31381]
+
+3391.	[bug]		A DNSKEY lookup that encountered a CNAME failed.
+			[RT #31262]
+
+3390.	[bug]		Silence clang compiler warnings. [RT #30417]
+
+3389.	[bug]		Always return NOERROR (not 0) in TSIG. [RT #31275]
+
+3388.	[bug]		Fixed several Coverity warnings.
+			Note: This change includes a fix for a bug that
+			was subsequently determined to be an exploitable
+			security vulnerability, CVE-2012-5688: named could
+			die on specific queries with dns64 enabled.
+			[RT #30996]
+
+3386.	[bug]		Address locking violation when generating new NSEC /
+			NSEC3 chains. [RT #31224]
+
+3385.	[bug]		named-checkconf didn't detect missing master lists
+			in also-notify clauses. [RT #30810]
+
+3384.	[bug]		Improved logging of crypto errors. [RT #30963]
+
+3382.	[bug]		SOA query from slave used use-v6-udp-ports range,
+			if set, regardless of the address family in use.
+			[RT #24173]
+
+3381.	[contrib]	Update queryperf to support more RR types.
+			[RT #30762]
+
+3380.	[bug]		named could die if a nonexistent master list was
+			referenced in a also-notify. [RT #31004]
+
+3379.	[bug]		isc_interval_zero and isc_time_epoch should be
+			"const (type)* const". [RT #31069]
+
+3378.	[bug]		Handle missing 'managed-keys-directory' better.
+			[RT #30625]
+
+3377.	[bug]		Removed spurious newline from NSEC3 multiline
+			output. [RT #31044]
+
+3376.	[bug]		Lack of EDNS support was being recorded without a
+			successful response. [RT #30811]
+
+3375.	[func]		Check that 'rndc dumpdb' works on a empty cache.
+			[RT #30808]
+
+3374.	[bug]		isc_parse_uint32 failed to return a range error on
+			systems with 64 bit longs. [RT #30232]
+
+3372.	[bug]		Silence spurious "deleted from unreachable cache"
+			messages.  [RT #30501]
+
+3371.	[bug]		AD=1 should behave like DO=1 when deciding whether to
+			add NS RRsets to the additional section or not.
+			[RT #30479]
+
+3316.	[tuning]	Improved locking performance when recursing.
+			[RT #28836]
+
+3315.	[tuning]	Use multiple dispatch objects for sending upstream
+			queries; this can improve performance on busy
+			multiprocessor systems by reducing lock contention.
+			[RT #28605]

 	--- 9.9.2 released ---

 3383.	[security]	A certain combination of records in the RBT could
-                        cause named to hang while populating the additional
-                        section of a response. [RT #31090]
+			cause named to hang while populating the additional
+			section of a response. [RT #31090]

 3373.	[bug]		win32: open raw files in binary mode. [RT #30944]

@ -124,7 +610,7 @@
 			to get an answer. [RT #29492]

 3334.	[bug]		Hold a zone table reference while performing a
-			asyncronous load of a zone. [RT #28326]
+			asynchronous load of a zone. [RT #28326]

 3333.	[bug]		Setting resolver-query-timeout too low can cause
 			named to not recover if it loses connectivity.
@ -164,11 +650,11 @@
 	--- 9.9.1 released ---

 3318.	[tuning]	Reduce the amount of work performed while holding a
-			bucket lock when finshed with a fetch context.
+			bucket lock when finished with a fetch context.
 			[RT #29239]

-3314.	[bug]		The masters list could be updated while refesh_callback
-			and stub_callback were using it. [RT #26732]
+3314.	[bug]		The masters list could be updated while stub_callback
+			or refresh_callback were using it. [RT #26732]

 3313.	[protocol]	Add TLSA record type. [RT #28989]

@ -180,7 +666,7 @@

 3310.	[test]		Increase table size for mutex profiling. [RT #28809]

-3309.	[bug]		resolver.c:fctx_finddone() was not threadsafe.
+3309.	[bug]		resolver.c:fctx_finddone() was not thread safe.
 			[RT #27995]

 3307.	[bug]		Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
@ -396,7 +882,7 @@
 			have different serial numbers.

 			(Note: raw zonefiles generated by this version of
-			BIND are no longer compatble with prior versions.
+			BIND are no longer compatible with prior versions.
 			To generate a backward-compatible raw zonefile
 			using dnssec-signzone or named-compilezone, specify
 			output format "raw=0" instead of simply "raw".)
@ -430,7 +916,7 @@
 3232.	[bug]		Zero zone->curmaster before return in
 			dns_zone_setmasterswithkeys(). [RT #26732]

-3231.	[bug]		named could fail to send a uncompressable zone.
+3231.	[bug]		named could fail to send a incompressible zone.
 			[RT #26796]

 3230.	[bug]		'dig axfr' failed to properly handle a multi-message
@ -458,7 +944,7 @@
 3222.	[cleanup]	Replace dns_journal_{get,set}_bitws with
 			dns_journal_{get,set}_sourceserial. [RT #26634]

-3221.	[bug]		Fixed a potential coredump on shutdown due to
+3221.	[bug]		Fixed a potential core dump on shutdown due to
 			referencing fetch context after it's been freed.
 			[RT #26720]

@ -498,7 +984,7 @@

 3209.	[func]		Add "dnssec-lookaside 'no'".  [RT #24858]

-3208.	[bug]		'dig -y' handle unknown tsig alorithm better.
+3208.	[bug]		'dig -y' handle unknown tsig algorithm better.
 			[RT #25522]

 3207.	[contrib]	Fixed build error in Berkeley DB DLZ module. [RT #26444]
@ -506,7 +992,7 @@
 3206.	[cleanup]	Add ISC information to log at start time. [RT #25484]

 3205.	[func]		Upgrade dig's defaults to better reflect modern
-			nameserver behaviour.  Enable "dig +adflag" and
+			nameserver behavior.  Enable "dig +adflag" and
 			"dig +edns=0" by default.  Enable "+dnssec" when
 			running "dig +trace". [RT #23497]

@ -517,7 +1003,7 @@
 3203.	[bug]		Increase log level to 'info' for validation failures
 			from expired or not-yet-valid RRSIGs. [RT #21796]

-3202.	[bug]		NOEDNS caching on timeout was too agressive.
+3202.	[bug]		NOEDNS caching on timeout was too aggressive.
 			[RT #26416]

 3201.	[func]		'rndc querylog' can now be given an on/off parameter
@ -969,7 +1455,7 @@
 			key.  When possible, automatic signing will use that
 			TTL when the key is published.  [RT #23304]

-3075.	[bug]		dns_dnssec_findzonekeys{2} used a inconsistant
+3075.	[bug]		dns_dnssec_findzonekeys{2} used a inconsistent
 			timestamp when determining which keys are active.
 			[RT #23642]

@ -983,7 +1469,7 @@
 3072.	[bug]		dns_dns64_aaaaok() potential NULL pointer dereference.
 			[RT #20256]

-3071.	[bug]		has_nsec could be used unintialised in
+3071.	[bug]		has_nsec could be used uninitialized in
 			update.c:next_active. [RT #20256]

 3070.	[bug]		dnssec-signzone potential NULL pointer dereference.
@ -1052,7 +1538,7 @@

 3052.	[test]		Fixed last autosign test report. [RT #23256]

-3051.	[bug]		NS records obsure DNAME records at the bottom of the
+3051.	[bug]		NS records obscure DNAME records at the bottom of the
 			zone if both are present. [RT #23035]

 3050.	[bug]		The autosign system test was timing dependent.
@ -1062,7 +1548,7 @@
 3049.	[bug]		Save and restore the gid when creating creating
 			named.pid at startup. [RT #23290]

-3048.	[bug]		Fully separate view key mangement. [RT #23419]
+3048.	[bug]		Fully separate view key management. [RT #23419]

 3047.	[bug]		DNSKEY NODATA responses not cached fixed in
 			validator.c. Tests added to dnssec system test.
@ -1402,7 +1888,7 @@
 			no data response. [RT #21744]

 2952.	[port]		win32: named-checkzone and named-checkconf failed
-			to initialise winsock. [RT #21932]
+			to initialize winsock. [RT #21932]

 2951.	[bug]		named failed to generate a correct signed response
 			in a optout, delegation only zone with no secure
@ -1448,7 +1934,7 @@
 			in use. [RT# 21868]

 2938.	[bug]		When generating signed responses, from a signed zone
-			that uses NSEC3, named would use a uninitialised
+			that uses NSEC3, named would use a uninitialized
 			pointer if it needed to skip a NSEC3 record because
 			it didn't match the selected NSEC3PARAM record for
 			zone. [RT# 21868]
@ -1502,7 +1988,7 @@
 			revisit the issue and complete the fix later.
 			[RT #21710]

-2930.	[experimental]	New "rndc addzone" and "rndc delzone" commads
+2930.	[experimental]	New "rndc addzone" and "rndc delzone" commands
 			allow dynamic addition and deletion of zones.
 			To enable this feature, specify a "new-zone-file"
 			option at the view or options level in named.conf.
@ -1678,7 +2164,7 @@
 			successfully responds to the query using plain DNS.
 			[RT #20930]

-2873.	[bug]		Cancelling a dynamic update via the dns/client module
+2873.	[bug]		Canceling a dynamic update via the dns/client module
 			could trigger an assertion failure. [RT #21133]

 2872.	[bug]		Modify dns/client.c:dns_client_createx() to only
@ -1720,7 +2206,7 @@

 2860.	[bug]		named-checkconf's usage was out of date. [RT #21039]

-2859.	[bug]		When cancelling validation it was possible to leak
+2859.	[bug]		When canceling validation it was possible to leak
 			memory. [RT #20800]

 2858.	[bug]		RTT estimates were not being adjusted on ICMP errors.
@ -2273,7 +2759,7 @@

 2695.	[func]		DHCP/DDNS - update fdwatch code for use by
 			DHCP.  Modify the api to isc_sockfdwatch_t (the
-			callback functon for isc_socket_fdwatchcreate)
+			callback function for isc_socket_fdwatchcreate)
 			to include information about the direction (read
 			or write) and add isc_socket_fdwatchpoke.
 			[RT #20253]
@ -2338,7 +2824,7 @@
 			  sets the time when a key is no longer used for
 			  signing but is still published.
 			- The "unpublished" date (-U) is deprecated in
-			  favour of "deleted" (-D).
+			  favor of "deleted" (-D).
 			[RT #20247]

 2676.	[bug]		--with-export-installdir should have been
@ -2784,7 +3270,7 @@

 2553.	[bug]		Reference leak on DNSSEC validation errors. [RT #19291]

-2552.	[bug]		zero-no-soa-ttl-cache was not being honoured.
+2552.	[bug]		zero-no-soa-ttl-cache was not being honored.
 			[RT #19340]

 2551.	[bug]		Potential Reference leak on return. [RT #19341]
@ -2837,7 +3323,7 @@

 2534.	[func]		Check NAPTR records regular expressions and
 			replacement strings to ensure they are syntactically
-			valid and consistant. [RT #18168]
+			valid and consistent. [RT #18168]

 2533.	[doc]		ARM: document @ (at-sign). [RT #17144]

--- a/external/bsd/bind/dist/REDIRECT-NOTES
+++ b/external/bsd/bind/dist/REDIRECT-NOTES
@ -1,35 +0,0 @@
-Redirect zones are used to find answers to queries when normal resolution
-would result in NXDOMAIN being returned.  Only one redirect zone per view
-is currently supported.
-
-To redirect to 100.100.100.2 and 2001:ffff:ffff::100.100.100.2 on NXDOMAIN
-one would configure the redirect zone like this.
-
-zone "." {
-	type redirect;
-	file "redirect.db";
-};
-
-redirect.db:
-$TTL 300
-@ IN SOA ns.example.net hostmaster.example.net 0 0 0 0 0
-@ IN NS ns.example.net
-;
-; NS records do not need address records in this zone as it is not in the
-; normal namespace.
-;
-*. IN A 100.100.100.2
-*. IN AAAA 2001:ffff:ffff::100.100.100.2
-
-To redirect all Spanish names (under .ES) one would use entries like these:
-
-*.ES. IN A 100.100.100.3
-*.ES. IN AAAA 2001:ffff:ffff::100.100.100.3
-
-To redirect all commercial Spanish names (under COM.ES) one would use
-entries like these:
-*.COM.ES. IN A 100.100.100.4
-*.COM.ES. IN AAAA 2001:ffff:ffff::100.100.100.4
-
-The redirect zone supports all possible types.  It is not limited to
-A and AAAA record.
--- a/external/bsd/bind/dist/bin/check/check-tool.c
+++ b/external/bsd/bind/dist/bin/check/check-tool.c
@ -1,7 +1,7 @@
-/*	$NetBSD: check-tool.c,v 1.4 2012/12/04 23:38:38 spz Exp $	*/
+/*	$NetBSD: check-tool.c,v 1.5 2013/07/27 19:23:09 christos Exp $	*/

 /*
- * Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000-2002  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -198,6 +198,10 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
 		a->type == dns_rdatatype_a);
 	REQUIRE(aaaa == NULL || !dns_rdataset_isassociated(aaaa) ||
 		aaaa->type == dns_rdatatype_aaaa);
+
+	if (a == NULL || aaaa == NULL)
+		return (answer);
+
 	memset(&hints, 0, sizeof(hints));
 	hints.ai_flags = AI_CANONNAME;
 	hints.ai_family = PF_UNSPEC;
@ -260,8 +264,7 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
 		}
 		return (ISC_TRUE);
 	}
-	if (a == NULL || aaaa == NULL)
-		return (answer);
+
 	/*
 	 * Check that all glue records really exist.
 	 */
@ -599,7 +602,7 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,

 	dns_zone_settype(zone, dns_zone_master);

-	isc_buffer_init(&buffer, zonename, strlen(zonename));
+	isc_buffer_constinit(&buffer, zonename, strlen(zonename));
 	isc_buffer_add(&buffer, strlen(zonename));
 	dns_fixedname_init(&fixorigin);
 	origin = dns_fixedname_name(&fixorigin);
--- a/external/bsd/bind/dist/bin/check/named-checkconf.c
+++ b/external/bsd/bind/dist/bin/check/named-checkconf.c
@ -1,7 +1,7 @@
-/*	$NetBSD: named-checkconf.c,v 1.5 2013/03/24 18:44:37 christos Exp $	*/
+/*	$NetBSD: named-checkconf.c,v 1.6 2013/07/27 19:23:09 christos Exp $	*/

 /*
- * Copyright (C) 2004-2007, 2009-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009-2013  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2002  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -296,6 +296,18 @@ configure_zone(const char *vclass, const char *view,
 			zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
 	}

+	obj = NULL;
+	if (get_maps(maps, "check-spf", &obj)) {
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			zone_options |= DNS_ZONEOPT_CHECKSPF;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			zone_options &= ~DNS_ZONEOPT_CHECKSPF;
+		} else
+			INSIST(0);
+	} else {
+		zone_options |= DNS_ZONEOPT_CHECKSPF;
+	}
+
 	obj = NULL;
 	if (get_checknames(maps, &obj)) {
 		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
@ -474,6 +486,7 @@ main(int argc, char **argv) {
 			if (isc_commandline_option != '?')
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
+			/* FALLTHROUGH */
 		case 'h':
 			usage();

--- a/external/bsd/bind/dist/bin/check/named-checkzone.8
+++ b/external/bsd/bind/dist/bin/check/named-checkzone.8
@ -1,6 +1,6 @@
-.\"	$NetBSD: named-checkzone.8,v 1.3 2012/06/05 00:38:49 christos Exp $
+.\"	$NetBSD: named-checkzone.8,v 1.4 2013/07/27 19:23:09 christos Exp $
 .\"
-.\" Copyright (C) 2004-2007, 2009-2011 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007, 2009-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2002 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@ -35,9 +35,9 @@
 named\-checkzone, named\-compilezone \- zone file validity checking or converting tool
 .SH "SYNOPSIS"
 .HP 16
-\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
+\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
 .HP 18
-\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} {filename}
+\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} {filename}
 .SH "DESCRIPTION"
 .PP
 \fBnamed\-checkzone\fR
@ -251,6 +251,14 @@ Chroot to
 so that include directives in the configuration file are processed as if run by a similarly chrooted named.
 .RE
 .PP
+\-T \fImode\fR
+.RS 4
+Check if Sender Policy Framework records (TXT and SPF) both exist or both don't exist. A warning is issued if they don't match. Possible modes are
+\fB"warn"\fR
+(default),
+\fB"ignore"\fR.
+.RE
+.PP
 \-w \fIdirectory\fR
 .RS 4
 chdir to
@ -296,7 +304,7 @@ BIND 9 Administrator Reference Manual.
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2007, 2009\-2011 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2007, 2009\-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000\-2002 Internet Software Consortium.
 .br
--- a/external/bsd/bind/dist/bin/check/named-checkzone.c
+++ b/external/bsd/bind/dist/bin/check/named-checkzone.c
@ -1,7 +1,7 @@
-/*	$NetBSD: named-checkzone.c,v 1.4 2013/03/24 18:44:37 christos Exp $	*/
+/*	$NetBSD: named-checkzone.c,v 1.5 2013/07/27 19:23:09 christos Exp $	*/

 /*
- * Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -156,19 +156,21 @@ main(int argc, char **argv) {
 	if (progmode == progmode_compile) {
 		zone_options |= (DNS_ZONEOPT_CHECKNS |
 				 DNS_ZONEOPT_FATALNS |
+				 DNS_ZONEOPT_CHECKSPF |
 				 DNS_ZONEOPT_CHECKDUPRR |
 				 DNS_ZONEOPT_CHECKNAMES |
 				 DNS_ZONEOPT_CHECKNAMESFAIL |
 				 DNS_ZONEOPT_CHECKWILDCARD);
 	} else
-		zone_options |= DNS_ZONEOPT_CHECKDUPRR;
+		zone_options |= (DNS_ZONEOPT_CHECKDUPRR |
+				 DNS_ZONEOPT_CHECKSPF);

 #define ARGCMP(X) (strcmp(isc_commandline_argument, X) == 0)

 	isc_commandline_errprint = ISC_FALSE;

 	while ((c = isc_commandline_parse(argc, argv,
-			       "c:df:hi:jk:L:m:n:qr:s:t:o:vw:DF:M:S:W:"))
+			       "c:df:hi:jk:L:m:n:qr:s:t:o:vw:DF:M:S:T:W:"))
 	       != EOF) {
 		switch (c) {
 		case 'c':
@ -385,6 +387,18 @@ main(int argc, char **argv) {
 			}
 			break;

+		case 'T':
+			if (ARGCMP("warn")) {
+				zone_options |= DNS_ZONEOPT_CHECKSPF;
+			} else if (ARGCMP("ignore")) {
+				zone_options &= ~DNS_ZONEOPT_CHECKSPF;
+			} else {
+				fprintf(stderr, "invalid argument to -T: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+
 		case 'W':
 			if (ARGCMP("warn"))
 				zone_options |= DNS_ZONEOPT_CHECKWILDCARD;
@ -396,6 +410,7 @@ main(int argc, char **argv) {
 			if (isc_commandline_option != '?')
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					prog_name, isc_commandline_option);
+			/* FALLTHROUGH */
 		case 'h':
 			usage();

--- a/external/bsd/bind/dist/bin/confgen/keygen.c
+++ b/external/bsd/bind/dist/bin/confgen/keygen.c
@ -1,7 +1,7 @@
-/*	$NetBSD: keygen.c,v 1.3 2012/06/05 00:38:51 christos Exp $	*/
+/*	$NetBSD: keygen.c,v 1.4 2013/07/27 19:23:09 christos Exp $	*/

 /*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@ -128,13 +128,17 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,

 	switch (alg) {
 	    case DST_ALG_HMACMD5:
+	    case DST_ALG_HMACSHA1:
+	    case DST_ALG_HMACSHA224:
+	    case DST_ALG_HMACSHA256:
 		if (keysize < 1 || keysize > 512)
 			fatal("keysize %d out of range (must be 1-512)\n",
 			      keysize);
 		break;
-	    case DST_ALG_HMACSHA256:
-		if (keysize < 1 || keysize > 256)
-			fatal("keysize %d out of range (must be 1-256)\n",
+	    case DST_ALG_HMACSHA384:
+	    case DST_ALG_HMACSHA512:
+		if (keysize < 1 || keysize > 1024)
+			fatal("keysize %d out of range (must be 1-1024)\n",
 			      keysize);
 		break;
 	    default:
--- a/external/bsd/bind/dist/bin/confgen/rndc-confgen.c
+++ b/external/bsd/bind/dist/bin/confgen/rndc-confgen.c
@ -1,7 +1,7 @@
-/*	$NetBSD: rndc-confgen.c,v 1.5 2013/03/24 18:44:37 christos Exp $	*/
+/*	$NetBSD: rndc-confgen.c,v 1.6 2013/07/27 19:23:09 christos Exp $	*/

 /*
- * Copyright (C) 2004, 2005, 2007-2009, 2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009, 2011, 2013  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2001, 2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -143,8 +143,6 @@ main(int argc, char **argv) {
 			keysize = strtol(isc_commandline_argument, &p, 10);
 			if (*p != '\0' || keysize < 0)
 				fatal("-b requires a non-negative number");
-			if (keysize < 1 || keysize > 512)
-				fatal("-b must be in the range 1 through 512");
 			break;
 		case 'c':
 			keyfile = isc_commandline_argument;
--- a/external/bsd/bind/dist/bin/dig/dig.1
+++ b/external/bsd/bind/dist/bin/dig/dig.1
@ -1,6 +1,6 @@
-.\"	$NetBSD: dig.1,v 1.4 2012/06/05 00:38:52 christos Exp $
+.\"	$NetBSD: dig.1,v 1.5 2013/07/27 19:23:09 christos Exp $
 .\"
-.\" Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@ -59,7 +59,9 @@ allows multiple lookups to be issued from the command line.
 Unless it is told to query a specific name server,
 \fBdig\fR
 will try each of the servers listed in
-\fI/etc/resolv.conf\fR.
+\fI/etc/resolv.conf\fR. If no usable server addreses are found,
+\fBdig\fR
+will send the query to the local host.
 .PP
 When no command line arguments or options are given,
 \fBdig\fR
@ -97,13 +99,20 @@ is the name or IP address of the name server to query. This can be an IPv4 addre
 \fIserver\fR
 argument is a hostname,
 \fBdig\fR
-resolves that name before querying that name server. If no
+resolves that name before querying that name server.
+.sp
+If no
 \fIserver\fR
 argument is provided,
 \fBdig\fR
 consults
-\fI/etc/resolv.conf\fR
-and queries the name servers listed there. The reply from the name server that responds is displayed.
+\fI/etc/resolv.conf\fR; if an address is found there, it queries the name server at that address. If either of the
+\fB\-4\fR
+or
+\fB\-6\fR
+options are in use, then only addresses for the corresponding transport will be tried. If no usable addresses are found,
+\fBdig\fR
+will send the query to the local host. The reply from the name server that responds is displayed.
 .RE
 .PP
 \fBname\fR
@ -590,7 +599,7 @@ RFC1035.
 .PP
 There are probably too many query options.
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2011 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000\-2003 Internet Software Consortium.
 .br
--- a/external/bsd/bind/dist/bin/dig/dig.c
+++ b/external/bsd/bind/dist/bin/dig/dig.c
@ -1,7 +1,7 @@
-/*	$NetBSD: dig.c,v 1.5 2013/03/24 18:44:37 christos Exp $	*/
+/*	$NetBSD: dig.c,v 1.6 2013/07/27 19:23:09 christos Exp $	*/

 /*
- * Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000-2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -190,7 +190,7 @@ help(void) {
 "                 +domain=###         (Set default domainname)\n"
 "                 +bufsize=###        (Set EDNS0 Max UDP packet size)\n"
 "                 +ndots=###          (Set NDOTS value)\n"
-"                 +edns=###           (Set EDNS version) [0]\n"
+"                 +[no]edns[=###]     (Set EDNS version) [0]\n"
 "                 +[no]search         (Set whether to use searchlist)\n"
 "                 +[no]showsearch     (Search with intermediate results)\n"
 "                 +[no]defname        (Ditto)\n"
@ -247,6 +247,8 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 	isc_uint64_t diff;
 	isc_time_t now;
 	time_t tnow;
+	struct tm tmnow;
+	char time_str[100];
 	char fromtext[ISC_SOCKADDR_FORMATSIZE];

 	isc_sockaddr_format(from, fromtext, sizeof(fromtext));
@ -258,7 +260,10 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 		printf(";; Query time: %ld msec\n", (long int)diff/1000);
 		printf(";; SERVER: %s(%s)\n", fromtext, query->servname);
 		time(&tnow);
-		printf(";; WHEN: %s", ctime(&tnow));
+		tmnow  = *localtime(&tnow);
+		if (strftime(time_str, sizeof(time_str),
+			     "%a %b %d %H:%M:%S %Z %Y", &tmnow) > 0U)
+			printf(";; WHEN: %s\n", time_str);
 		if (query->lookup->doing_xfr) {
 			printf(";; XFR size: %u records (messages %u, "
 			       "bytes %" ISC_PRINT_QUADFORMAT "u)\n",
@ -266,7 +271,6 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 			       query->byte_count);
 		} else {
 			printf(";; MSG SIZE  rcvd: %u\n", bytes);
-
 		}
 		if (key != NULL) {
 			if (!validated)
@ -283,7 +287,7 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 		       "from %s(%s) in %d ms\n\n",
 		       query->lookup->doing_xfr ?
 				query->byte_count : (isc_uint64_t)bytes,
-		       fromtext, query->servname,
+		       fromtext, query->userarg,
 		       (int)diff/1000);
 	}
 }
@ -546,6 +550,13 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 				printf(";; WARNING: recursion requested "
 				       "but not available\n");
 		}
+		if (msg != query->lookup->sendmsg &&
+		    query->lookup->edns != -1 && msg->opt == NULL &&
+		    (msg->rcode == dns_rcode_formerr ||
+		     msg->rcode == dns_rcode_notimp))
+			printf("\n;; WARNING: EDNS query returned status "
+			       "%s - retry with '+noedns'\n",
+			       rcode_totext(msg->rcode));
 		if (msg != query->lookup->sendmsg && extrabytes != 0U)
 			printf(";; WARNING: Messages has %u extra byte%s at "
 			       "end\n", extrabytes, extrabytes != 0 ? "s" : "");
@ -877,8 +888,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 			lookup->edns = -1;
 			break;
 		}
-		if (value == NULL)
-			goto need_value;
+		if (value == NULL) {
+			lookup->edns = 0;
+			break;
+		}
 		result = parse_uint(&num, value, 255, "edns");
 		if (result != ISC_R_SUCCESS)
 			fatal("Couldn't parse edns");
--- a/external/bsd/bind/dist/bin/dig/dighost.c
+++ b/external/bsd/bind/dist/bin/dig/dighost.c
@ -1,7 +1,7 @@
-/*	$NetBSD: dighost.c,v 1.9 2012/06/05 00:38:53 christos Exp $	*/
+/*	$NetBSD: dighost.c,v 1.10 2013/07/27 19:23:09 christos Exp $	*/

 /*
- * Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000-2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -793,6 +793,7 @@ make_empty_lookup(void) {
 	looknew->need_search = ISC_FALSE;
 	ISC_LINK_INIT(looknew, link);
 	ISC_LIST_INIT(looknew->q);
+	ISC_LIST_INIT(looknew->connecting);
 	ISC_LIST_INIT(looknew->my_server_list);
 	return (looknew);
 }
@ -814,11 +815,11 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {

 	looknew = make_empty_lookup();
 	INSIST(looknew != NULL);
-	strncpy(looknew->textname, lookold->textname, MXNAME);
+	strlcpy(looknew->textname, lookold->textname, MXNAME);
 #if DIG_SIGCHASE_TD
-	strncpy(looknew->textnamesigchase, lookold->textnamesigchase, MXNAME);
+	strlcpy(looknew->textnamesigchase, lookold->textnamesigchase, MXNAME);
 #endif
-	strncpy(looknew->cmdline, lookold->cmdline, MXNAME);
+	strlcpy(looknew->cmdline, lookold->cmdline, MXNAME);
 	looknew->textname[MXNAME-1] = 0;
 	looknew->rdtype = lookold->rdtype;
 	looknew->qrdtype = lookold->qrdtype;
@ -995,7 +996,7 @@ parse_hmac(const char *hmac) {
 	len = strlen(hmac);
 	if (len >= (int) sizeof(buf))
 		fatal("unknown key type '%.*s'", len, hmac);
-	strncpy(buf, hmac, sizeof(buf));
+	strlcpy(buf, hmac, sizeof(buf));

 	digestbits = 0;

@ -1077,8 +1078,8 @@ read_confkey(void) {
 	secretstr = cfg_obj_asstring(secretobj);
 	algorithm = cfg_obj_asstring(algorithmobj);

-	strncpy(keynametext, keyname, sizeof(keynametext));
-	strncpy(keysecret, secretstr, sizeof(keysecret));
+	strlcpy(keynametext, keyname, sizeof(keynametext));
+	strlcpy(keysecret, secretstr, sizeof(keysecret));
 	parse_hmac(algorithm);
 	setup_text_key();

@ -1161,7 +1162,7 @@ make_searchlist_entry(char *domain) {
 	if (search == NULL)
 		fatal("memory allocation failure in %s:%d",
 		      __FILE__, __LINE__);
-	strncpy(search->origin, domain, MXNAME);
+	strlcpy(search->origin, domain, MXNAME);
 	search->origin[MXNAME-1] = 0;
 	ISC_LINK_INIT(search, link);
 	return (search);
@ -1470,7 +1471,10 @@ clear_query(dig_query_t *query) {
 	if (lookup->current_query == query)
 		lookup->current_query = NULL;

-	ISC_LIST_UNLINK(lookup->q, query, link);
+	if (ISC_LINK_LINKED(query, link))
+		ISC_LIST_UNLINK(lookup->q, query, link);
+	if (ISC_LINK_LINKED(query, clink))
+		ISC_LIST_UNLINK(lookup->connecting, query, clink);
 	if (ISC_LINK_LINKED(&query->recvbuf, link))
 		ISC_LIST_DEQUEUE(query->recvlist, &query->recvbuf,
 				 link);
@ -1478,6 +1482,7 @@ clear_query(dig_query_t *query) {
 		ISC_LIST_DEQUEUE(query->lengthlist, &query->lengthbuf,
 				 link);
 	INSIST(query->recvspace != NULL);
+
 	if (query->sock != NULL) {
 		isc_socket_detach(&query->sock);
 		sockcount--;
@ -1505,13 +1510,22 @@ try_clear_lookup(dig_lookup_t *lookup) {

 	debug("try_clear_lookup(%p)", lookup);

-	if (ISC_LIST_HEAD(lookup->q) != NULL) {
+	if (ISC_LIST_HEAD(lookup->q) != NULL ||
+	    ISC_LIST_HEAD(lookup->connecting) != NULL)
+	{
 		if (debugging) {
 			q = ISC_LIST_HEAD(lookup->q);
 			while (q != NULL) {
 				debug("query to %s still pending", q->servname);
 				q = ISC_LIST_NEXT(q, link);
 			}
+
+			q = ISC_LIST_HEAD(lookup->connecting);
+			while (q != NULL) {
+				debug("query to %s still connecting",
+				      q->servname);
+				q = ISC_LIST_NEXT(q, clink);
+			}
 		}
 		return (ISC_FALSE);
 	}
@ -1639,7 +1653,7 @@ start_lookup(void) {
 				= current_lookup->rdclassset;
 			current_lookup->rdclass = dns_rdataclass_in;

-			strncpy(current_lookup->textnamesigchase,
+			strlcpy(current_lookup->textnamesigchase,
 				current_lookup->textname, MXNAME);

 			current_lookup->trace_root_sigchase = ISC_TRUE;
@ -1651,7 +1665,7 @@ start_lookup(void) {
 			check_result(result, "dns_name_totext");
 			isc_buffer_usedregion(b, &r);
 			r.base[r.length] = '\0';
-			strncpy(current_lookup->textname, (char*)r.base,
+			strlcpy(current_lookup->textname, (char*)r.base,
 				MXNAME);
 			isc_buffer_free(&b);

@ -2288,7 +2302,6 @@ setup_lookup(dig_lookup_t *lookup) {
 		query->rr_count = 0;
 		query->msg_count = 0;
 		query->byte_count = 0;
-		ISC_LINK_INIT(query, link);
 		ISC_LIST_INIT(query->recvlist);
 		ISC_LIST_INIT(query->lengthlist);
 		query->sock = NULL;
@ -2301,6 +2314,7 @@ setup_lookup(dig_lookup_t *lookup) {
 		isc_buffer_init(&query->slbuf, query->slspace, 2);
 		query->sendbuf = lookup->renderbuf;

+		ISC_LINK_INIT(query, clink);
 		ISC_LINK_INIT(query, link);
 		ISC_LIST_ENQUEUE(lookup->q, query, link);
 	}
@ -2343,7 +2357,7 @@ send_done(isc_task_t *_task, isc_event_t *event) {
 	query->waiting_senddone = ISC_FALSE;
 	l = query->lookup;

-	if (l->ns_search_only && !l->trace_root) {
+	if (l->ns_search_only && !l->trace_root && !l->tcp_mode) {
 		debug("sending next, since searching");
 		next = ISC_LIST_NEXT(query, link);
 		if (next != NULL)
@ -2422,6 +2436,7 @@ static void
 force_timeout(dig_lookup_t *l, dig_query_t *query) {
 	isc_event_t *event;

+	debug("force_timeout ()");
 	event = isc_event_allocate(mctx, query, ISC_TIMEREVENT_IDLE,
 				   connect_timeout, l,
 				   sizeof(isc_event_t));
@ -2489,6 +2504,7 @@ send_tcp_connect(dig_query_t *query) {
 		send_tcp_connect(next);
 		return;
 	}
+
 	INSIST(query->sock == NULL);
 	result = isc_socket_create(socketmgr,
 				   isc_sockaddr_pf(&query->sockaddr),
@ -2519,6 +2535,9 @@ send_tcp_connect(dig_query_t *query) {
 	if (l->ns_search_only && !l->trace_root) {
 		debug("sending next, since searching");
 		next = ISC_LIST_NEXT(query, link);
+		if (ISC_LINK_LINKED(query, link))
+			ISC_LIST_DEQUEUE(l->q, query, link);
+		ISC_LIST_ENQUEUE(l->connecting, query, clink);
 		if (next != NULL)
 			send_tcp_connect(next);
 	}
@ -2599,7 +2618,7 @@ send_udp(dig_query_t *query) {
 static void
 connect_timeout(isc_task_t *task, isc_event_t *event) {
 	dig_lookup_t *l = NULL;
-	dig_query_t *query = NULL, *cq;
+	dig_query_t *query = NULL, *next, *cq;

 	UNUSED(task);
 	REQUIRE(event->ev_type == ISC_TIMEREVENT_IDLE);
@ -2623,7 +2642,9 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
 			if (query->sock != NULL)
 				isc_socket_cancel(query->sock, NULL,
 						  ISC_SOCKCANCEL_ALL);
-			send_tcp_connect(ISC_LIST_NEXT(cq, link));
+			next = ISC_LIST_NEXT(cq, link);
+			if (next != NULL)
+				send_tcp_connect(next);
 		}
 		UNLOCK_LOOKUP;
 		return;
@ -2866,9 +2887,8 @@ connect_done(isc_task_t *task, isc_event_t *event) {
 		if (next != NULL) {
 			bringup_timer(next, TCP_TIMEOUT);
 			send_tcp_connect(next);
-		} else {
+		} else
 			check_next_lookup(l);
-		}
 		UNLOCK_LOOKUP;
 		return;
 	}
@ -3425,6 +3445,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 				if (n == 0)
 					docancel = ISC_TRUE;
 				l->trace_root = ISC_FALSE;
+				usesearch = ISC_FALSE;
 			} else
 #ifdef DIG_SIGCHASE
 				if (!do_sigchase)
@ -3601,15 +3622,19 @@ getaddresses(dig_lookup_t *lookup, const char *host, isc_result_t *resultp) {
 */
 void
 do_lookup(dig_lookup_t *lookup) {
+	dig_query_t *query;

 	REQUIRE(lookup != NULL);

 	debug("do_lookup()");
 	lookup->pending = ISC_TRUE;
-	if (lookup->tcp_mode)
-		send_tcp_connect(ISC_LIST_HEAD(lookup->q));
-	else
-		send_udp(ISC_LIST_HEAD(lookup->q));
+	query = ISC_LIST_HEAD(lookup->q);
+	if (query != NULL) {
+		if (lookup->tcp_mode)
+			send_tcp_connect(query);
+		else
+			send_udp(query);
+	}
 }

 /*%
@ -4081,7 +4106,7 @@ sigchase_scanname(dns_rdatatype_t type, dns_rdatatype_t covers,
 	check_result(result, "dns_name_totext");
 	isc_buffer_usedregion(b, &r);
 	r.base[r.length] = '\0';
-	strcpy(lookup->textname, (char*)r.base);
+	strlcpy(lookup->textname, (char*)r.base, sizeof(lookup->textname));
 	isc_buffer_free(&b);

 	if (type ==  dns_rdatatype_rrsig)
@ -4206,7 +4231,7 @@ opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) {
 			return (ISC_R_NOMEMORY);

 		memset(tempnamekey, 0, tempnamekeylen);
-		strncpy(tempnamekey, tempname, tempnamelen);
+		strlcpy(tempnamekey, tempname, tempnamelen);
 		strcat(tempnamekey ,".key");


@ -4340,7 +4365,7 @@ prepare_lookup(dns_name_t *name)
 	lookup->new_search = ISC_TRUE;
 	lookup->trace_root_sigchase = ISC_FALSE;

-	strncpy(lookup->textname, lookup->textnamesigchase, MXNAME);
+	strlcpy(lookup->textname, lookup->textnamesigchase, MXNAME);

 	lookup->rdtype = lookup->rdtype_sigchase;
 	lookup->rdtypeset = ISC_TRUE;
@ -4399,7 +4424,7 @@ prepare_lookup(dns_name_t *name)
 				dns_rdata_totext(&aaaa, &ns.name, b);
 				isc_buffer_usedregion(b, &r);
 				r.base[r.length] = '\0';
-				strncpy(namestr, (char*)r.base,
+				strlcpy(namestr, (char*)r.base,
 					DNS_NAME_FORMATSIZE);
 				isc_buffer_free(&b);
 				dns_rdata_reset(&aaaa);
@ -4428,7 +4453,7 @@ prepare_lookup(dns_name_t *name)
 				dns_rdata_totext(&a, &ns.name, b);
 				isc_buffer_usedregion(b, &r);
 				r.base[r.length] = '\0';
-				strncpy(namestr, (char*)r.base,
+				strlcpy(namestr, (char*)r.base,
 					DNS_NAME_FORMATSIZE);
 				isc_buffer_free(&b);
 				dns_rdata_reset(&a);
@ -4607,7 +4632,6 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
 {
 	isc_result_t result;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dst_key_t *trustedKey = NULL;
 	dst_key_t *dnsseckey = NULL;
 	int i;

@ -4651,10 +4675,6 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
 			dst_key_free(&dnsseckey);
 	} while (dns_rdataset_next(rdataset) == ISC_R_SUCCESS);

-	if (trustedKey != NULL)
-		dst_key_free(&trustedKey);
-	trustedKey = NULL;
-
 	return (ISC_R_NOTFOUND);
 }

--- a/external/bsd/bind/dist/bin/dig/host.c
+++ b/external/bsd/bind/dist/bin/dig/host.c
@ -1,7 +1,7 @@
-/*	$NetBSD: host.c,v 1.5 2013/03/24 18:44:37 christos Exp $	*/
+/*	$NetBSD: host.c,v 1.6 2013/07/27 19:23:09 christos Exp $	*/

 /*
- * Copyright (C) 2004-2007, 2009-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009-2012  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000-2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -449,10 +449,18 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 	if (msg->rcode != 0) {
 		char namestr[DNS_NAME_FORMATSIZE];
 		dns_name_format(query->lookup->name, namestr, sizeof(namestr));
-		printf("Host %s not found: %d(%s)\n",
-		       (msg->rcode != dns_rcode_nxdomain) ? namestr :
-		       query->lookup->textname, msg->rcode,
-		       rcode_totext(msg->rcode));
+
+		if (query->lookup->identify_previous_line)
+			printf("Nameserver %s:\n\t%s not found: %d(%s)\n",
+			       query->servname,
+			       (msg->rcode != dns_rcode_nxdomain) ? namestr :
+			       query->lookup->textname, msg->rcode,
+			       rcode_totext(msg->rcode));
+		else
+			printf("Host %s not found: %d(%s)\n",
+			       (msg->rcode != dns_rcode_nxdomain) ? namestr :
+			       query->lookup->textname, msg->rcode,
+			       rcode_totext(msg->rcode));
 		return (ISC_R_SUCCESS);
 	}

--- a/external/bsd/bind/dist/bin/dig/include/dig/dig.h
+++ b/external/bsd/bind/dist/bin/dig/include/dig/dig.h
@ -1,7 +1,7 @@
-/*	$NetBSD: dig.h,v 1.6 2012/06/05 00:38:55 christos Exp $	*/
+/*	$NetBSD: dig.h,v 1.7 2013/07/27 19:23:09 christos Exp $	*/

 /*
- * Copyright (C) 2004-2009, 2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000-2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -170,6 +170,7 @@ isc_boolean_t	sigchase;
 	dns_name_t *oname;
 	ISC_LINK(dig_lookup_t) link;
 	ISC_LIST(dig_query_t) q;
+	ISC_LIST(dig_query_t) connecting;
 	dig_query_t *current_query;
 	dig_serverlist_t my_server_list;
 	dig_searchlist_t *origin;
@ -216,6 +217,7 @@ struct dig_query {
 		slspace[4];
 	isc_socket_t *sock;
 	ISC_LINK(dig_query_t) link;
+	ISC_LINK(dig_query_t) clink;
 	isc_sockaddr_t sockaddr;
 	isc_time_t time_sent;
 	isc_uint64_t byte_count;
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.c
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.c
@ -1,4 +1,4 @@
-/*	$NetBSD: dnssec-dsfromkey.c,v 1.6 2013/03/24 18:44:38 christos Exp $	*/
+/*	$NetBSD: dnssec-dsfromkey.c,v 1.7 2013/07/27 19:23:09 christos Exp $	*/

 /*
 * Copyright (C) 2008-2012  Internet Systems Consortium, Inc. ("ISC")
@ -286,7 +286,9 @@ emit(unsigned int dtype, isc_boolean_t showall, char *lookaside,
 		}
 	}

-	result = dns_rdata_totext(&ds, (dns_name_t *) NULL, &textb);
+	result = dns_rdata_tofmttext(&ds, (dns_name_t *) NULL, 0, 0, 0, "",
+				     &textb);
+
 	if (result != ISC_R_SUCCESS)
 		fatal("can't print rdata");

--- a/external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.c
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.c
@ -1,4 +1,4 @@
-/*	$NetBSD: dnssec-keyfromlabel.c,v 1.9 2013/03/24 18:44:38 christos Exp $	*/
+/*	$NetBSD: dnssec-keyfromlabel.c,v 1.10 2013/07/27 19:23:09 christos Exp $	*/

 /*
 * Copyright (C) 2007-2012  Internet Systems Consortium, Inc. ("ISC")
@ -368,6 +368,8 @@ main(int argc, char **argv) {
 		fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
 				"If you still wish to use RSA (RSAMD5) please "
 				"specify \"-a RSAMD5\"\n");
+		if (freeit != NULL)
+			free(freeit);
 		return (1);
 	} else {
 		r.base = algname;
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c
@ -1,7 +1,7 @@
-/*	$NetBSD: dnssec-keygen.c,v 1.10 2013/03/24 18:44:38 christos Exp $	*/
+/*	$NetBSD: dnssec-keygen.c,v 1.11 2013/07/27 19:23:09 christos Exp $	*/

 /*
- * Portions Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
 * Portions Copyright (C) 1999-2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -538,6 +538,7 @@ main(int argc, char **argv) {
 					"recommended.\nIf you still wish to "
 					"use RSA (RSAMD5) please specify "
 					"\"-a RSAMD5\"\n");
+			INSIST(freeit == NULL);
 			return (1);
 		} else if (strcasecmp(algname, "HMAC-MD5") == 0)
 			alg = DST_ALG_HMACMD5;
@ -964,8 +965,15 @@ main(int argc, char **argv) {
 				dst_key_settime(key, DST_TIME_INACTIVE,
 						inactive);

-			if (setdel)
+			if (setdel) {
+				if (setinact && delete < inactive)
+					fprintf(stderr, "%s: warning: Key is "
+						"scheduled to be deleted "
+						"before it is scheduled to be "
+						"made inactive.\n",
+						program);
 				dst_key_settime(key, DST_TIME_DELETE, delete);
+			}
 		} else {
 			if (setpub || setact || setrev || setinact ||
 			    setdel || unsetpub || unsetact ||
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-revoke.c
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-revoke.c
@ -1,7 +1,7 @@
-/*	$NetBSD: dnssec-revoke.c,v 1.4 2013/03/24 18:44:38 christos Exp $	*/
+/*	$NetBSD: dnssec-revoke.c,v 1.5 2013/07/27 19:23:09 christos Exp $	*/

 /*
- * Copyright (C) 2009-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009-2012  Internet Systems Consortium, Inc. ("ISC")
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@ -22,7 +22,6 @@

 #include <config.h>

-#include <libgen.h>
 #include <stdlib.h>
 #include <unistd.h>

--- a/external/bsd/bind/dist/bin/dnssec/dnssec-settime.c
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-settime.c
@ -1,7 +1,7 @@
-/*	$NetBSD: dnssec-settime.c,v 1.6 2013/03/24 18:44:38 christos Exp $	*/
+/*	$NetBSD: dnssec-settime.c,v 1.7 2013/07/27 19:23:09 christos Exp $	*/

 /*
- * Copyright (C) 2009-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009-2013  Internet Systems Consortium, Inc. ("ISC")
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@ -22,7 +22,6 @@

 #include <config.h>

-#include <libgen.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <errno.h>
@ -144,6 +143,7 @@ main(int argc, char **argv) {
 	dns_ttl_t	ttl = 0;
 	isc_stdtime_t	now;
 	isc_stdtime_t	pub = 0, act = 0, rev = 0, inact = 0, del = 0;
+	isc_stdtime_t	prevact = 0, previnact = 0, prevdel = 0;
 	isc_boolean_t	setpub = ISC_FALSE, setact = ISC_FALSE;
 	isc_boolean_t	setrev = ISC_FALSE, setinact = ISC_FALSE;
 	isc_boolean_t	setdel = ISC_FALSE, setttl = ISC_FALSE;
@ -356,7 +356,6 @@ main(int argc, char **argv) {

 	if (predecessor != NULL) {
 		char keystr[DST_KEY_FORMATSIZE];
-		isc_stdtime_t when;
 		int major, minor;

 		if (prepub == -1)
@ -388,19 +387,20 @@ main(int argc, char **argv) {
 			fatal("Predecessor has incompatible format "
 			      "version %d.%d\n\t", major, minor);

-		result = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &when);
+		result = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &prevact);
 		if (result != ISC_R_SUCCESS)
 			fatal("Predecessor has no activation date. "
 			      "You must set one before\n\t"
 			      "generating a successor.");

-		result = dst_key_gettime(prevkey, DST_TIME_INACTIVE, &act);
+		result = dst_key_gettime(prevkey, DST_TIME_INACTIVE,
+					 &previnact);
 		if (result != ISC_R_SUCCESS)
 			fatal("Predecessor has no inactivation date. "
 			      "You must set one before\n\t"
 			      "generating a successor.");

-		pub = act - prepub;
+		pub = prevact - prepub;
 		if (pub < now && prepub != 0)
 			fatal("Predecessor will become inactive before the\n\t"
 			      "prepublication period ends.  Either change "
@ -408,13 +408,18 @@ main(int argc, char **argv) {
 			      "or use the -i option to set a shorter "
 			      "prepublication interval.");

-		result = dst_key_gettime(prevkey, DST_TIME_DELETE, &when);
+		result = dst_key_gettime(prevkey, DST_TIME_DELETE, &prevdel);
 		if (result != ISC_R_SUCCESS)
-			fprintf(stderr, "%s: WARNING: Predecessor has no "
+			fprintf(stderr, "%s: warning: Predecessor has no "
 					"removal date;\n\t"
 					"it will remain in the zone "
 					"indefinitely after rollover.\n",
 					program);
+		else if (prevdel < previnact)
+			fprintf(stderr, "%s: warning: Predecessor is "
+					"scheduled to be deleted\n\t"
+					"before it is scheduled to be "
+					"inactive.\n", program);

 		changed = setpub = setact = ISC_TRUE;
 		dst_key_free(&prevkey);
@ -476,6 +481,20 @@ main(int argc, char **argv) {
 			fatal("Key flags mismatch");
 	}

+	prevdel = previnact = 0;
+	if ((setdel && setinact && del < inact) ||
+	    (dst_key_gettime(key, DST_TIME_INACTIVE,
+			     &previnact) == ISC_R_SUCCESS &&
+	     setdel && !setinact && del < previnact) ||
+	    (dst_key_gettime(key, DST_TIME_DELETE,
+			     &prevdel) == ISC_R_SUCCESS &&
+	     setinact && !setdel && prevdel < inact) ||
+	    (!setdel && !setinact && prevdel < previnact))
+		fprintf(stderr, "%s: warning: Key is scheduled to "
+				"be deleted before it is\n\t"
+				"scheduled to be inactive.\n",
+			program);
+
 	if (force)
 		set_keyversion(key);
 	else
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c
@ -1,7 +1,7 @@
-/*	$NetBSD: dnssec-signzone.c,v 1.8 2013/03/24 18:44:38 christos Exp $	*/
+/*	$NetBSD: dnssec-signzone.c,v 1.9 2013/07/27 19:23:09 christos Exp $	*/

 /*
- * Portions Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
 * Portions Copyright (C) 1999-2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -722,6 +722,8 @@ hashlist_add(hashlist_t *l, const unsigned char *hash, size_t len)
 	if (l->entries == l->size) {
 		l->size = l->size * 2 + 100;
 		l->hashbuf = realloc(l->hashbuf, l->size * l->length);
+		if (l->hashbuf == NULL)
+			fatal("unable to grow hashlist: out of memory");
 	}
 	memset(l->hashbuf + l->entries * l->length, 0, l->length);
 	memcpy(l->hashbuf + l->entries * l->length, hash, len);
@ -1604,7 +1606,9 @@ add_ds(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t nsttl) {
 * Remove records of the given type and their signatures.
 */
 static void
-remove_records(dns_dbnode_t *node, dns_rdatatype_t which) {
+remove_records(dns_dbnode_t *node, dns_rdatatype_t which,
+	       isc_boolean_t checknsec)
+{
 	isc_result_t result;
 	dns_rdatatype_t type, covers;
 	dns_rdatasetiter_t *rdsiter = NULL;
@ -1625,10 +1629,12 @@ remove_records(dns_dbnode_t *node, dns_rdatatype_t which) {
 		covers = rdataset.covers;
 		dns_rdataset_disassociate(&rdataset);
 		if (type == which || covers == which) {
-			if (which == dns_rdatatype_nsec && !update_chain)
+			if (which == dns_rdatatype_nsec &&
+			    checknsec && !update_chain)
 				fatal("Zone contains NSEC records.  Use -u "
 				      "to update to NSEC3.");
-			if (which == dns_rdatatype_nsec3param && !update_chain)
+			if (which == dns_rdatatype_nsec3param &&
+			    checknsec && !update_chain)
 				fatal("Zone contains NSEC3 chains.  Use -u "
 				      "to update to NSEC.");
 			result = dns_db_deleterdataset(gdb, node, gversion,
@ -1640,6 +1646,39 @@ remove_records(dns_dbnode_t *node, dns_rdatatype_t which) {
 	dns_rdatasetiter_destroy(&rdsiter);
 }

+/*
+ * Remove signatures covering the given type (0 == all signatures).
+ */
+static void
+remove_sigs(dns_dbnode_t *node, dns_rdatatype_t which) {
+	isc_result_t result;
+	dns_rdatatype_t type, covers;
+	dns_rdatasetiter_t *rdsiter = NULL;
+	dns_rdataset_t rdataset;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
+	check_result(result, "dns_db_allrdatasets()");
+	for (result = dns_rdatasetiter_first(rdsiter);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(rdsiter)) {
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+		type = rdataset.type;
+		covers = rdataset.covers;
+		dns_rdataset_disassociate(&rdataset);
+
+		if (type == dns_rdatatype_rrsig &&
+		    (covers == which || which == 0))
+		{
+			result = dns_db_deleterdataset(gdb, node, gversion,
+						       type, covers);
+			check_result(result, "dns_db_deleterdataset()");
+			continue;
+		}
+	}
+	dns_rdatasetiter_destroy(&rdsiter);
+}
+
 /*%
 * Generate NSEC records for the zone and remove NSEC3/NSEC3PARAM records.
 */
@ -1716,14 +1755,17 @@ nsecify(void) {
 		}

 		if (dns_name_equal(name, gorigin))
-			remove_records(node, dns_rdatatype_nsec3param);
+			remove_records(node, dns_rdatatype_nsec3param,
+				       ISC_TRUE);

 		if (is_delegation(gdb, gversion, gorigin, name, node, &nsttl)) {
 			zonecut = dns_fixedname_name(&fzonecut);
 			dns_name_copy(name, zonecut, NULL);
+			remove_sigs(node, 0);
 			if (generateds)
 				add_ds(name, node, nsttl);
 		}
+
 		result = dns_dbiterator_next(dbiter);
 		nextnode = NULL;
 		while (result == ISC_R_SUCCESS) {
@ -1741,6 +1783,9 @@ nsecify(void) {
 			    (zonecut != NULL &&
 			     dns_name_issubdomain(nextname, zonecut)))
 			{
+				remove_sigs(nextnode, 0);
+				remove_records(nextnode, dns_rdatatype_nsec,
+					       ISC_FALSE);
 				dns_db_detachnode(gdb, &nextnode);
 				result = dns_dbiterator_next(dbiter);
 				continue;
@ -2132,7 +2177,7 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
 		}

 		if (dns_name_equal(name, gorigin))
-			remove_records(node, dns_rdatatype_nsec);
+			remove_records(node, dns_rdatatype_nsec, ISC_TRUE);

 		result = dns_dbiterator_next(dbiter);
 		nextnode = NULL;
@ -2149,6 +2194,7 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
 			if (!dns_name_issubdomain(nextname, gorigin) ||
 			    (zonecut != NULL &&
 			     dns_name_issubdomain(nextname, zonecut))) {
+				remove_sigs(nextnode, 0);
 				dns_db_detachnode(gdb, &nextnode);
 				result = dns_dbiterator_next(dbiter);
 				continue;
@ -2158,6 +2204,7 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
 			{
 				zonecut = dns_fixedname_name(&fzonecut);
 				dns_name_copy(nextname, zonecut, NULL);
+				remove_sigs(nextnode, 0);
 				if (generateds)
 					add_ds(nextname, nextnode, nsttl);
 				if (OPTOUT(nsec3flags) &&
@ -2284,7 +2331,7 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
 				continue;
 			}
 			if (is_delegation(gdb, gversion, gorigin,
-							  nextname, nextnode, NULL))
+					  nextname, nextnode, NULL))
 			{
 				zonecut = dns_fixedname_name(&fzonecut);
 				dns_name_copy(nextname, zonecut, NULL);
@ -2592,7 +2639,7 @@ set_nsec3params(isc_boolean_t update_chain, isc_boolean_t set_salt,
 	dns_rdata_nsec3_t nsec3;
 	dns_fixedname_t fname;
 	dns_name_t *hashname;
-	unsigned char orig_salt[256];
+	unsigned char orig_salt[255];
 	size_t orig_saltlen;
 	dns_hash_t orig_hash;
 	isc_uint16_t orig_iter;
@ -3438,23 +3485,6 @@ main(int argc, char *argv[]) {
 	else
 		set_nsec3params(update_chain, set_salt, set_optout, set_iter);

-	if (IS_NSEC3) {
-		isc_boolean_t answer;
-		hash_length = dns_nsec3_hashlength(dns_hash_sha1);
-		hashlist_init(&hashlist, dns_db_nodecount(gdb) * 2,
-			      hash_length);
-		result = dns_nsec_nseconly(gdb, gversion, &answer);
-		if (result == ISC_R_NOTFOUND)
-			fprintf(stderr, "%s: warning: NSEC3 generation "
-				"requested with no DNSKEY; ignoring\n",
-				program);
-		else if (result != ISC_R_SUCCESS)
-			check_result(result, "dns_nsec_nseconly");
-		else if (answer)
-			fatal("NSEC3 generation requested with "
-			      "NSEC-only DNSKEY");
-	}
-
 	/*
 	 * We need to do this early on, as we start messing with the list
 	 * of keys rather early.
@ -3507,6 +3537,22 @@ main(int argc, char *argv[]) {

 	if (IS_NSEC3) {
 		unsigned int max;
+		isc_boolean_t answer;
+
+		hash_length = dns_nsec3_hashlength(dns_hash_sha1);
+		hashlist_init(&hashlist, dns_db_nodecount(gdb) * 2,
+			      hash_length);
+		result = dns_nsec_nseconly(gdb, gversion, &answer);
+		if (result == ISC_R_NOTFOUND)
+			fprintf(stderr, "%s: warning: NSEC3 generation "
+				"requested with no DNSKEY; ignoring\n",
+				program);
+		else if (result != ISC_R_SUCCESS)
+			check_result(result, "dns_nsec_nseconly");
+		else if (answer)
+			fatal("NSEC3 generation requested with "
+			      "NSEC-only DNSKEY");
+
 		result = dns_nsec3_maxiterations(gdb, NULL, mctx, &max);
 		check_result(result, "dns_nsec3_maxiterations()");
 		if (nsec3iter > max)
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-verify.c
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-verify.c
@ -1,4 +1,4 @@
-/*	$NetBSD: dnssec-verify.c,v 1.4 2013/07/01 21:59:20 joerg Exp $	*/
+/*	$NetBSD: dnssec-verify.c,v 1.5 2013/07/27 19:23:09 christos Exp $	*/

 /*
 * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
@ -286,6 +286,9 @@ main(int argc, char *argv[]) {
 	argc -= 1;
 	argv += 1;

+	POST(argc);
+	POST(argv);
+
 	if (origin == NULL)
 		origin = file;

--- a/external/bsd/bind/dist/bin/dnssec/dnssectool.c
+++ b/external/bsd/bind/dist/bin/dnssec/dnssectool.c
@ -1,7 +1,7 @@
-/*	$NetBSD: dnssectool.c,v 1.4 2012/12/04 23:38:38 spz Exp $	*/
+/*	$NetBSD: dnssectool.c,v 1.5 2013/07/27 19:23:09 christos Exp $	*/

 /*
- * Copyright (C) 2004, 2005, 2007, 2009-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009-2013  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -522,14 +522,16 @@ goodsig(dns_name_t *origin, dns_rdata_t *sigrdata, dns_name_t *name,
 	dst_key_t *dstkey = NULL;
 	isc_result_t result;

-	dns_rdata_tostruct(sigrdata, &sig, NULL);
+	result = dns_rdata_tostruct(sigrdata, &sig, NULL);
+	check_result(result, "dns_rdata_tostruct()");

 	for (result = dns_rdataset_first(keyrdataset);
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(keyrdataset)) {
 		dns_rdata_t rdata = DNS_RDATA_INIT;
 		dns_rdataset_current(keyrdataset, &rdata);
-		dns_rdata_tostruct(&rdata, &key, NULL);
+		result = dns_rdata_tostruct(&rdata, &key, NULL);
+		check_result(result, "dns_rdata_tostruct()");
 		result = dns_dnssec_keyfromrdata(origin, &rdata, mctx,
 						 &dstkey);
 		if (result != ISC_R_SUCCESS)
@ -583,7 +585,7 @@ verifynsec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 		dns_name_format(name, namebuf, sizeof(namebuf));
 		dns_name_format(nextname, nextbuf, sizeof(nextbuf));
 		dns_name_format(&nsec.next, found, sizeof(found));
-		fprintf(stderr, "Bad record NSEC record for %s, next name "
+		fprintf(stderr, "Bad NSEC record for %s, next name "
 				"mismatch (expected:%s, found:%s)\n", namebuf,
 				nextbuf, found);
 		goto failure;
@ -594,7 +596,7 @@ verifynsec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 	check_result(result, "dns_nsec_buildrdata()");
 	if (dns_rdata_compare(&rdata, &tmprdata) != 0) {
 		dns_name_format(name, namebuf, sizeof(namebuf));
-		fprintf(stderr, "Bad record NSEC record for %s, bit map "
+		fprintf(stderr, "Bad NSEC record for %s, bit map "
 				"mismatch\n", namebuf);
 		goto failure;
 	}
@ -770,7 +772,7 @@ match_nsec3(dns_name_t *name, isc_mem_t *mctx,
 	len = dns_nsec_compressbitmap(cbm, types, maxtype);
 	if (nsec3.len != len || memcmp(cbm, nsec3.typebits, len) != 0) {
 		dns_name_format(name, namebuf, sizeof(namebuf));
-		fprintf(stderr, "Bad record NSEC3 record for %s, bit map "
+		fprintf(stderr, "Bad NSEC3 record for %s, bit map "
 				"mismatch\n", namebuf);
 		return (ISC_R_FAILURE);
 	}
@ -823,6 +825,7 @@ innsec3params(dns_rdata_nsec3_t *nsec3, dns_rdataset_t *nsec3paramset) {

 		dns_rdataset_current(nsec3paramset, &rdata);
 		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+		check_result(result, "dns_rdata_tostruct()");
 		if (nsec3param.flags == 0 &&
 		    nsec3param.hash == nsec3->hash &&
 		    nsec3param.iterations == nsec3->iterations &&
@ -890,11 +893,64 @@ record_found(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx,
 	return (ISC_R_SUCCESS);
 }

+static isc_boolean_t
+isoptout(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
+	 dns_rdata_t *nsec3rdata)
+{
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_nsec3_t nsec3;
+	dns_rdata_nsec3param_t nsec3param;
+	dns_fixedname_t fixed;
+	dns_name_t *hashname;
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	unsigned char rawhash[NSEC3_MAX_HASH_LENGTH];
+	size_t rhsize = sizeof(rawhash);
+	isc_boolean_t ret;
+
+	result = dns_rdata_tostruct(nsec3rdata, &nsec3param, NULL);
+	check_result(result, "dns_rdata_tostruct()");
+
+	dns_fixedname_init(&fixed);
+	result = dns_nsec3_hashname(&fixed, rawhash, &rhsize, origin, origin,
+				    nsec3param.hash, nsec3param.iterations,
+				    nsec3param.salt, nsec3param.salt_length);
+	check_result(result, "dns_nsec3_hashname()");
+
+	dns_rdataset_init(&rdataset);
+	hashname = dns_fixedname_name(&fixed);
+	result = dns_db_findnsec3node(db, hashname, ISC_FALSE, &node);
+	if (result == ISC_R_SUCCESS)
+		result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3,
+					     0, 0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS)
+		return (ISC_FALSE);
+
+	result = dns_rdataset_first(&rdataset);
+	check_result(result, "dns_rdataset_first()");
+
+	dns_rdataset_current(&rdataset, &rdata);
+
+	result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
+	if (result != ISC_R_SUCCESS)
+		ret = ISC_FALSE;
+	else
+		ret = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0);
+
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+
+	return (ret);
+}
+
 static isc_result_t
 verifynsec3(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
 	    isc_mem_t *mctx, dns_name_t *name, dns_rdata_t *rdata,
-	    isc_boolean_t delegation, unsigned char types[8192],
-	    unsigned int maxtype)
+	    isc_boolean_t delegation, isc_boolean_t empty,
+	    unsigned char types[8192], unsigned int maxtype)
 {
 	char namebuf[DNS_NAME_FORMATSIZE];
 	char hashbuf[DNS_NAME_FORMATSIZE];
@ -906,6 +962,7 @@ verifynsec3(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
 	dns_dbnode_t *node = NULL;
 	unsigned char rawhash[NSEC3_MAX_HASH_LENGTH];
 	size_t rhsize = sizeof(rawhash);
+	isc_boolean_t optout;

 	result = dns_rdata_tostruct(rdata, &nsec3param, NULL);
 	check_result(result, "dns_rdata_tostruct()");
@ -916,6 +973,8 @@ verifynsec3(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
 	if (!dns_nsec3_supportedhash(nsec3param.hash))
 		return (ISC_R_SUCCESS);

+	optout = isoptout(db, ver, origin, rdata);
+
 	dns_fixedname_init(&fixed);
 	result = dns_nsec3_hashname(&fixed, rawhash, &rhsize, name, origin,
 				    nsec3param.hash, nsec3param.iterations,
@ -935,16 +994,22 @@ verifynsec3(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
 		result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3,
 					     0, 0, &rdataset, NULL);
 	if (result != ISC_R_SUCCESS &&
-	    (!delegation || dns_nsec_isset(types, dns_rdatatype_ds))) {
+	    (!delegation || (empty && !optout) ||
+	     (!empty && dns_nsec_isset(types, dns_rdatatype_ds))))
+	{
 		dns_name_format(name, namebuf, sizeof(namebuf));
 		dns_name_format(hashname, hashbuf, sizeof(hashbuf));
 		fprintf(stderr, "Missing NSEC3 record for %s (%s)\n",
 			namebuf, hashbuf);
+	} else if (result == ISC_R_NOTFOUND &&
+		   delegation && (!empty || optout))
+	{
+		result = ISC_R_SUCCESS;
 	} else if (result == ISC_R_SUCCESS) {
 		result = match_nsec3(name, mctx, &nsec3param, &rdataset,
 				     types, maxtype, rawhash, rhsize);
-	} else if (result == ISC_R_NOTFOUND && delegation)
-		result = ISC_R_SUCCESS;
+	}
+
 	if (dns_rdataset_isassociated(&rdataset))
 		dns_rdataset_disassociate(&rdataset);
 	if (node != NULL)
@ -956,8 +1021,8 @@ verifynsec3(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
 static isc_result_t
 verifynsec3s(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
 	     isc_mem_t *mctx, dns_name_t *name, dns_rdataset_t *nsec3paramset,
-	     isc_boolean_t delegation, unsigned char types[8192],
-	     unsigned int maxtype)
+	     isc_boolean_t delegation, isc_boolean_t empty,
+	     unsigned char types[8192], unsigned int maxtype)
 {
 	isc_result_t result;

@ -968,7 +1033,7 @@ verifynsec3s(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,

 		dns_rdataset_current(nsec3paramset, &rdata);
 		result = verifynsec3(db, ver, origin, mctx, name, &rdata,
-				     delegation, types, maxtype);
+				     delegation, empty, types, maxtype);
 		if (result != ISC_R_SUCCESS)
 			break;
 	}
@ -1023,7 +1088,8 @@ verifyset(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
 		dns_rdata_rrsig_t sig;

 		dns_rdataset_current(&sigrdataset, &rdata);
-		dns_rdata_tostruct(&rdata, &sig, NULL);
+		result = dns_rdata_tostruct(&rdata, &sig, NULL);
+		check_result(result, "dns_rdata_tostruct()");
 		if (rdataset->ttl != sig.originalttl) {
 			dns_name_format(name, namebuf, sizeof(namebuf));
 			type_format(rdataset->type, typebuf, sizeof(typebuf));
@ -1112,8 +1178,8 @@ verifynode(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,

 	if (nsec3paramset != NULL && dns_rdataset_isassociated(nsec3paramset)) {
 		tresult = verifynsec3s(db, ver, origin, mctx, name,
-				       nsec3paramset, delegation, types,
-				       maxtype);
+				       nsec3paramset, delegation, ISC_FALSE,
+				       types, maxtype);
 		if (result == ISC_R_SUCCESS && tresult != ISC_R_SUCCESS)
 			result = tresult;
 	}
@ -1302,8 +1368,8 @@ verify_nsec3_chains(isc_mem_t *mctx) {

 static isc_result_t
 verifyemptynodes(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
-		 isc_mem_t *mctx, dns_name_t *name, dns_name_t *nextname,
-		 dns_rdataset_t *nsec3paramset)
+		 isc_mem_t *mctx, dns_name_t *name, dns_name_t *prevname,
+		 isc_boolean_t isdelegation, dns_rdataset_t *nsec3paramset)
 {
 	dns_namereln_t reln;
 	int order;
@ -1311,23 +1377,24 @@ verifyemptynodes(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
 	dns_name_t suffix;
 	isc_result_t result = ISC_R_SUCCESS, tresult;

-	reln = dns_name_fullcompare(name, nextname, &order, &labels);
+	reln = dns_name_fullcompare(prevname, name, &order, &labels);
 	if (order >= 0)
 		return (result);

-	nlabels = dns_name_countlabels(nextname);
+	nlabels = dns_name_countlabels(name);

 	if (reln == dns_namereln_commonancestor ||
 	    reln == dns_namereln_contains) {
 		dns_name_init(&suffix, NULL);
 		for (i = labels + 1; i < nlabels; i++) {
-			dns_name_getlabelsequence(nextname, nlabels - i, i,
+			dns_name_getlabelsequence(name, nlabels - i, i,
 						  &suffix);
 			if (nsec3paramset != NULL &&
 			     dns_rdataset_isassociated(nsec3paramset)) {
 				tresult = verifynsec3s(db, ver, origin, mctx,
 						       &suffix, nsec3paramset,
-						       ISC_FALSE, NULL, 0);
+						       isdelegation, ISC_TRUE,
+						       NULL, 0);
 				if (result == ISC_R_SUCCESS &&
 				    tresult != ISC_R_SUCCESS)
 					result = tresult;
@ -1357,8 +1424,8 @@ verifyzone(dns_db_t *db, dns_dbversion_t *ver,
 	char algbuf[80];
 	dns_dbiterator_t *dbiter = NULL;
 	dns_dbnode_t *node = NULL, *nextnode = NULL;
-	dns_fixedname_t fname, fnextname, fzonecut;
-	dns_name_t *name, *nextname, *zonecut;
+	dns_fixedname_t fname, fnextname, fprevname, fzonecut;
+	dns_name_t *name, *nextname, *prevname, *zonecut;
 	dns_rdata_dnskey_t dnskey;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	dns_rdataset_t keyset, soaset;
@ -1570,6 +1637,8 @@ verifyzone(dns_db_t *db, dns_dbversion_t *ver,
 	name = dns_fixedname_name(&fname);
 	dns_fixedname_init(&fnextname);
 	nextname = dns_fixedname_name(&fnextname);
+	dns_fixedname_init(&fprevname);
+	prevname = NULL;
 	dns_fixedname_init(&fzonecut);
 	zonecut = NULL;

@ -1636,8 +1705,13 @@ verifyzone(dns_db_t *db, dns_dbversion_t *ver,
 			vresult = ISC_R_SUCCESS;
 		if (vresult == ISC_R_SUCCESS && result != ISC_R_SUCCESS)
 			vresult = result;
-		result = verifyemptynodes(db, ver, origin, mctx, name,
-					  nextname, &nsec3paramset);
+		if (prevname != NULL) {
+			result = verifyemptynodes(db, ver, origin, mctx, name,
+						  prevname, isdelegation,
+						  &nsec3paramset);
+		} else
+			prevname = dns_fixedname_name(&fprevname);
+		dns_name_copy(name, prevname, NULL);
 		if (vresult == ISC_R_SUCCESS && result != ISC_R_SUCCESS)
 			vresult = result;
 		dns_db_detachnode(db, &node);
--- a/external/bsd/bind/dist/bin/named/client.c
+++ b/external/bsd/bind/dist/bin/named/client.c
@ -1,4 +1,4 @@
-/*	$NetBSD: client.c,v 1.6 2012/12/04 23:38:38 spz Exp $	*/
+/*	$NetBSD: client.c,v 1.7 2013/07/27 19:23:10 christos Exp $	*/

 /*
 * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
@ -1397,9 +1397,9 @@ client_request(isc_task_t *task, isc_event_t *event) {

 	INSIST(client->recursionquota == NULL);

-	INSIST(client->state == TCP_CLIENT(client) ?
+	INSIST(client->state == (TCP_CLIENT(client) ?
 				       NS_CLIENTSTATE_READING :
-				       NS_CLIENTSTATE_READY);
+				       NS_CLIENTSTATE_READY));

 	ns_client_requests++;

@ -2418,6 +2418,9 @@ ns_client_replace(ns_client_t *client) {

 	CTRACE("replace");

+	REQUIRE(client != NULL);
+	REQUIRE(client->manager != NULL);
+
 	result = get_client(client->manager, client->interface,
 			    client->dispatch, TCP_CLIENT(client));
 	if (result != ISC_R_SUCCESS)
@ -2509,10 +2512,10 @@ ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	return (ISC_R_SUCCESS);

 cleanup_listlock:
-	isc_mutex_destroy(&manager->listlock);
+	(void) isc_mutex_destroy(&manager->listlock);

 cleanup_lock:
-	isc_mutex_destroy(&manager->lock);
+	(void) isc_mutex_destroy(&manager->lock);

 cleanup_manager:
 	isc_mem_put(manager->mctx, manager, sizeof(*manager));
@ -2570,7 +2573,9 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
 	ns_client_t *client;
 	MTRACE("get client");

-	if (manager != NULL && manager->exiting)
+	REQUIRE(manager != NULL);
+
+	if (manager->exiting)
 		return (ISC_R_SHUTTINGDOWN);

 	/*
--- a/external/bsd/bind/dist/bin/named/config.c
+++ b/external/bsd/bind/dist/bin/named/config.c
@ -1,7 +1,7 @@
-/*	$NetBSD: config.c,v 1.6 2012/12/04 23:38:38 spz Exp $	*/
+/*	$NetBSD: config.c,v 1.7 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2001-2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -153,6 +153,7 @@ options {\n\
 	check-names response ignore;\n\
 	check-dup-records warn;\n\
 	check-mx warn;\n\
+	check-spf warn;\n\
 	acache-enable no;\n\
 	acache-cleaning-interval 60;\n\
 	max-acache-size 16M;\n\
@ -203,7 +204,7 @@ options {\n\
 	sig-signing-signatures 10;\n\
 	sig-signing-type 65534;\n\
 	inline-signing no;\n\
-	zone-statistics false;\n\
+	zone-statistics terse;\n\
 	max-journal-size unlimited;\n\
 	ixfr-from-differences false;\n\
 	check-wildcard yes;\n\
@ -650,17 +651,16 @@ ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
 		if (isc_sockaddr_getport(&addrs[i]) == 0)
 			isc_sockaddr_setport(&addrs[i], port);
 		keys[i] = NULL;
-		if (!cfg_obj_isstring(key)) {
-			i++;
+		i++;	/* Increment here so that cleanup on error works. */
+		if (!cfg_obj_isstring(key))
 			continue;
-		}
-		keys[i] = isc_mem_get(mctx, sizeof(dns_name_t));
-		if (keys[i] == NULL)
+		keys[i - 1] = isc_mem_get(mctx, sizeof(dns_name_t));
+		if (keys[i - 1] == NULL)
 			goto cleanup;
-		dns_name_init(keys[i], NULL);
+		dns_name_init(keys[i - 1], NULL);

 		keystr = cfg_obj_asstring(key);
-		isc_buffer_init(&b, keystr, strlen(keystr));
+		isc_buffer_constinit(&b, keystr, strlen(keystr));
 		isc_buffer_add(&b, strlen(keystr));
 		dns_fixedname_init(&fname);
 		result = dns_name_fromtext(dns_fixedname_name(&fname), &b,
@ -668,10 +668,9 @@ ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
 		result = dns_name_dup(dns_fixedname_name(&fname), mctx,
-				      keys[i]);
+				      keys[i - 1]);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
-		i++;
 	}
 	if (pushed != 0) {
 		pushed--;
@ -727,7 +726,7 @@ ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
 	if (addrs != NULL)
 		isc_mem_put(mctx, addrs, addrcount * sizeof(isc_sockaddr_t));
 	if (keys != NULL) {
-		for (j = 0; j <= i; j++) {
+		for (j = 0; j < i; j++) {
 			if (keys[j] == NULL)
 				continue;
 			if (dns_name_dynamic(keys[j]))
--- a/external/bsd/bind/dist/bin/named/control.c
+++ b/external/bsd/bind/dist/bin/named/control.c
@ -1,4 +1,4 @@
-/*	$NetBSD: control.c,v 1.4 2012/06/05 00:38:59 christos Exp $	*/
+/*	$NetBSD: control.c,v 1.5 2013/07/27 19:23:10 christos Exp $	*/

 /*
 * Copyright (C) 2004-2007, 2009-2012  Internet Systems Consortium, Inc. ("ISC")
@ -63,7 +63,7 @@ command_compare(const char *text, const char *command) {
 isc_result_t
 ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 	isccc_sexpr_t *data;
-	char *command;
+	char *command = NULL;
 	isc_result_t result;
 	int log_level;
 #ifdef HAVE_LIBSCF
--- a/external/bsd/bind/dist/bin/named/controlconf.c
+++ b/external/bsd/bind/dist/bin/named/controlconf.c
@ -1,7 +1,7 @@
-/*	$NetBSD: controlconf.c,v 1.5 2012/12/04 23:38:38 spz Exp $	*/
+/*	$NetBSD: controlconf.c,v 1.6 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004-2008, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2001-2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -151,7 +151,7 @@ free_listener(controllistener_t *listener) {
 	if (listener->acl != NULL)
 		dns_acl_detach(&listener->acl);

-	isc_mem_put(listener->mctx, listener, sizeof(*listener));
+	isc_mem_putanddetach(&listener->mctx, listener, sizeof(*listener));
 }

 static void
@ -1068,8 +1068,9 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
 		result = ISC_R_NOMEMORY;

 	if (result == ISC_R_SUCCESS) {
+		listener->mctx = NULL;
+		isc_mem_attach(mctx, &listener->mctx);
 		listener->controls = cp;
-		listener->mctx = mctx;
 		listener->task = cp->server->task;
 		listener->address = *addr;
 		listener->sock = NULL;
--- a/external/bsd/bind/dist/bin/named/include/named/client.h
+++ b/external/bsd/bind/dist/bin/named/include/named/client.h
@ -1,4 +1,4 @@
-/*	$NetBSD: client.h,v 1.3 2012/06/05 00:39:07 christos Exp $	*/
+/*	$NetBSD: client.h,v 1.4 2013/07/27 19:23:10 christos Exp $	*/

 /*
 * Copyright (C) 2004-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
@ -169,16 +169,17 @@ typedef ISC_LIST(ns_client_t) client_list_t;
 #define NS_CLIENT_MAGIC			ISC_MAGIC('N','S','C','c')
 #define NS_CLIENT_VALID(c)		ISC_MAGIC_VALID(c, NS_CLIENT_MAGIC)

-#define NS_CLIENTATTR_TCP		0x01
-#define NS_CLIENTATTR_RA		0x02 /*%< Client gets recursive service */
-#define NS_CLIENTATTR_PKTINFO		0x04 /*%< pktinfo is valid */
-#define NS_CLIENTATTR_MULTICAST		0x08 /*%< recv'd from multicast */
-#define NS_CLIENTATTR_WANTDNSSEC	0x10 /*%< include dnssec records */
-#define NS_CLIENTATTR_WANTNSID          0x20 /*%< include nameserver ID */
+#define NS_CLIENTATTR_TCP		0x001
+#define NS_CLIENTATTR_RA		0x002 /*%< Client gets recursive service */
+#define NS_CLIENTATTR_PKTINFO		0x004 /*%< pktinfo is valid */
+#define NS_CLIENTATTR_MULTICAST		0x008 /*%< recv'd from multicast */
+#define NS_CLIENTATTR_WANTDNSSEC	0x010 /*%< include dnssec records */
+#define NS_CLIENTATTR_WANTNSID          0x020 /*%< include nameserver ID */
 #ifdef ALLOW_FILTER_AAAA_ON_V4
-#define NS_CLIENTATTR_FILTER_AAAA	0x40 /*%< suppress AAAAs */
-#define NS_CLIENTATTR_FILTER_AAAA_RC	0x80 /*%< recursing for A against AAAA */
+#define NS_CLIENTATTR_FILTER_AAAA	0x040 /*%< suppress AAAAs */
+#define NS_CLIENTATTR_FILTER_AAAA_RC	0x080 /*%< recursing for A against AAAA */
 #endif
+#define NS_CLIENTATTR_WANTAD		0x100 /*%< want AD in response if possible */

 extern unsigned int ns_client_requests;

--- a/external/bsd/bind/dist/bin/named/include/named/globals.h
+++ b/external/bsd/bind/dist/bin/named/include/named/globals.h
@ -1,7 +1,7 @@
-/*	$NetBSD: globals.h,v 1.4 2012/06/05 00:39:08 christos Exp $	*/
+/*	$NetBSD: globals.h,v 1.5 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -69,6 +69,9 @@ EXTERN isc_timermgr_t *		ns_g_timermgr		INIT(NULL);
 EXTERN isc_socketmgr_t *	ns_g_socketmgr		INIT(NULL);
 EXTERN cfg_parser_t *		ns_g_parser		INIT(NULL);
 EXTERN const char *		ns_g_version		INIT(VERSION);
+EXTERN const char *		ns_g_product		INIT(PRODUCT);
+EXTERN const char *		ns_g_description	INIT(DESCRIPTION);
+EXTERN const char *		ns_g_srcid		INIT(SRCID);
 EXTERN const char *		ns_g_configargs		INIT(CONFIGARGS);
 EXTERN in_port_t		ns_g_port		INIT(0);
 EXTERN in_port_t		lwresd_g_listenport	INIT(0);
@ -123,6 +126,7 @@ EXTERN isc_boolean_t		ns_g_coreok		INIT(ISC_TRUE);
 EXTERN const char *		ns_g_chrootdir		INIT(NULL);
 EXTERN isc_boolean_t		ns_g_foreground		INIT(ISC_FALSE);
 EXTERN isc_boolean_t		ns_g_logstderr		INIT(ISC_FALSE);
+EXTERN isc_boolean_t		ns_g_nosyslog		INIT(ISC_FALSE);

 EXTERN const char *		ns_g_defaultsessionkeyfile
 					INIT(NS_LOCALSTATEDIR "/run/named/"
@ -156,6 +160,7 @@ EXTERN isc_boolean_t		ns_g_memstatistics	INIT(ISC_FALSE);
 EXTERN isc_boolean_t		ns_g_clienttest		INIT(ISC_FALSE);
 EXTERN isc_boolean_t		ns_g_nosoa		INIT(ISC_FALSE);
 EXTERN isc_boolean_t		ns_g_noaa		INIT(ISC_FALSE);
+EXTERN isc_boolean_t		ns_g_nonearest		INIT(ISC_FALSE);

 #undef EXTERN
 #undef INIT
--- a/external/bsd/bind/dist/bin/named/include/named/server.h
+++ b/external/bsd/bind/dist/bin/named/include/named/server.h
@ -1,7 +1,7 @@
-/*	$NetBSD: server.h,v 1.4 2012/06/05 00:39:10 christos Exp $	*/
+/*	$NetBSD: server.h,v 1.5 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -167,7 +167,9 @@ enum {
 	dns_nsstatscounter_updatefail = 34,
 	dns_nsstatscounter_updatebadprereq = 35,

-	dns_nsstatscounter_max = 36
+	dns_nsstatscounter_rpz_rewrites = 36,
+
+	dns_nsstatscounter_max = 37
 };

 void
--- a/external/bsd/bind/dist/bin/named/interfacemgr.c
+++ b/external/bsd/bind/dist/bin/named/interfacemgr.c
@ -1,7 +1,7 @@
-/*	$NetBSD: interfacemgr.c,v 1.4 2012/06/05 00:38:59 christos Exp $	*/
+/*	$NetBSD: interfacemgr.c,v 1.5 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004-2009, 2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2002  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -82,11 +82,13 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	if (mgr == NULL)
 		return (ISC_R_NOMEMORY);

+	mgr->mctx = NULL;
+	isc_mem_attach(mctx, &mgr->mctx);
+
 	result = isc_mutex_init(&mgr->lock);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_mem;

-	mgr->mctx = mctx;
 	mgr->taskmgr = taskmgr;
 	mgr->socketmgr = socketmgr;
 	mgr->dispatchmgr = dispatchmgr;
@ -118,7 +120,7 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	ns_listenlist_detach(&mgr->listenon4);
 	ns_listenlist_detach(&mgr->listenon6);
 cleanup_mem:
-	isc_mem_put(mctx, mgr, sizeof(*mgr));
+	isc_mem_putanddetach(&mgr->mctx, mgr, sizeof(*mgr));
 	return (result);
 }

@ -131,7 +133,7 @@ ns_interfacemgr_destroy(ns_interfacemgr_t *mgr) {
 	clearlistenon(mgr);
 	DESTROYLOCK(&mgr->lock);
 	mgr->magic = 0;
-	isc_mem_put(mgr->mctx, mgr, sizeof(*mgr));
+	isc_mem_putanddetach(&mgr->mctx, mgr, sizeof(*mgr));
 }

 dns_aclenv_t *
@ -428,7 +430,7 @@ ns_interface_destroy(ns_interface_t *ifp) {

 	ns_interface_shutdown(ifp);

-	for (disp = ifp->nudpdispatch; disp >= 0; disp--)
+	for (disp = 0; disp < ifp->nudpdispatch; disp++)
 		if (ifp->udpdispatch[disp] != NULL) {
 			dns_dispatch_changeattributes(ifp->udpdispatch[disp], 0,
 						    DNS_DISPATCHATTR_NOLISTEN);
--- a/external/bsd/bind/dist/bin/named/log.c
+++ b/external/bsd/bind/dist/bin/named/log.c
@ -1,7 +1,7 @@
-/*	$NetBSD: log.c,v 1.3 2012/06/05 00:39:00 christos Exp $	*/
+/*	$NetBSD: log.c,v 1.4 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2013  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2002  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -203,7 +203,7 @@ isc_result_t
 ns_log_setdefaultcategory(isc_logconfig_t *lcfg) {
 	isc_result_t result;

-	if (! ns_g_logstderr) {
+	if (! ns_g_logstderr && ! ns_g_nosyslog) {
 		result = isc_log_usechannel(lcfg, "default_syslog",
 					    ISC_LOGCATEGORY_DEFAULT, NULL);
 		if (result != ISC_R_SUCCESS)
--- a/external/bsd/bind/dist/bin/named/logconf.c
+++ b/external/bsd/bind/dist/bin/named/logconf.c
@ -1,7 +1,7 @@
-/*	$NetBSD: logconf.c,v 1.4 2012/06/05 00:39:00 christos Exp $	*/
+/*	$NetBSD: logconf.c,v 1.5 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004-2007, 2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2011, 2013  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2001  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -248,14 +248,16 @@ channel_fromconf(const cfg_obj_t *channel, isc_logconfig_t *lctx) {
 					isc_result_totext(result));
 			} else
 				(void)isc_stdio_close(fp);
-		} else {
-			syslog(LOG_ERR, "isc_file_isplainfile '%s' failed: %s",
-				dest.file.name, isc_result_totext(result));
-			fprintf(stderr, "isc_file_isplainfile '%s' failed: %s",
-				dest.file.name, isc_result_totext(result));
+			goto done;
 		}
+		if (!ns_g_nosyslog)
+			syslog(LOG_ERR, "isc_file_isplainfile '%s' failed: %s",
+			       dest.file.name, isc_result_totext(result));
+		fprintf(stderr, "isc_file_isplainfile '%s' failed: %s",
+			dest.file.name, isc_result_totext(result));
 	}

+ done:
 	return (result);
 }

--- a/external/bsd/bind/dist/bin/named/lwresd.c
+++ b/external/bsd/bind/dist/bin/named/lwresd.c
@ -1,7 +1,7 @@
-/*	$NetBSD: lwresd.c,v 1.3 2012/06/05 00:39:01 christos Exp $	*/
+/*	$NetBSD: lwresd.c,v 1.4 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000-2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -370,7 +370,7 @@ ns_lwdmanager_create(isc_mem_t *mctx, const cfg_obj_t *lwres,

 			dns_fixedname_init(&fname);
 			name = dns_fixedname_name(&fname);
-			isc_buffer_init(&namebuf, searchstr,
+			isc_buffer_constinit(&namebuf, searchstr,
 					strlen(searchstr));
 			isc_buffer_add(&namebuf, strlen(searchstr));
 			result = dns_name_fromtext(name, &namebuf,
--- a/external/bsd/bind/dist/bin/named/main.c
+++ b/external/bsd/bind/dist/bin/named/main.c
@ -1,7 +1,7 @@
-/*	$NetBSD: main.c,v 1.10 2013/03/24 18:44:39 christos Exp $	*/
+/*	$NetBSD: main.c,v 1.11 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -525,6 +525,10 @@ parse_command_line(int argc, char *argv[]) {
 				maxudp = 512;
 			else if (!strcmp(isc_commandline_argument, "maxudp1460"))
 				maxudp = 1460;
+			else if (!strcmp(isc_commandline_argument, "nosyslog"))
+				ns_g_nosyslog = ISC_TRUE;
+			else if (!strcmp(isc_commandline_argument, "nonearest"))
+				ns_g_nonearest = ISC_TRUE;
 			else
 				fprintf(stderr, "unknown -T flag '%s\n",
 					isc_commandline_argument);
@ -538,10 +542,16 @@ parse_command_line(int argc, char *argv[]) {
 			ns_g_username = isc_commandline_argument;
 			break;
 		case 'v':
-			printf("BIND %s\n", ns_g_version);
+			printf("%s %s", ns_g_product, ns_g_version);
+			if (*ns_g_description != 0)
+				printf(" %s", ns_g_description);
+			printf("\n");
 			exit(0);
 		case 'V':
-			printf("BIND %s built with %s\n", ns_g_version,
+			printf("%s %s", ns_g_product, ns_g_version);
+			if (*ns_g_description != 0)
+				printf(" %s", ns_g_description);
+			printf(" <id:%s> built with %s\n", ns_g_srcid,
 				ns_g_configargs);
 #ifdef OPENSSL
 			printf("using OpenSSL version: %s\n",
@ -595,7 +605,9 @@ create_managers(void) {
 #ifdef WIN32
 	ns_g_udpdisp = 1;
 #else
-	if (ns_g_udpdisp == 0 || ns_g_udpdisp > ns_g_cpus)
+	if (ns_g_udpdisp == 0)
+		ns_g_udpdisp = ns_g_cpus_detected;
+	if (ns_g_udpdisp > ns_g_cpus)
 		ns_g_udpdisp = ns_g_cpus;
 #endif
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
@ -804,8 +816,8 @@ setup(void) {
 				   isc_result_totext(result));

 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
-		      ISC_LOG_NOTICE, "starting BIND %s%s", ns_g_version,
-		      saved_command_line);
+		      ISC_LOG_NOTICE, "starting %s %s%s", ns_g_product,
+		      ns_g_version, saved_command_line);

 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
 		      ISC_LOG_NOTICE, "built with %s", ns_g_configargs);
@ -1051,9 +1063,9 @@ main(int argc, char *argv[]) {
 	 */
 	strlcat(version,
 #if defined(NO_VERSION_DATE) || !defined(__DATE__)
-		"named version: BIND " VERSION,
+		"named version: BIND " VERSION " <" SRCID ">",
 #else
-		"named version: BIND " VERSION " (" __DATE__ ")",
+		"named version: BIND " VERSION " <" SRCID "> (" __DATE__ ")",
 #endif
 		sizeof(version));
 	result = isc_file_progname(*argv, program_name, sizeof(program_name));
--- a/external/bsd/bind/dist/bin/named/named.8
+++ b/external/bsd/bind/dist/bin/named/named.8
@ -1,6 +1,6 @@
-.\"	$NetBSD: named.8,v 1.3 2012/06/05 00:39:02 christos Exp $
+.\"	$NetBSD: named.8,v 1.4 2013/07/27 19:23:10 christos Exp $
 .\"
-.\" Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2009, 2011, 2013 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@ -176,9 +176,11 @@ Use
 \fI#listeners\fR
 worker threads to listen for incoming UDP packets on each address. If not specified,
 \fBnamed\fR
-will use all of the worker threads for this purpose; the
+will use the number of detected CPUs. If
+\fB\-n\fR
+has been set to a higher value than the number of CPUs, then
 \fB\-U\fR
-option allows the number to be decreased but not increased.
+may be increased as high as that value, but no higher.
 .RE
 .PP
 \-u \fIuser\fR
@ -280,7 +282,7 @@ BIND 9 Administrator Reference Manual.
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2009, 2011, 2013 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
 .br
--- a/external/bsd/bind/dist/bin/named/named.conf.5
+++ b/external/bsd/bind/dist/bin/named/named.conf.5
@ -1,6 +1,6 @@
-.\"	$NetBSD: named.conf.5,v 1.8 2012/06/05 00:39:02 christos Exp $
+.\"	$NetBSD: named.conf.5,v 1.9 2013/07/27 19:23:10 christos Exp $
 .\"
-.\" Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@ -598,5 +598,5 @@ zone \fIstring\fR \fIoptional_class\fR {
 \fBrndc\fR(8),
 BIND 9 Administrator Reference Manual.
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2011 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
 .br
--- a/external/bsd/bind/dist/bin/named/named.conf.docbook
+++ b/external/bsd/bind/dist/bin/named/named.conf.docbook
@ -2,7 +2,7 @@
               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2011, 2013  Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
@ -44,6 +44,7 @@
      <year>2009</year>
      <year>2010</year>
      <year>2011</year>
+      <year>2013</year>
      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
    </copyright>
  </docinfo>
--- a/external/bsd/bind/dist/bin/named/named.conf.html
+++ b/external/bsd/bind/dist/bin/named/named.conf.html
@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
 - 
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
@ -31,7 +31,7 @@
 <div class="cmdsynopsis"><p><code class="command">named.conf</code> </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543354"></a><h2>DESCRIPTION</h2>
+<a name="id2543357"></a><h2>DESCRIPTION</h2>
 <p><code class="filename">named.conf</code> is the configuration file
      for
      <span><strong class="command">named</strong></span>.  Statements are enclosed
@ -50,14 +50,14 @@
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543382"></a><h2>ACL</h2>
+<a name="id2543385"></a><h2>ACL</h2>
 <div class="literallayout"><p><br>
 acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 <br>
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543398"></a><h2>KEY</h2>
+<a name="id2543401"></a><h2>KEY</h2>
 <div class="literallayout"><p><br>
 key <em class="replaceable"><code>domain_name</code></em> {<br>
 	algorithm <em class="replaceable"><code>string</code></em>;<br>
@ -66,7 +66,7 @@ key
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543417"></a><h2>MASTERS</h2>
+<a name="id2543420"></a><h2>MASTERS</h2>
 <div class="literallayout"><p><br>
 masters <em class="replaceable"><code>string</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
 	( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
@ -75,7 +75,7 @@ masters
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543463"></a><h2>SERVER</h2>
+<a name="id2543466"></a><h2>SERVER</h2>
 <div class="literallayout"><p><br>
 server ( <em class="replaceable"><code>ipv4_address[<span class="optional">/prefixlen</span>]</code></em> | <em class="replaceable"><code>ipv6_address[<span class="optional">/prefixlen</span>]</code></em> ) {<br>
 	bogus <em class="replaceable"><code>boolean</code></em>;<br>
@ -97,7 +97,7 @@ server
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543531"></a><h2>TRUSTED-KEYS</h2>
+<a name="id2543534"></a><h2>TRUSTED-KEYS</h2>
 <div class="literallayout"><p><br>
 trusted-keys {<br>
 	<em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br>
@ -105,7 +105,7 @@ trusted-keys
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543557"></a><h2>MANAGED-KEYS</h2>
+<a name="id2543560"></a><h2>MANAGED-KEYS</h2>
 <div class="literallayout"><p><br>
 managed-keys {<br>
 	<em class="replaceable"><code>domain_name</code></em> <code class="constant">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br>
@ -113,7 +113,7 @@ managed-keys
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543586"></a><h2>CONTROLS</h2>
+<a name="id2543589"></a><h2>CONTROLS</h2>
 <div class="literallayout"><p><br>
 controls {<br>
 	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
@ -125,7 +125,7 @@ controls
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543621"></a><h2>LOGGING</h2>
+<a name="id2543624"></a><h2>LOGGING</h2>
 <div class="literallayout"><p><br>
 logging {<br>
 	channel <em class="replaceable"><code>string</code></em> {<br>
@ -143,7 +143,7 @@ logging
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543659"></a><h2>LWRES</h2>
+<a name="id2543662"></a><h2>LWRES</h2>
 <div class="literallayout"><p><br>
 lwres {<br>
 	listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
@ -156,7 +156,7 @@ lwres
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543701"></a><h2>OPTIONS</h2>
+<a name="id2543704"></a><h2>OPTIONS</h2>
 <div class="literallayout"><p><br>
 options {<br>
 	avoid-v4-udp-ports { <em class="replaceable"><code>port</code></em>; ... };<br>
@ -361,7 +361,7 @@ options
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544582"></a><h2>VIEW</h2>
+<a name="id2544585"></a><h2>VIEW</h2>
 <div class="literallayout"><p><br>
 view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
 	match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@ -525,7 +525,7 @@ view
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545298"></a><h2>ZONE</h2>
+<a name="id2545301"></a><h2>ZONE</h2>
 <div class="literallayout"><p><br>
 zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
 	type ( master | slave | stub | hint | redirect |<br>
@ -622,12 +622,12 @@ zone
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545687"></a><h2>FILES</h2>
+<a name="id2545690"></a><h2>FILES</h2>
 <p><code class="filename">/etc/named.conf</code>
    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545699"></a><h2>SEE ALSO</h2>
+<a name="id2545702"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
--- a/external/bsd/bind/dist/bin/named/query.c
+++ b/external/bsd/bind/dist/bin/named/query.c
@ -1,7 +1,7 @@
-/*	$NetBSD: query.c,v 1.10 2012/12/04 23:38:38 spz Exp $	*/
+/*	$NetBSD: query.c,v 1.11 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -96,6 +96,10 @@
 /*% Want DNSSEC? */
 #define WANTDNSSEC(c)		(((c)->attributes & \
 				  NS_CLIENTATTR_WANTDNSSEC) != 0)
+/*% Want WANTAD? */
+#define WANTAD(c)		(((c)->attributes & \
+				  NS_CLIENTATTR_WANTAD) != 0)
+
 /*% No authority? */
 #define NOAUTHORITY(c)		(((c)->query.attributes & \
 				  NS_QUERYATTR_NOAUTHORITY) != 0)
@ -170,39 +174,66 @@ rpz_st_clear(ns_client_t *client);
 static inline void
 inc_stats(ns_client_t *client, isc_statscounter_t counter) {
 	dns_zone_t *zone = client->query.authzone;
+	isc_stats_t *zonestats;
+#ifdef NEWSTATS
+	dns_rdatatype_t qtype;
+	dns_rdataset_t *rdataset;
+	dns_stats_t *querystats = NULL;
+#endif

 	isc_stats_increment(ns_g_server->nsstats, counter);

-	if (zone != NULL) {
-		isc_stats_t *zonestats = dns_zone_getrequeststats(zone);
-		if (zonestats != NULL)
-			isc_stats_increment(zonestats, counter);
+	if (zone == NULL)
+		return;
+
+	/* Do regular response type stats */
+	zonestats = dns_zone_getrequeststats(zone);
+
+	if (zonestats != NULL)
+		isc_stats_increment(zonestats, counter);
+
+#ifdef NEWSTATS
+	/* Do query type statistics
+	 *
+	 * We only increment per-type if we're using the authoriative
+	 * answer counter, preventing double-counting.
+	 */
+	if (counter == dns_nsstatscounter_authans) {
+		querystats = dns_zone_getrcvquerystats(zone);
+		if (querystats != NULL) {
+			rdataset = ISC_LIST_HEAD(client->query.qname->list);
+			if (rdataset != NULL) {
+				qtype = rdataset->type;
+				dns_rdatatypestats_increment(querystats, qtype);
+			}
+		}
 	}
+#endif
 }

 static void
 query_send(ns_client_t *client) {
 	isc_statscounter_t counter;
+
 	if ((client->message->flags & DNS_MESSAGEFLAG_AA) == 0)
 		inc_stats(client, dns_nsstatscounter_nonauthans);
 	else
 		inc_stats(client, dns_nsstatscounter_authans);
+
 	if (client->message->rcode == dns_rcode_noerror) {
-		if (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER])) {
-			if (client->query.isreferral) {
+		dns_section_t answer = DNS_SECTION_ANSWER;
+		if (ISC_LIST_EMPTY(client->message->sections[answer])) {
+			if (client->query.isreferral)
 				counter = dns_nsstatscounter_referral;
-			} else {
+			else
 				counter = dns_nsstatscounter_nxrrset;
-			}
-		} else {
+		} else
 			counter = dns_nsstatscounter_success;
-		}
-	} else if (client->message->rcode == dns_rcode_nxdomain) {
+	} else if (client->message->rcode == dns_rcode_nxdomain)
 		counter = dns_nsstatscounter_nxdomain;
-	} else {
-		/* We end up here in case of YXDOMAIN, and maybe others */
+	else /* We end up here in case of YXDOMAIN, and maybe others */
 		counter = dns_nsstatscounter_failure;
-	}
+
 	inc_stats(client, counter);
 	ns_client_send(client);
 }
@ -653,7 +684,7 @@ query_validatezonedb(ns_client_t *client, dns_name_t *name,
 		     dns_dbversion_t **versionp)
 {
 	isc_result_t result;
-	dns_acl_t *queryacl;
+	dns_acl_t *queryacl, *queryonacl;
 	ns_dbversion_t *dbversion;

 	REQUIRE(zone != NULL);
@ -765,6 +796,21 @@ query_validatezonedb(ns_client_t *client, dns_name_t *name,
 		client->query.attributes |= NS_QUERYATTR_QUERYOKVALID;
 	}

+	/* If and only if we've gotten this far, check allow-query-on too */
+	if (result == ISC_R_SUCCESS) {
+		queryonacl = dns_zone_getqueryonacl(zone);
+		if (queryonacl == NULL)
+			queryonacl = client->view->queryonacl;
+
+		result = ns_client_checkaclsilent(client, NULL,
+						  queryonacl, ISC_TRUE);
+		if ((options & DNS_GETDB_NOLOG) == 0 &&
+		    result != ISC_R_SUCCESS)
+			ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+				      NS_LOGMODULE_QUERY, ISC_LOG_INFO,
+				      "query-on denied");
+	}
+
 	dbversion->acl_checked = ISC_TRUE;
 	if (result != ISC_R_SUCCESS) {
 		dbversion->queryok = ISC_FALSE;
@ -833,12 +879,29 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
 }

 static void
-rpz_log_rewrite(ns_client_t *client, const char *disabled,
+rpz_log_rewrite(ns_client_t *client, isc_boolean_t disabled,
 		dns_rpz_policy_t policy, dns_rpz_type_t type,
-		dns_name_t *rpz_qname) {
+		dns_zone_t *zone, dns_name_t *rpz_qname)
+{
+	isc_stats_t *zonestats;
 	char qname_buf[DNS_NAME_FORMATSIZE];
 	char rpz_qname_buf[DNS_NAME_FORMATSIZE];

+	/*
+	 * Count enabled rewrites in the global counter.
+	 * Count both enabled and disabled rewrites for each zone.
+	 */
+	if (!disabled && policy != DNS_RPZ_POLICY_PASSTHRU) {
+		isc_stats_increment(ns_g_server->nsstats,
+				    dns_nsstatscounter_rpz_rewrites);
+	}
+	if (zone != NULL) {
+		zonestats = dns_zone_getrequeststats(zone);
+		if (zonestats != NULL)
+			isc_stats_increment(zonestats,
+					    dns_nsstatscounter_rpz_rewrites);
+	}
+
 	if (!isc_log_wouldlog(ns_g_lctx, DNS_RPZ_INFO_LEVEL))
 		return;

@ -847,7 +910,7 @@ rpz_log_rewrite(ns_client_t *client, const char *disabled,

 	ns_client_log(client, DNS_LOGCATEGORY_RPZ, NS_LOGMODULE_QUERY,
 		      DNS_RPZ_INFO_LEVEL, "%srpz %s %s rewrite %s via %s",
-		      disabled,
+		      disabled ? "disabled " : "",
 		      dns_rpz_type2str(type), dns_rpz_policy2str(policy),
 		      qname_buf, rpz_qname_buf);
 }
@ -863,6 +926,9 @@ rpz_log_fail(ns_client_t *client, int level,
 	if (!isc_log_wouldlog(ns_g_lctx, level))
 		return;

+	/*
+	 * bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
+	 */
 	dns_name_format(client->query.qname, namebuf1, sizeof(namebuf1));
 	dns_name_format(name, namebuf2, sizeof(namebuf2));
 	ns_client_log(client, NS_LOGCATEGORY_QUERY_EERRORS,
@ -3113,6 +3179,14 @@ query_addbestns(ns_client_t *client) {
 	    SECURE(client) && WANTDNSSEC(client))
 		goto cleanup;

+	/*
+	 * If the answer is secure only add NS records if they are secure		 * when the client may be looking for AD in the response.
+	 */
+	if (SECURE(client) && (WANTDNSSEC(client) || WANTAD(client)) &&
+	    ((rdataset->trust != dns_trust_secure) ||
+	    (sigrdataset != NULL && sigrdataset->trust != dns_trust_secure)))
+		goto cleanup;
+
 	/*
 	 * If the client doesn't want DNSSEC we can discard the sigrdataset
 	 * now.
@ -4079,6 +4153,8 @@ rpz_rewrite_rrset(ns_client_t *client, dns_rpz_type_t rpz_type,
 				rdatasetp, resuming);
 	switch (result) {
 	case ISC_R_SUCCESS:
+	case DNS_R_GLUE:
+	case DNS_R_ZONECUT:
 		result = rpz_rewrite_ip(client, *rdatasetp, rpz_type);
 		break;
 	case DNS_R_EMPTYNAME:
@ -4174,6 +4250,8 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
 	dns_clientinfomethods_t cm;
 	dns_clientinfo_t ci;

+	REQUIRE(nodep != NULL);
+
 	dns_clientinfomethods_init(&cm, ns_client_sourceip);
 	dns_clientinfo_init(&ci, client);

@ -4261,26 +4339,32 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
 				result = DNS_R_CNAME;
 		}
 		break;
+	case DNS_R_NXRRSET:
+		policy = DNS_RPZ_POLICY_NODATA;
+		break;
 	case DNS_R_DNAME:
 		/*
 		 * DNAME policy RRs have very few if any uses that are not
 		 * better served with simple wildcards.  Making the work would
 		 * require complications to get the number of labels matched
 		 * in the name or the found name to the main DNS_R_DNAME case
-		 * in query_find(). So fall through to treat them as NODATA.
+		 * in query_find().
+		 */
+		dns_rdataset_disassociate(*rdatasetp);
+		dns_db_detachnode(*dbp, nodep);
+		/*
+		 * Fall through to treat it as a miss.
 		 */
-	case DNS_R_NXRRSET:
-		policy = DNS_RPZ_POLICY_NODATA;
-		break;
 	case DNS_R_NXDOMAIN:
 	case DNS_R_EMPTYNAME:
 		/*
 		 * If we don't get a qname hit,
 		 * see if it is worth looking for other types.
 		 */
-		dns_db_rpz_enabled(*dbp, client->query.rpz_st);
+		(void)dns_db_rpz_enabled(*dbp, client->query.rpz_st);
 		dns_db_detach(dbp);
 		dns_zone_detach(zonep);
+		result = DNS_R_NXDOMAIN;
 		policy = DNS_RPZ_POLICY_MISS;
 		break;
 	default:
@ -4288,9 +4372,7 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
 		dns_zone_detach(zonep);
 		rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, qnamef,
 			     "", result);
-		policy = DNS_RPZ_POLICY_ERROR;
-		result = DNS_R_SERVFAIL;
-		break;
+		return (DNS_R_SERVFAIL);
 	}

 	*policyp = policy;
@ -4356,6 +4438,9 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
 			if (result == ISC_R_SUCCESS)
 				break;
 			INSIST(result == DNS_R_NAMETOOLONG);
+			/*
+			 * Trim the name until it is not too long.
+			 */
 			labels = dns_name_countlabels(prefix);
 			if (labels < 2) {
 				rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
@ -4379,7 +4464,6 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
 				  rdatasetp, &policy);
 		switch (result) {
 		case DNS_R_NXDOMAIN:
-		case DNS_R_EMPTYNAME:
 			break;
 		case DNS_R_SERVFAIL:
 			rpz_clean(&zone, &db, &node, rdatasetp);
@ -4402,13 +4486,45 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
 			     (st->m.type == rpz_type &&
 			      0 >= dns_name_compare(rpz_qname, st->qname))))
 				continue;
+#if 0
+			/*
+			 * This code would block a customer reported information
+			 * leak of rpz rules by rewriting requests in the
+			 * rpz-ip, rpz-nsip, rpz-nsdname,and rpz-passthru TLDs.
+			 * Without this code, a bad guy could request
+			 * 24.0.3.2.10.rpz-ip. to find the policy rule for
+			 * 10.2.3.0/14.  It is an insignificant leak and this
+			 * code is not worth its cost, because the bad guy
+			 * could publish "evil.com A 10.2.3.4" and request
+			 * evil.com to get the same information.
+			 * Keep code with "#if 0" in case customer demand
+			 * is irresistible.
+			 *
+			 * We have the less frequent case of a triggered
+			 * policy.  Check that we have not trigger on one
+			 * of the pretend RPZ TLDs.
+			 * This test would make it impossible to rewrite
+			 * names in TLDs that start with "rpz-" should
+			 * ICANN ever allow such TLDs.
+			 */
+			labels = dns_name_countlabels(qname);
+			if (labels >= 2) {
+				dns_label_t label;

+				dns_name_getlabel(qname, labels-2, &label);
+				if (label.length >= sizeof(DNS_RPZ_PREFIX)-1 &&
+				    strncasecmp((const char *)label.base+1,
+						DNS_RPZ_PREFIX,
+						sizeof(DNS_RPZ_PREFIX)-1) == 0)
+					continue;
+			}
+#endif
 			/*
 			 * Merely log DNS_RPZ_POLICY_DISABLED hits.
 			 */
 			if (rpz->policy == DNS_RPZ_POLICY_DISABLED) {
-				rpz_log_rewrite(client, "disabled ",
-						policy, rpz_type, rpz_qname);
+				rpz_log_rewrite(client, ISC_TRUE, policy,
+						rpz_type, zone, rpz_qname);
 				continue;
 			}

@ -4539,7 +4655,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
 	rdataset = NULL;
 	if ((st->state & DNS_RPZ_DONE_QNAME) == 0) {
 		/*
-		 * Check rules for the query name if this it the first time
+		 * Check rules for the query name if this is the first time
 		 * for the current qname, i.e. we've not been recursing.
 		 * There is a first time for each name in a CNAME chain.
 		 */
@ -4581,7 +4697,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,

 	dns_fixedname_init(&nsnamef);
 	dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef));
-	while (st->r.label > 1) {
+	while (st->r.label > client->view->rpz_min_ns_labels) {
 		/*
 		 * Get NS rrset for each domain in the current qname.
 		 */
@ -4712,8 +4828,8 @@ cleanup:
 	    st->m.policy == DNS_RPZ_POLICY_ERROR) {
 		if (st->m.policy == DNS_RPZ_POLICY_PASSTHRU &&
 		    result != DNS_R_DELEGATION)
-			rpz_log_rewrite(client, "", st->m.policy, st->m.type,
-					st->qname);
+			rpz_log_rewrite(client, ISC_FALSE, st->m.policy,
+					st->m.type, st->m.zone, st->qname);
 		rpz_match_clear(st);
 	}
 	if (st->m.policy == DNS_RPZ_POLICY_ERROR) {
@ -4728,7 +4844,7 @@ cleanup:
 }

 /*
- * See if response policy zone rewriting is allowed a lack of interest
+ * See if response policy zone rewriting is allowed by a lack of interest
 * by the client in DNSSEC or a lack of signatures.
 */
 static isc_boolean_t
@ -4823,7 +4939,8 @@ rpz_add_cname(ns_client_t *client, dns_rpz_st_t *st,
 				 fname, dns_trust_authanswer, st->m.ttl);
 	if (result != ISC_R_SUCCESS)
 		return (result);
-	rpz_log_rewrite(client, "", st->m.policy, st->m.type, st->qname);
+	rpz_log_rewrite(client, ISC_FALSE, st->m.policy,
+			st->m.type, st->m.zone, st->qname);
 	ns_client_qnamereplace(client, fname);
 	/*
 	 * Turn off DNSSEC because the results of a
@ -5884,9 +6001,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
 						DNS_MESSAGEFLAG_AD);
 			query_putrdataset(client, &sigrdataset);
+			rpz_st->q.is_zone = is_zone;
 			is_zone = ISC_TRUE;
-			rpz_log_rewrite(client, "", rpz_st->m.policy,
-					rpz_st->m.type, rpz_st->qname);
+			rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy,
+					rpz_st->m.type, zone, rpz_st->qname);
 		}
 	}

@ -6262,6 +6380,15 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			rdataset = NULL;
 			sigrdataset = NULL;
 			type = qtype = dns_rdatatype_a;
+			rpz_st = client->query.rpz_st;
+			if (rpz_st != NULL) {
+				/*
+				 * Arrange for RPZ rewriting of any A records.
+				 */
+				if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
+					is_zone = rpz_st->q.is_zone;
+				rpz_st_clear(client);
+			}
 			dns64 = ISC_TRUE;
 			goto db_find;
 		}
@ -6290,7 +6417,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 				 * closest provable encloser.
 				 */
 				if (dns_rdataset_isassociated(rdataset) &&
-				    !dns_name_equal(qname, found)) {
+				    !dns_name_equal(qname, found) &&
+				    !(ns_g_nonearest &&
+				      qtype != dns_rdatatype_ds))
+				{
 					unsigned int count;
 					unsigned int skip;

@ -6527,6 +6657,15 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			sigrdataset = NULL;
 			fname = NULL;
 			type = qtype = dns_rdatatype_a;
+			rpz_st = client->query.rpz_st;
+			if (rpz_st != NULL) {
+				/*
+				 * Arrange for RPZ rewriting of any A records.
+				 */
+				if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
+					is_zone = rpz_st->q.is_zone;
+				rpz_st_clear(client);
+			}
 			dns64 = ISC_TRUE;
 			goto db_find;
 		}
@ -7027,6 +7166,15 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			rdataset = NULL;
 			sigrdataset = NULL;
 			type = qtype = dns_rdatatype_a;
+			rpz_st = client->query.rpz_st;
+			if (rpz_st != NULL) {
+				/*
+				 * Arrange for RPZ rewriting of any A records.
+				 */
+				if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
+					is_zone = rpz_st->q.is_zone;
+				rpz_st_clear(client);
+			}
 			dns64_exclude = dns64 = ISC_TRUE;
 			goto db_find;
 		}
@ -7313,7 +7461,6 @@ ns_query_start(ns_client_t *client) {
 	dns_rdatatype_t qtype;
 	unsigned int saved_extflags = client->extflags;
 	unsigned int saved_flags = client->message->flags;
-	isc_boolean_t want_ad;

 	CTRACE("ns_query_start");

@ -7409,6 +7556,7 @@ ns_query_start(ns_client_t *client) {
 	INSIST(rdataset != NULL);
 	qtype = rdataset->type;
 	dns_rdatatypestats_increment(ns_g_server->rcvquerystats, qtype);
+
 	if (dns_rdatatype_ismeta(qtype)) {
 		switch (qtype) {
 		case dns_rdatatype_any:
@ -7475,13 +7623,11 @@ ns_query_start(ns_client_t *client) {
 		client->query.attributes &= ~NS_QUERYATTR_SECURE;

 	/*
-	 * Set 'want_ad' if the client has set AD in the query.
+	 * Set NS_CLIENTATTR_WANTDNSSEC if the client has set AD in the query.
 	 * This allows AD to be returned on queries without DO set.
 	 */
 	if ((message->flags & DNS_MESSAGEFLAG_AD) != 0)
-		want_ad = ISC_TRUE;
-	else
-		want_ad = ISC_FALSE;
+		client->attributes |= NS_CLIENTATTR_WANTAD;

 	/*
 	 * This is an ordinary query.
@ -7506,7 +7652,7 @@ ns_query_start(ns_client_t *client) {
 	 * Set AD.  We must clear it if we add non-validated data to a
 	 * response.
 	 */
-	if (WANTDNSSEC(client) || want_ad)
+	if (WANTDNSSEC(client) || WANTAD(client))
 		message->flags |= DNS_MESSAGEFLAG_AD;

 	qclient = NULL;
--- a/external/bsd/bind/dist/bin/named/server.c
+++ b/external/bsd/bind/dist/bin/named/server.c
@ -1,7 +1,7 @@
-/*	$NetBSD: server.c,v 1.12 2012/12/04 23:38:38 spz Exp $	*/
+/*	$NetBSD: server.c,v 1.13 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -117,6 +117,10 @@
 #define PATH_MAX 1024
 #endif

+#ifndef SIZE_MAX
+#define SIZE_MAX ((size_t)-1)
+#endif
+
 /*%
 * Check an operation for failure.  Assumes that the function
 * using it has a 'result' variable and a 'cleanup' label.
@ -164,7 +168,7 @@
 * a cache.  Only effective when a finite max-cache-size is specified.
 * This is currently defined to be 8MB.
 */
-#define MAX_ADB_SIZE_FOR_CACHESHARE	8388608
+#define MAX_ADB_SIZE_FOR_CACHESHARE	8388608U

 struct ns_dispatch {
 	isc_sockaddr_t			addr;
@ -254,6 +258,72 @@ const char *empty_zones[] = {
 	"31.172.IN-ADDR.ARPA",
 	"168.192.IN-ADDR.ARPA",

+	/* RFC 6598 */
+	"64.100.IN-ADDR.ARPA",
+	"65.100.IN-ADDR.ARPA",
+	"66.100.IN-ADDR.ARPA",
+	"67.100.IN-ADDR.ARPA",
+	"68.100.IN-ADDR.ARPA",
+	"69.100.IN-ADDR.ARPA",
+	"70.100.IN-ADDR.ARPA",
+	"71.100.IN-ADDR.ARPA",
+	"72.100.IN-ADDR.ARPA",
+	"73.100.IN-ADDR.ARPA",
+	"74.100.IN-ADDR.ARPA",
+	"75.100.IN-ADDR.ARPA",
+	"76.100.IN-ADDR.ARPA",
+	"77.100.IN-ADDR.ARPA",
+	"78.100.IN-ADDR.ARPA",
+	"79.100.IN-ADDR.ARPA",
+	"80.100.IN-ADDR.ARPA",
+	"81.100.IN-ADDR.ARPA",
+	"82.100.IN-ADDR.ARPA",
+	"83.100.IN-ADDR.ARPA",
+	"84.100.IN-ADDR.ARPA",
+	"85.100.IN-ADDR.ARPA",
+	"86.100.IN-ADDR.ARPA",
+	"87.100.IN-ADDR.ARPA",
+	"88.100.IN-ADDR.ARPA",
+	"89.100.IN-ADDR.ARPA",
+	"90.100.IN-ADDR.ARPA",
+	"91.100.IN-ADDR.ARPA",
+	"92.100.IN-ADDR.ARPA",
+	"93.100.IN-ADDR.ARPA",
+	"94.100.IN-ADDR.ARPA",
+	"95.100.IN-ADDR.ARPA",
+	"96.100.IN-ADDR.ARPA",
+	"97.100.IN-ADDR.ARPA",
+	"98.100.IN-ADDR.ARPA",
+	"99.100.IN-ADDR.ARPA",
+	"100.100.IN-ADDR.ARPA",
+	"101.100.IN-ADDR.ARPA",
+	"102.100.IN-ADDR.ARPA",
+	"103.100.IN-ADDR.ARPA",
+	"104.100.IN-ADDR.ARPA",
+	"105.100.IN-ADDR.ARPA",
+	"106.100.IN-ADDR.ARPA",
+	"107.100.IN-ADDR.ARPA",
+	"108.100.IN-ADDR.ARPA",
+	"109.100.IN-ADDR.ARPA",
+	"110.100.IN-ADDR.ARPA",
+	"111.100.IN-ADDR.ARPA",
+	"112.100.IN-ADDR.ARPA",
+	"113.100.IN-ADDR.ARPA",
+	"114.100.IN-ADDR.ARPA",
+	"115.100.IN-ADDR.ARPA",
+	"116.100.IN-ADDR.ARPA",
+	"117.100.IN-ADDR.ARPA",
+	"118.100.IN-ADDR.ARPA",
+	"119.100.IN-ADDR.ARPA",
+	"120.100.IN-ADDR.ARPA",
+	"121.100.IN-ADDR.ARPA",
+	"122.100.IN-ADDR.ARPA",
+	"123.100.IN-ADDR.ARPA",
+	"124.100.IN-ADDR.ARPA",
+	"125.100.IN-ADDR.ARPA",
+	"126.100.IN-ADDR.ARPA",
+	"127.100.IN-ADDR.ARPA",
+
 	/* RFC 5735 and RFC 5737 */
 	"0.IN-ADDR.ARPA",	/* THIS NETWORK */
 	"127.IN-ADDR.ARPA",	/* LOOPBACK */
@ -459,7 +529,7 @@ configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config,
 	     element = cfg_list_next(element)) {
 		nameobj = cfg_listelt_value(element);
 		str = cfg_obj_asstring(nameobj);
-		isc_buffer_init(&b, str, strlen(str));
+		isc_buffer_constinit(&b, str, strlen(str));
 		isc_buffer_add(&b, strlen(str));
 		CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
 		/*
@ -576,7 +646,7 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
 				   keystruct.common.rdtype,
 				   &keystruct, &rrdatabuf));
 	dns_fixedname_init(&fkeyname);
-	isc_buffer_init(&namebuf, keynamestr, strlen(keynamestr));
+	isc_buffer_constinit(&namebuf, keynamestr, strlen(keynamestr));
 	isc_buffer_add(&namebuf, strlen(keynamestr));
 	CHECK(dns_name_fromtext(keyname, &namebuf, dns_rootname, 0, NULL));
 	CHECK(dst_key_fromdns(keyname, viewclass, &rrdatabuf,
@ -810,7 +880,17 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 	 */
 	obj = NULL;
 	(void)ns_config_get(maps, "managed-keys-directory", &obj);
-	directory = obj != NULL ? cfg_obj_asstring(obj) : NULL;
+	directory = (obj != NULL ? cfg_obj_asstring(obj) : NULL);
+	if (directory != NULL)
+		result = isc_file_isdirectory(directory);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
+			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "invalid managed-keys-directory %s: %s",
+			      directory, isc_result_totext(result));
+		goto cleanup;
+
+	}
 	CHECK(add_keydata_zone(view, directory, ns_g_mctx));

  cleanup:
@ -836,7 +916,7 @@ mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver) {
 	{
 		obj = cfg_listelt_value(element);
 		str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
-		isc_buffer_init(&b, str, strlen(str));
+		isc_buffer_constinit(&b, str, strlen(str));
 		isc_buffer_add(&b, strlen(str));
 		CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
 		value = cfg_obj_asboolean(cfg_tuple_get(obj, "value"));
@ -989,7 +1069,7 @@ configure_order(dns_order_t *order, const cfg_obj_t *ent) {
 	else
 		str = "*";
 	addroot = ISC_TF(strcmp(str, "*") == 0);
-	isc_buffer_init(&b, str, strlen(str));
+	isc_buffer_constinit(&b, str, strlen(str));
 	isc_buffer_add(&b, strlen(str));
 	dns_fixedname_init(&fixed);
 	result = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
@ -1175,7 +1255,7 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
 	dns_fixedname_init(&fixed);
 	name = dns_fixedname_name(&fixed);
 	str = cfg_obj_asstring(cfg_tuple_get(disabled, "name"));
-	isc_buffer_init(&b, str, strlen(str));
+	isc_buffer_constinit(&b, str, strlen(str));
 	isc_buffer_add(&b, strlen(str));
 	CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));

@ -1227,7 +1307,7 @@ on_disable_list(const cfg_obj_t *disablelist, dns_name_t *zonename) {
 	{
 		value = cfg_listelt_value(element);
 		str = cfg_obj_asstring(value);
-		isc_buffer_init(&b, str, strlen(str));
+		isc_buffer_constinit(&b, str, strlen(str));
 		isc_buffer_add(&b, strlen(str));
 		result = dns_name_fromtext(name, &b, dns_rootname,
 					   0, NULL);
@ -1270,12 +1350,14 @@ check_dbtype(dns_zone_t **zonep, unsigned int dbtypec, const char **dbargv,
 }

 static isc_result_t
-setquerystats(dns_zone_t *zone, isc_mem_t *mctx, isc_boolean_t on) {
+setquerystats(dns_zone_t *zone, isc_mem_t *mctx, dns_zonestat_level_t level) {
 	isc_result_t result;
 	isc_stats_t *zoneqrystats;

+	dns_zone_setstatlevel(zone, level);
+
 	zoneqrystats = NULL;
-	if (on) {
+	if (level == dns_zonestat_full) {
 		result = isc_stats_create(mctx, &zoneqrystats,
 					  dns_nsstatscounter_max);
 		if (result != ISC_R_SUCCESS)
@ -1323,7 +1405,7 @@ static isc_boolean_t
 cache_sharable(dns_view_t *originview, dns_view_t *view,
 	       isc_boolean_t new_zero_no_soattl,
 	       unsigned int new_cleaning_interval,
-	       isc_uint32_t new_max_cache_size)
+	       isc_uint64_t new_max_cache_size)
 {
 	/*
 	 * If the cache cannot even reused for the same view, it cannot be
@ -1411,7 +1493,7 @@ dns64_reverse(dns_view_t *view, isc_mem_t *mctx, isc_netaddr_t *na,
 		dns64_dbtype[3] = contact;
 	dns_fixedname_init(&fixed);
 	name = dns_fixedname_name(&fixed);
-	isc_buffer_init(&b, reverse, strlen(reverse));
+	isc_buffer_constinit(&b, reverse, strlen(reverse));
 	isc_buffer_add(&b, strlen(reverse));
 	CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
 	CHECK(dns_zone_create(&zone, mctx));
@ -1429,7 +1511,7 @@ dns64_reverse(dns_view_t *view, isc_mem_t *mctx, isc_netaddr_t *na,
 	dns_zone_setdialup(zone, dns_dialuptype_no);
 	dns_zone_setnotifytype(zone, dns_notifytype_no);
 	dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE);
-	CHECK(setquerystats(zone, mctx, ISC_FALSE));	/* XXXMPA */
+	CHECK(setquerystats(zone, mctx, dns_zonestat_none));	/* XXXMPA */
 	CHECK(dns_view_addzone(view, zone));
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
 		      ISC_LOG_INFO, "dns64 reverse zone%s%s: %s", sep,
@ -1441,40 +1523,58 @@ cleanup:
 	return (result);
 }

+static isc_result_t
+configure_rpz_name(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name,
+		   const char *str, const char *msg)
+{
+	isc_result_t result;
+
+	result = dns_name_fromstring(name, str, DNS_NAME_DOWNCASE, view->mctx);
+	if (result != ISC_R_SUCCESS)
+		cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+			    "invalid %s '%s'", msg, str);
+	return (result);
+}
+
+static isc_result_t
+configure_rpz_name2(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name,
+		    const char *str, const dns_name_t *origin)
+{
+	isc_result_t result;
+
+	result = dns_name_fromstring2(name, str, origin, DNS_NAME_DOWNCASE,
+				      view->mctx);
+	if (result != ISC_R_SUCCESS)
+		cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+			    "invalid zone '%s'", str);
+	return (result);
+}
+
 static isc_result_t
 configure_rpz(dns_view_t *view, const cfg_listelt_t *element,
 	      isc_boolean_t recursive_only_def, dns_ttl_t ttl_def)
 {
-	const cfg_obj_t *rpz_obj, *policy_obj, *obj;
+	const cfg_obj_t *rpz_obj, *obj;
 	const char *str;
 	dns_rpz_zone_t *old, *new;
-	dns_zone_t *zone = NULL;
 	isc_result_t result;

+	rpz_obj = cfg_listelt_value(element);
+
 	new = isc_mem_get(view->mctx, sizeof(*new));
 	if (new == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup;
+		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+			    "no memory for response policy zones");
+		return (ISC_R_NOMEMORY);
 	}

 	memset(new, 0, sizeof(*new));
 	dns_name_init(&new->origin, NULL);
 	dns_name_init(&new->nsdname, NULL);
-	dns_name_init(&new->cname, NULL);
 	dns_name_init(&new->passthru, NULL);
+	dns_name_init(&new->cname, NULL);
 	ISC_LIST_INITANDAPPEND(view->rpz_zones, new, link);

-	rpz_obj = cfg_listelt_value(element);
-	policy_obj = cfg_tuple_get(rpz_obj, "policy");
-	if (cfg_obj_isvoid(policy_obj)) {
-		new->policy = DNS_RPZ_POLICY_GIVEN;
-	} else {
-		str = cfg_obj_asstring(cfg_tuple_get(policy_obj,
-						     "policy name"));
-		new->policy = dns_rpz_str2policy(str);
-		INSIST(new->policy != DNS_RPZ_POLICY_ERROR);
-	}
-
 	obj = cfg_tuple_get(rpz_obj, "recursive-only");
 	if (cfg_obj_isvoid(obj)) {
 		new->recursive_only = recursive_only_def;
@ -1492,47 +1592,14 @@ configure_rpz(dns_view_t *view, const cfg_listelt_t *element,
 	}

 	str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "zone name"));
-	result = dns_name_fromstring(&new->origin, str, DNS_NAME_DOWNCASE,
-				     view->mctx);
-	if (result != ISC_R_SUCCESS) {
+	result = configure_rpz_name(view, rpz_obj, &new->origin, str, "zone");
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	if (dns_name_equal(&new->origin, dns_rootname)) {
 		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
-			    "invalid zone '%s'", str);
-		goto cleanup;
+			    "invalid zone name '%s'", str);
+		return (DNS_R_EMPTYLABEL);
 	}
-
-	result = dns_name_fromstring2(&new->nsdname, DNS_RPZ_NSDNAME_ZONE,
-				      &new->origin, DNS_NAME_DOWNCASE,
-				      view->mctx);
-	if (result != ISC_R_SUCCESS) {
-		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
-			    "invalid zone '%s'", str);
-		goto cleanup;
-	}
-
-	result = dns_name_fromstring(&new->passthru, DNS_RPZ_PASSTHRU_ZONE,
-				     DNS_NAME_DOWNCASE, view->mctx);
-	if (result != ISC_R_SUCCESS) {
-		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
-			    "invalid zone '%s'", str);
-		goto cleanup;
-	}
-
-	result = dns_view_findzone(view, &new->origin, &zone);
-	if (result != ISC_R_SUCCESS) {
-		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
-			    "unknown zone '%s'", str);
-		goto cleanup;
-	}
-	if (dns_zone_gettype(zone) != dns_zone_master &&
-	    dns_zone_gettype(zone) != dns_zone_slave) {
-		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
-			     "zone '%s' is neither master nor slave", str);
-		dns_zone_detach(&zone);
-		result = DNS_R_NOTMASTER;
-		goto cleanup;
-	}
-	dns_zone_detach(&zone);
-
 	for (old = ISC_LIST_HEAD(view->rpz_zones);
 	     old != new;
 	     old = ISC_LIST_NEXT(old, link)) {
@ -1541,26 +1608,37 @@ configure_rpz(dns_view_t *view, const cfg_listelt_t *element,
 			cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
 				    "duplicate '%s'", str);
 			result = DNS_R_DUPLICATE;
-			goto cleanup;
+			return (result);
 		}
 	}

-	if (new->policy == DNS_RPZ_POLICY_CNAME) {
-		str = cfg_obj_asstring(cfg_tuple_get(policy_obj, "cname"));
-		result = dns_name_fromstring(&new->cname, str,
-					     DNS_NAME_DOWNCASE, view->mctx);
-		if (result != ISC_R_SUCCESS) {
-			cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
-				    "invalid cname '%s'", str);
-			goto cleanup;
+	result = configure_rpz_name2(view, rpz_obj, &new->nsdname,
+				     DNS_RPZ_NSDNAME_ZONE, &new->origin);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = configure_rpz_name(view, rpz_obj, &new->passthru,
+				    DNS_RPZ_PASSTHRU_ZONE, "zone");
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	obj = cfg_tuple_get(rpz_obj, "policy");
+	if (cfg_obj_isvoid(obj)) {
+		new->policy = DNS_RPZ_POLICY_GIVEN;
+	} else {
+		str = cfg_obj_asstring(cfg_tuple_get(obj, "policy name"));
+		new->policy = dns_rpz_str2policy(str);
+		INSIST(new->policy != DNS_RPZ_POLICY_ERROR);
+		if (new->policy == DNS_RPZ_POLICY_CNAME) {
+			str = cfg_obj_asstring(cfg_tuple_get(obj, "cname"));
+			result = configure_rpz_name(view, rpz_obj, &new->cname,
+						    str, "cname");
+			if (result != ISC_R_SUCCESS)
+				return (result);
 		}
 	}

 	return (ISC_R_SUCCESS);
-
- cleanup:
-	dns_rpz_view_destroy(view);
-	return (result);
 }

 /*
@ -1594,10 +1672,10 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 	in_port_t port;
 	dns_cache_t *cache = NULL;
 	isc_result_t result;
-	isc_uint32_t max_adb_size;
 	unsigned int cleaning_interval;
-	isc_uint32_t max_cache_size;
-	isc_uint32_t max_acache_size;
+	size_t max_cache_size;
+	size_t max_acache_size;
+	size_t max_adb_size;
 	isc_uint32_t lame_ttl;
 	dns_tsig_keyring_t *ring = NULL;
 	dns_view_t *pview = NULL;	/* Production view */
@ -1627,8 +1705,9 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 	ns_cache_t *nsc;
 	isc_boolean_t zero_no_soattl;
 	dns_acl_t *clients = NULL, *mapped = NULL, *excluded = NULL;
-	unsigned int query_timeout;
+	unsigned int query_timeout, ndisp;
 	struct cfg_context *nzctx;
+	dns_rpz_zone_t *rpz;

 	REQUIRE(DNS_VIEW_VALID(view));

@ -1702,18 +1781,18 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 			max_acache_size = ISC_UINT32_MAX;
 		} else {
 			isc_resourcevalue_t value;
-
 			value = cfg_obj_asuint64(obj);
-			if (value > ISC_UINT32_MAX) {
-				cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
+			if (value > SIZE_MAX) {
+				cfg_obj_log(obj, ns_g_lctx,
+					    ISC_LOG_WARNING,
 					    "'max-acache-size "
-					    "%" ISC_PRINT_QUADFORMAT
-					    "d' is too large",
-					    value);
-				result = ISC_R_RANGE;
-				goto cleanup;
+					    "%" ISC_PRINT_QUADFORMAT "u' "
+					    "is too large for this "
+					    "system; reducing to %lu",
+					    value, (unsigned long)SIZE_MAX);
+				value = SIZE_MAX;
 			}
-			max_acache_size = (isc_uint32_t)value;
+			max_acache_size = (size_t) value;
 		}
 		dns_acache_setcachesize(view->acache, max_acache_size);
 	}
@ -1726,6 +1805,53 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 					 &view->queryacl));
 	}

+	/*
+	 * Make the list of response policy zone names for a view that
+	 * is used for real lookups and so cares about hints.
+	 */
+	obj = NULL;
+	if (view->rdclass == dns_rdataclass_in && need_hints &&
+	    ns_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) {
+		const cfg_obj_t *rpz_obj;
+		isc_boolean_t recursive_only_def;
+		dns_ttl_t ttl_def;
+
+		rpz_obj = cfg_tuple_get(obj, "recursive-only");
+		if (!cfg_obj_isvoid(rpz_obj) &&
+		    !cfg_obj_asboolean(rpz_obj))
+			recursive_only_def = ISC_FALSE;
+		else
+			recursive_only_def = ISC_TRUE;
+
+		rpz_obj = cfg_tuple_get(obj, "break-dnssec");
+		if (!cfg_obj_isvoid(rpz_obj) &&
+		    cfg_obj_asboolean(rpz_obj))
+			view->rpz_break_dnssec = ISC_TRUE;
+		else
+			view->rpz_break_dnssec = ISC_FALSE;
+
+		rpz_obj = cfg_tuple_get(obj, "max-policy-ttl");
+		if (cfg_obj_isuint32(rpz_obj))
+			ttl_def = cfg_obj_asuint32(rpz_obj);
+		else
+			ttl_def = DNS_RPZ_MAX_TTL_DEFAULT;
+
+		rpz_obj = cfg_tuple_get(obj, "min-ns-dots");
+		if (cfg_obj_isuint32(rpz_obj))
+			view->rpz_min_ns_labels = cfg_obj_asuint32(rpz_obj) + 1;
+		else
+			view->rpz_min_ns_labels = 2;
+
+		element = cfg_list_first(cfg_tuple_get(obj, "zone list"));
+		while (element != NULL) {
+			result = configure_rpz(view, element,
+					       recursive_only_def, ttl_def);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+			element = cfg_list_next(element);
+		}
+	}
+
 	/*
 	 * Configure the zones.
 	 */
@ -1747,6 +1873,22 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 				     actx, ISC_FALSE));
 	}

+	for (rpz = ISC_LIST_HEAD(view->rpz_zones);
+	     rpz != NULL;
+	     rpz = ISC_LIST_NEXT(rpz, link))
+	{
+		if (!rpz->defined) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+
+			dns_name_format(&rpz->origin, namebuf, sizeof(namebuf));
+			cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+				    "'%s' is not a master or slave zone",
+				    namebuf);
+			result = ISC_R_NOTFOUND;
+			goto cleanup;
+		}
+	}
+
 	/*
 	 * If we're allowing added zones, then load zone configuration
 	 * from the newzone file for zones that were added during previous
@ -1837,15 +1979,17 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 	} else {
 		isc_resourcevalue_t value;
 		value = cfg_obj_asuint64(obj);
-		if (value > ISC_UINT32_MAX) {
-			cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
+		if (value > SIZE_MAX) {
+			cfg_obj_log(obj, ns_g_lctx,
+				    ISC_LOG_WARNING,
 				    "'max-cache-size "
-				    "%" ISC_PRINT_QUADFORMAT "d' is too large",
-				    value);
-			result = ISC_R_RANGE;
-			goto cleanup;
+				    "%" ISC_PRINT_QUADFORMAT "u' "
+				    "is too large for this "
+				    "system; reducing to %lu",
+				    value, (unsigned long)SIZE_MAX);
+			value = SIZE_MAX;
 		}
-		max_cache_size = (isc_uint32_t)value;
+		max_cache_size = (size_t) value;
 	}

 	/* Check-names. */
@ -2154,7 +2298,9 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 		result = ISC_R_UNEXPECTED;
 		goto cleanup;
 	}
-	CHECK(dns_view_createresolver(view, ns_g_taskmgr, 31,
+
+	ndisp = 4 * ISC_MIN(ns_g_udpdisp, MAX_UDP_DISPATCH);
+	CHECK(dns_view_createresolver(view, ns_g_taskmgr, 31, ndisp,
 				      ns_g_socketmgr, ns_g_timermgr,
 				      resopts, ns_g_dispatchmgr,
 				      dispatch4, dispatch6));
@ -2173,9 +2319,9 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 	 * MAX_ADB_SIZE_FOR_CACHESHARE when the cache is shared.
 	 */
 	max_adb_size = 0;
-	if (max_cache_size != 0) {
+	if (max_cache_size != 0U) {
 		max_adb_size = max_cache_size / 8;
-		if (max_adb_size == 0)
+		if (max_adb_size == 0U)
 			max_adb_size = 1;	/* Force minimum. */
 		if (view != nsc->primaryview &&
 		    max_adb_size > MAX_ADB_SIZE_FOR_CACHESHARE) {
@ -2658,7 +2804,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 			obj = cfg_listelt_value(element);
 			str = cfg_obj_asstring(cfg_tuple_get(obj,
 							     "trust-anchor"));
-			isc_buffer_init(&b, str, strlen(str));
+			isc_buffer_constinit(&b, str, strlen(str));
 			isc_buffer_add(&b, strlen(str));
 			dlv = dns_fixedname_name(&view->dlv_fixed);
 			CHECK(dns_name_fromtext(dlv, &b, dns_rootname,
@ -2711,7 +2857,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 			     element = cfg_list_next(element)) {
 				exclude = cfg_listelt_value(element);
 				str = cfg_obj_asstring(exclude);
-				isc_buffer_init(&b, str, strlen(str));
+				isc_buffer_constinit(&b, str, strlen(str));
 				isc_buffer_add(&b, strlen(str));
 				CHECK(dns_name_fromtext(name, &b, dns_rootname,
 							0, NULL));
@ -2752,7 +2898,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 		const char *empty_dbtype[4] =
 				    { "_builtin", "empty", NULL, NULL };
 		int empty_dbtypec = 4;
-		isc_boolean_t zonestats_on;
+		dns_zonestat_level_t statlevel;

 		dns_fixedname_init(&fixed);
 		name = dns_fixedname_name(&fixed);
@ -2761,7 +2907,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 		result = ns_config_get(maps, "empty-server", &obj);
 		if (result == ISC_R_SUCCESS) {
 			str = cfg_obj_asstring(obj);
-			isc_buffer_init(&buffer, str, strlen(str));
+			isc_buffer_constinit(&buffer, str, strlen(str));
 			isc_buffer_add(&buffer, strlen(str));
 			CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
 						NULL));
@ -2776,7 +2922,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 		result = ns_config_get(maps, "empty-contact", &obj);
 		if (result == ISC_R_SUCCESS) {
 			str = cfg_obj_asstring(obj);
-			isc_buffer_init(&buffer, str, strlen(str));
+			isc_buffer_constinit(&buffer, str, strlen(str));
 			isc_buffer_add(&buffer, strlen(str));
 			CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
 						NULL));
@ -2790,7 +2936,22 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 		obj = NULL;
 		result = ns_config_get(maps, "zone-statistics", &obj);
 		INSIST(result == ISC_R_SUCCESS);
-		zonestats_on = cfg_obj_asboolean(obj);
+		if (cfg_obj_isboolean(obj)) {
+			if (cfg_obj_asboolean(obj))
+				statlevel = dns_zonestat_full;
+			else
+				statlevel = dns_zonestat_terse; /* XXX */
+		} else {
+			const char *levelstr = cfg_obj_asstring(obj);
+			if (strcasecmp(levelstr, "full") == 0)
+				statlevel = dns_zonestat_full;
+			else if (strcasecmp(levelstr, "terse") == 0)
+				statlevel = dns_zonestat_terse;
+			else if (strcasecmp(levelstr, "none") == 0)
+				statlevel = dns_zonestat_none;
+			else
+				INSIST(0);
+		}

 		for (empty = empty_zones[empty_zone];
 		     empty != NULL;
@ -2799,7 +2960,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 			dns_forwarders_t *forwarders = NULL;
 			dns_view_t *pview = NULL;

-			isc_buffer_init(&buffer, empty, strlen(empty));
+			isc_buffer_constinit(&buffer, empty, strlen(empty));
 			isc_buffer_add(&buffer, strlen(empty));
 			/*
 			 * Look for zone on drop list.
@ -2815,7 +2976,6 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 			 */
 			(void)dns_view_findzone(view, name, &zone);
 			if (zone != NULL) {
-				CHECK(setquerystats(zone, mctx, zonestats_on));
 				dns_zone_detach(&zone);
 				continue;
 			}
@ -2850,13 +3010,14 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 					dns_zone_setview(zone, view);
 					CHECK(dns_view_addzone(view, zone));
 					CHECK(setquerystats(zone, mctx,
-							    zonestats_on));
+							    statlevel));
 					dns_zone_detach(&zone);
 					continue;
 				}
 			}

-			CHECK(dns_zone_create(&zone, mctx));
+			CHECK(dns_zonemgr_createzone(ns_g_server->zonemgr,
+						     &zone));
 			CHECK(dns_zone_setorigin(zone, name));
 			dns_zone_setview(zone, view);
 			CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr,
@ -2874,7 +3035,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 			dns_zone_setnotifytype(zone, dns_notifytype_no);
 			dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS,
 					   ISC_TRUE);
-			CHECK(setquerystats(zone, mctx, zonestats_on));
+			CHECK(setquerystats(zone, mctx, statlevel));
 			CHECK(dns_view_addzone(view, zone));
 			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
@ -2884,49 +3045,6 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 		}
 	}

-	/*
-	 * Make the list of response policy zone names for views that
-	 * are used for real lookups and so care about hints.
-	 */
-		obj = NULL;
-	if (view->rdclass == dns_rdataclass_in && need_hints &&
-	    ns_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) {
-		const cfg_obj_t *recursive_only_obj;
-		const cfg_obj_t *break_dnssec_obj, *ttl_obj;
-		isc_boolean_t recursive_only_def;
-		dns_ttl_t ttl_def;
-
-		recursive_only_obj = cfg_tuple_get(obj, "recursive-only");
-		if (!cfg_obj_isvoid(recursive_only_obj) &&
-		    !cfg_obj_asboolean(recursive_only_obj))
-			recursive_only_def = ISC_FALSE;
-		else
-			recursive_only_def = ISC_TRUE;
-
-		break_dnssec_obj = cfg_tuple_get(obj, "break-dnssec");
-		if (!cfg_obj_isvoid(break_dnssec_obj) &&
-		    cfg_obj_asboolean(break_dnssec_obj))
-			view->rpz_break_dnssec = ISC_TRUE;
-		else
-			view->rpz_break_dnssec = ISC_FALSE;
-
-		ttl_obj = cfg_tuple_get(obj, "max-policy-ttl");
-		if (cfg_obj_isuint32(ttl_obj))
-			ttl_def = cfg_obj_asuint32(ttl_obj);
-		else
-			ttl_def = DNS_RPZ_MAX_TTL_DEFAULT;
-
-		for (element = cfg_list_first(cfg_tuple_get(obj, "zone list"));
-		     element != NULL;
-		     element = cfg_list_next(element)) {
-			result = configure_rpz(view, element,
-					       recursive_only_def, ttl_def);
-			if (result != ISC_R_SUCCESS)
-				goto cleanup;
-			dns_rpz_set_need(ISC_TRUE);
-		}
-	}
-
 	result = ISC_R_SUCCESS;

 cleanup:
@ -3026,7 +3144,7 @@ configure_alternates(const cfg_obj_t *config, dns_view_t *view,
 			isc_buffer_t buffer;
 			in_port_t myport = port;

-			isc_buffer_init(&buffer, str, strlen(str));
+			isc_buffer_constinit(&buffer, str, strlen(str));
 			isc_buffer_add(&buffer, strlen(str));
 			dns_fixedname_init(&fixed);
 			name = dns_fixedname_name(&fixed);
@ -3280,6 +3398,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 	const char *zname;
 	dns_rdataclass_t zclass;
 	const char *ztypestr;
+	isc_boolean_t is_rpz;
+	dns_rpz_zone_t *rpz;

 	options = NULL;
 	(void)cfg_map_get(config, "options", &options);
@ -3290,7 +3410,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 	 * Get the zone origin as a dns_name_t.
 	 */
 	zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
-	isc_buffer_init(&buffer, zname, strlen(zname));
+	isc_buffer_constinit(&buffer, zname, strlen(zname));
 	isc_buffer_add(&buffer, strlen(zname));
 	dns_fixedname_init(&fixorigin);
 	CHECK(dns_name_fromtext(dns_fixedname_name(&fixorigin),
@ -3410,7 +3530,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 			dns_zone_attach(pview->redirect, &zone);
 			dns_zone_setview(zone, view);
 		} else {
-			CHECK(dns_zone_create(&zone, mctx));
+			CHECK(dns_zonemgr_createzone(ns_g_server->zonemgr,
+						     &zone));
 			CHECK(dns_zone_setorigin(zone, origin));
 			dns_zone_setview(zone, view);
 			CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr,
@ -3439,6 +3560,21 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 	}
 	INSIST(dupzone == NULL);

+	/*
+	 * Note whether this is a response policy zone.
+	 */
+	is_rpz = ISC_FALSE;
+	for (rpz = ISC_LIST_HEAD(view->rpz_zones);
+	     rpz != NULL;
+	     rpz = ISC_LIST_NEXT(rpz, link))
+	{
+		if (dns_name_equal(&rpz->origin, origin)) {
+			is_rpz = ISC_TRUE;
+			rpz->defined = ISC_TRUE;
+			break;
+		}
+	}
+
 	/*
 	 * See if we can reuse an existing zone.  This is
 	 * only possible if all of these are true:
@ -3447,6 +3583,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 	 *   - The zone is compatible with the config
 	 *     options (e.g., an existing master zone cannot
 	 *     be reused if the options specify a slave zone)
+	 *   - The zone was and is or was not and is not a policy zone
 	 */
 	result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
 				   view->rdclass, &pview);
@ -3460,6 +3597,9 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 	if (zone != NULL && !ns_zone_reusable(zone, zconfig))
 		dns_zone_detach(&zone);

+	if (zone != NULL && is_rpz != dns_zone_get_rpz(zone))
+		dns_zone_detach(&zone);
+
 	if (zone != NULL) {
 		/*
 		 * We found a reusable zone.  Make it use the
@ -3473,7 +3613,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 		 * We cannot reuse an existing zone, we have
 		 * to create a new one.
 		 */
-		CHECK(dns_zone_create(&zone, mctx));
+		CHECK(dns_zonemgr_createzone(ns_g_server->zonemgr, &zone));
 		CHECK(dns_zone_setorigin(zone, origin));
 		dns_zone_setview(zone, view);
 		if (view->acache != NULL)
@ -3482,6 +3622,19 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 		dns_zone_setstats(zone, ns_g_server->zonestats);
 	}

+	if (is_rpz) {
+		result = dns_zone_rpz_enable(zone);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "zone '%s': incompatible"
+				      " masterfile-format or database"
+				      " for a response policy zone",
+				      zname);
+			goto cleanup;
+		}
+	}
+
 	/*
 	 * If the zone contains a 'forwarders' statement, configure
 	 * selective forwarding.
@ -3591,7 +3744,7 @@ add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx) {
 	}

 	/* No existing keydata zone was found; create one */
-	CHECK(dns_zone_create(&zone, mctx));
+	CHECK(dns_zonemgr_createzone(ns_g_server->zonemgr, &zone));
 	CHECK(dns_zone_setorigin(zone, dns_rootname));

 	isc_sha256_data((void *)view->name, strlen(view->name), buffer);
@ -3625,7 +3778,7 @@ add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx) {
 	dns_zone_setjournalsize(zone, 0);

 	dns_zone_setstats(zone, ns_g_server->zonestats);
-	CHECK(setquerystats(zone, mctx, ISC_FALSE));
+	CHECK(setquerystats(zone, mctx, dns_zonestat_none));

 	if (view->managed_keys != NULL)
 		dns_zone_detach(&view->managed_keys);
@ -4180,7 +4333,7 @@ configure_session_key(const cfg_obj_t **maps, ns_server_t *server,
 	INSIST(result == ISC_R_SUCCESS);
 	keynamestr = cfg_obj_asstring(obj);
 	dns_fixedname_init(&fname);
-	isc_buffer_init(&buffer, keynamestr, strlen(keynamestr));
+	isc_buffer_constinit(&buffer, keynamestr, strlen(keynamestr));
 	isc_buffer_add(&buffer, strlen(keynamestr));
 	keyname = dns_fixedname_name(&fname);
 	result = dns_name_fromtext(keyname, &buffer, dns_rootname, 0, NULL);
@ -5327,12 +5480,16 @@ load_zones(ns_server_t *server) {
 	{
 		if (view->managed_keys != NULL) {
 			result = dns_zone_load(view->managed_keys);
-			if (result != ISC_R_SUCCESS && result != DNS_R_UPTODATE)
+			if (result != ISC_R_SUCCESS &&
+			    result != DNS_R_UPTODATE &&
+			    result != DNS_R_CONTINUE)
 				goto cleanup;
 		}
 		if (view->redirect != NULL) {
 			result = dns_zone_load(view->redirect);
-			if (result != ISC_R_SUCCESS && result != DNS_R_UPTODATE)
+			if (result != ISC_R_SUCCESS &&
+			    result != DNS_R_UPTODATE &&
+			    result != DNS_R_CONTINUE)
 				goto cleanup;
 		}

@ -5977,6 +6134,7 @@ zone_from_args(ns_server_t *server, char *args, const char *zonetxt,
 	dns_rdataclass_t rdclass;

 	REQUIRE(zonep != NULL && *zonep == NULL);
+	REQUIRE(zonename == NULL || *zonename == NULL);

 	input = args;

@ -5992,7 +6150,7 @@ zone_from_args(ns_server_t *server, char *args, const char *zonetxt,
 		zonetxt = next_token(&input, " \t");
 	if (zonetxt == NULL)
 		return (ISC_R_SUCCESS);
-	if (zonename)
+	if (zonename != NULL)
 		*zonename = zonetxt;

 	/* Look for the optional class name. */
@ -6002,7 +6160,7 @@ zone_from_args(ns_server_t *server, char *args, const char *zonetxt,
 		viewtxt = next_token(&input, " \t");
 	}

-	isc_buffer_init(&buf, zonetxt, strlen(zonetxt));
+	isc_buffer_constinit(&buf, zonetxt, strlen(zonetxt));
 	isc_buffer_add(&buf, strlen(zonetxt));
 	dns_fixedname_init(&name);
 	result = dns_name_fromtext(dns_fixedname_name(&name),
@ -6939,7 +7097,7 @@ ns_server_flushnode(ns_server_t *server, char *args, isc_boolean_t tree) {
 	if (target == NULL)
 		return (ISC_R_UNEXPECTEDEND);

-	isc_buffer_init(&b, target, strlen(target));
+	isc_buffer_constinit(&b, target, strlen(target));
 	isc_buffer_add(&b, strlen(target));
 	dns_fixedname_init(&fixed);
 	name = dns_fixedname_name(&fixed);
@ -7612,7 +7770,7 @@ ns_server_add_zone(ns_server_t *server, char *args) {
 	CHECK(cfg_map_get(config, "addzone", &parms));

 	zonename = cfg_obj_asstring(cfg_tuple_get(parms, "name"));
-	isc_buffer_init(&buf, zonename, strlen(zonename));
+	isc_buffer_constinit(&buf, zonename, strlen(zonename));
 	isc_buffer_add(&buf, strlen(zonename));
 	dns_name_init(&dnsname, NULL);
 	isc_buffer_allocate(server->mctx, &nbuf, 256);
@ -7676,7 +7834,8 @@ ns_server_add_zone(ns_server_t *server, char *args) {
 	CHECK(isc_stdio_open(view->new_zone_file, "a", &fp));

 	/* Mark view unfrozen so that zone can be added */
-	isc_task_beginexclusive(server->task);
+	result = isc_task_beginexclusive(server->task);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 	dns_view_thaw(view);
 	result = configure_zone(cfg->config, parms, vconfig,
 				server->mctx, view, cfg->actx, ISC_FALSE);
@ -7785,8 +7944,7 @@ ns_server_del_zone(ns_server_t *server, char *args) {

 	/* Parse parameters */
 	CHECK(zone_from_args(server, args, NULL, &zone, &zonename, ISC_TRUE));
-	if (result != ISC_R_SUCCESS)
-		return (result);
+
 	if (zone == NULL) {
 		result = ISC_R_UNEXPECTEDEND;
 		goto cleanup;
@ -7801,8 +7959,8 @@ ns_server_del_zone(ns_server_t *server, char *args) {
 		goto cleanup;
 	}

-	if (zonename != NULL)
-		znamelen = strlen(zonename);
+	INSIST(zonename != NULL);
+	znamelen = strlen(zonename);

 	/* Dig out configuration for this zone */
 	view = dns_zone_getview(zone);
@ -7967,7 +8125,7 @@ ns_server_signing(ns_server_t *server, char *args, isc_buffer_t *text) {
 	isc_boolean_t list = ISC_FALSE, clear = ISC_FALSE;
 	isc_boolean_t chain = ISC_FALSE;
 	char keystr[DNS_SECALG_FORMATSIZE + 7];
-	isc_uint8_t hash = 0, flags = 0, iter = 0, saltlen = 0;
+	unsigned short hash = 0, flags = 0, iter = 0, saltlen = 0;
 	unsigned char salt[255];
 	const char *ptr;
 	size_t n;
@ -8014,11 +8172,13 @@ ns_server_signing(ns_server_t *server, char *args, isc_buffer_t *text) {
 				     hashstr, flagstr, iterstr);
 			if (n == sizeof(nbuf))
 				return (ISC_R_NOSPACE);
-			n = sscanf(nbuf, "%hhd %hhd %hhd",
-				   &hash, &flags, &iter);
-			if (n != 3)
+			n = sscanf(nbuf, "%hu %hu %hu", &hash, &flags, &iter);
+			if (n != 3U)
 				return (ISC_R_BADNUMBER);

+			if (hash > 0xffU || flags > 0xffU)
+				return (ISC_R_RANGE);
+
 			ptr = next_token(&args, " \t");
 			if (ptr == NULL)
 				return (ISC_R_UNEXPECTEDEND);
@ -8042,8 +8202,10 @@ ns_server_signing(ns_server_t *server, char *args, isc_buffer_t *text) {
 		isc_buffer_putstr(text, "request queued");
 		isc_buffer_putuint8(text, 0);
 	} else if (chain) {
-		CHECK(dns_zone_setnsec3param(zone, hash, flags, iter,
-						saltlen, salt, ISC_TRUE));
+		CHECK(dns_zone_setnsec3param(zone, (isc_uint8_t)hash,
+					     (isc_uint8_t)flags, iter,
+					     (isc_uint8_t)saltlen, salt,
+					     ISC_TRUE));
 		isc_buffer_putstr(text, "request queued");
 		isc_buffer_putuint8(text, 0);
 	} else if (list) {
--- a/external/bsd/bind/dist/bin/named/statschannel.c
+++ b/external/bsd/bind/dist/bin/named/statschannel.c
@ -1,7 +1,7 @@
-/*	$NetBSD: statschannel.c,v 1.5 2012/12/04 23:38:38 spz Exp $	*/
+/*	$NetBSD: statschannel.c,v 1.6 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2008-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2008-2013  Internet Systems Consortium, Inc. ("ISC")
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@ -45,7 +45,11 @@
 #include <named/server.h>
 #include <named/statschannel.h>

-#include "bind9.xsl.h"
+#ifdef NEWSTATS
+	#include "bind9.ver3.xsl.h"
+#else /* OLDSTATS */
+	#include "bind9.xsl.h"
+#endif /* NEWSTATS */

 struct ns_statschannel {
 	/* Unlocked */
@ -189,7 +193,7 @@ init_desc(void) {
 	SET_NSSTATDESC(servfail, "queries resulted in SERVFAIL", "QrySERVFAIL");
 	SET_NSSTATDESC(formerr, "queries resulted in FORMERR", "QryFORMERR");
 	SET_NSSTATDESC(nxdomain, "queries resulted in NXDOMAIN", "QryNXDOMAIN");
-	SET_NSSTATDESC(recursion, "queries caused recursion","QryRecursion");
+	SET_NSSTATDESC(recursion, "queries caused recursion", "QryRecursion");
 	SET_NSSTATDESC(duplicate, "duplicate queries received", "QryDuplicate");
 	SET_NSSTATDESC(dropped, "queries dropped", "QryDropped");
 	SET_NSSTATDESC(failure, "other query failures", "QryFailure");
@ -204,6 +208,8 @@ init_desc(void) {
 	SET_NSSTATDESC(updatebadprereq,
 		       "updates rejected due to prerequisite failure",
 		       "UpdateBadPrereq");
+	SET_NSSTATDESC(rpz_rewrites, "response policy zone rewrites",
+		       "RPZRewrites");
 	INSIST(i == dns_nsstatscounter_max);

 	/* Initialize resolver statistics */
@ -304,7 +310,8 @@ init_desc(void) {
 	SET_ZONESTATDESC(axfrreqv6, "IPv6 AXFR requested", "AXFRReqv6");
 	SET_ZONESTATDESC(ixfrreqv4, "IPv4 IXFR requested", "IXFRReqv4");
 	SET_ZONESTATDESC(ixfrreqv6, "IPv6 IXFR requested", "IXFRReqv6");
-	SET_ZONESTATDESC(xfrsuccess, "transfer requests succeeded","XfrSuccess");
+	SET_ZONESTATDESC(xfrsuccess, "transfer requests succeeded",
+			 "XfrSuccess");
 	SET_ZONESTATDESC(xfrfail, "transfer requests failed", "XfrFail");
 	INSIST(i == dns_zonestatscounter_max);

@ -427,7 +434,7 @@ init_desc(void) {
 	do { \
 		set_desc(dns_dnssecstats_ ## counterid, \
 			 dns_dnssecstats_max, \
-			 desc, dnssecstats_desc,\
+			 desc, dnssecstats_desc, \
 			 xmldesc, dnssecstats_xmldesc); \
 		dnssecstats_index[i++] = dns_dnssecstats_ ## counterid; \
 	} while (/*CONSTCOND*/0)
@ -519,6 +526,51 @@ dump_counters(isc_stats_t *stats, statsformat_t type, void *arg,
 			break;
 		case statsformat_xml:
 #ifdef HAVE_LIBXML2
+#ifdef NEWSTATS
+		writer = arg;
+
+		if (category != NULL) {
+			/* <NameOfCategory> */
+			TRY0(xmlTextWriterStartElement(writer,
+						       ISC_XMLCHAR
+						       category));
+			/* <name> inside category */
+			TRY0(xmlTextWriterStartElement(writer,
+						       ISC_XMLCHAR
+						       "name"));
+			TRY0(xmlTextWriterWriteString(writer,
+						      ISC_XMLCHAR
+						      desc[index]));
+			TRY0(xmlTextWriterEndElement(writer));
+			/* </name> */
+
+			/* <counter> */
+			TRY0(xmlTextWriterStartElement(writer,
+						       ISC_XMLCHAR
+						       "counter"));
+			TRY0(xmlTextWriterWriteFormatString(writer,
+				"%" ISC_PRINT_QUADFORMAT "u", value));
+
+			TRY0(xmlTextWriterEndElement(writer));
+			/* </counter> */
+			TRY0(xmlTextWriterEndElement(writer));
+			/* </NameOfCategory> */
+
+		} else {
+			TRY0(xmlTextWriterStartElement(writer,
+						       ISC_XMLCHAR
+						       "counter"));
+			TRY0(xmlTextWriterWriteAttribute(writer,
+							 ISC_XMLCHAR
+							 "name",
+							 ISC_XMLCHAR
+							 desc[index]));
+			TRY0(xmlTextWriterWriteFormatString(writer,
+				"%" ISC_PRINT_QUADFORMAT "u", value));
+			TRY0(xmlTextWriterEndElement(writer));
+			/* counter */
+		}
+#else /* !NEWSTATS */
 			writer = arg;

 			if (category != NULL) {
@ -548,17 +600,73 @@ dump_counters(isc_stats_t *stats, statsformat_t type, void *arg,
 			TRY0(xmlTextWriterEndElement(writer)); /* counter */
 			if (category != NULL)
 				TRY0(xmlTextWriterEndElement(writer)); /* category */
-#endif
+#endif /* NEWSTATS */
+#endif /* LIBXML2 */
 			break;
 		}
 	}
 	return (ISC_R_SUCCESS);
 #ifdef HAVE_LIBXML2
 error:
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
+		      ISC_LOG_ERROR, "failed at dump_counters()");
 	return (ISC_R_FAILURE);
 #endif
 }

+#ifdef NEWSTATS
+static void
+rdtypestat_dump(dns_rdatastatstype_t type, isc_uint64_t val, void *arg) {
+	char typebuf[64];
+	const char *typestr;
+	stats_dumparg_t *dumparg = arg;
+	FILE *fp;
+#ifdef HAVE_LIBXML2
+	xmlTextWriterPtr writer;
+	int xmlrc;
+#endif
+
+	if ((DNS_RDATASTATSTYPE_ATTR(type) & DNS_RDATASTATSTYPE_ATTR_OTHERTYPE)
+	    == 0) {
+		dns_rdatatype_format(DNS_RDATASTATSTYPE_BASE(type), typebuf,
+				     sizeof(typebuf));
+		typestr = typebuf;
+	} else
+		typestr = "Others";
+
+	switch (dumparg->type) {
+	case statsformat_file:
+		fp = dumparg->arg;
+		fprintf(fp, "%20" ISC_PRINT_QUADFORMAT "u %s\n", val, typestr);
+		break;
+	case statsformat_xml:
+#ifdef HAVE_LIBXML2
+
+		writer = dumparg->arg;
+
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "name",
+						 ISC_XMLCHAR typestr));
+
+		TRY0(xmlTextWriterWriteFormatString(writer,
+					       "%" ISC_PRINT_QUADFORMAT "u",
+					       val));
+
+		TRY0(xmlTextWriterEndElement(writer)); /* type */
+#endif
+		break;
+	}
+	return;
+#ifdef HAVE_LIBXML2
+ error:
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
+		      ISC_LOG_ERROR, "failed at rdtypestat_dump()");
+	dumparg->result = ISC_R_FAILURE;
+	return;
+#endif
+}
+#else  /* NEWSTATS */
 static void
 rdtypestat_dump(dns_rdatastatstype_t type, isc_uint64_t val, void *arg) {
 	char typebuf[64];
@ -610,6 +718,7 @@ rdtypestat_dump(dns_rdatastatstype_t type, isc_uint64_t val, void *arg) {
 	return;
 #endif
 }
+#endif  /* NEWSTATS */

 static void
 rdatasetstats_dump(dns_rdatastatstype_t type, isc_uint64_t val, void *arg) {
@ -668,11 +777,58 @@ rdatasetstats_dump(dns_rdatastatstype_t type, isc_uint64_t val, void *arg) {
 	return;
 #ifdef HAVE_LIBXML2
 error:
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
+		      ISC_LOG_ERROR, "failed at rdatasetstats_dump()");
 	dumparg->result = ISC_R_FAILURE;
 #endif

 }

+#ifdef NEWSTATS
+static void
+opcodestat_dump(dns_opcode_t code, isc_uint64_t val, void *arg) {
+	FILE *fp;
+	isc_buffer_t b;
+	char codebuf[64];
+	stats_dumparg_t *dumparg = arg;
+#ifdef HAVE_LIBXML2
+	xmlTextWriterPtr writer;
+	int xmlrc;
+#endif
+
+	isc_buffer_init(&b, codebuf, sizeof(codebuf) - 1);
+	dns_opcode_totext(code, &b);
+	codebuf[isc_buffer_usedlength(&b)] = '\0';
+
+	switch (dumparg->type) {
+	case statsformat_file:
+		fp = dumparg->arg;
+		fprintf(fp, "%20" ISC_PRINT_QUADFORMAT "u %s\n", val, codebuf);
+		break;
+	case statsformat_xml:
+#ifdef HAVE_LIBXML2
+		writer = dumparg->arg;
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "name",
+						 ISC_XMLCHAR codebuf ));
+		TRY0(xmlTextWriterWriteFormatString(writer,
+						       "%" ISC_PRINT_QUADFORMAT "u",
+						       val));
+		TRY0(xmlTextWriterEndElement(writer)); /* counter */
+#endif
+		break;
+	}
+	return;
+
+#ifdef HAVE_LIBXML2
+ error:
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
+		      ISC_LOG_ERROR, "failed at opcodestat_dump()");
+	dumparg->result = ISC_R_FAILURE;
+	return;
+#endif
+}
+#else  /* NEWSTATS */
 static void
 opcodestat_dump(dns_opcode_t code, isc_uint64_t val, void *arg) {
 	FILE *fp;
@ -721,12 +877,96 @@ opcodestat_dump(dns_opcode_t code, isc_uint64_t val, void *arg) {
 	return;
 #endif
 }
+#endif  /* NEWSTATS */

 #ifdef HAVE_LIBXML2

-/* XXXMLG below here sucks. */
+/* XXXMLG below here sucks. (not so much) */

+#ifdef NEWSTATS
+static isc_result_t
+zone_xmlrender(dns_zone_t *zone, void *arg) {
+	isc_result_t result;
+	char buf[1024 + 32];	/* sufficiently large for zone name and class */
+	char *zone_name_only = NULL;
+	dns_rdataclass_t rdclass;
+	isc_uint32_t serial;
+	xmlTextWriterPtr writer = arg;
+	isc_stats_t *zonestats;
+	dns_stats_t *rcvquerystats;
+	dns_zonestat_level_t statlevel;
+	isc_uint64_t nsstat_values[dns_nsstatscounter_max];
+	int xmlrc;
+	stats_dumparg_t dumparg;

+	statlevel = dns_zone_getstatlevel(zone);
+	if (statlevel == dns_zonestat_none)
+		return (ISC_R_SUCCESS);
+
+	dumparg.type = statsformat_xml;
+	dumparg.arg = writer;
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "zone"));
+	dns_zone_name(zone, buf, sizeof(buf));
+	zone_name_only = strtok(buf, "/");
+	if(zone_name_only == NULL)
+		zone_name_only = buf;
+
+	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "name",
+					 ISC_XMLCHAR zone_name_only));
+	rdclass = dns_zone_getclass(zone);
+	dns_rdataclass_format(rdclass, buf, sizeof(buf));
+	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "rdataclass",
+					 ISC_XMLCHAR buf));
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "serial"));
+	if (dns_zone_getserial2(zone, &serial) == ISC_R_SUCCESS)
+		TRY0(xmlTextWriterWriteFormatString(writer, "%u", serial));
+	else
+		TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR "-"));
+	TRY0(xmlTextWriterEndElement(writer)); /* serial */
+
+	zonestats = dns_zone_getrequeststats(zone);
+	rcvquerystats = dns_zone_getrcvquerystats(zone);
+	if (statlevel == dns_zonestat_full && zonestats != NULL) {
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "rcode"));
+
+		result = dump_counters(zonestats, statsformat_xml, writer,
+				       NULL, nsstats_xmldesc,
+				       dns_nsstatscounter_max, nsstats_index,
+				       nsstat_values, ISC_STATSDUMP_VERBOSE);
+		if (result != ISC_R_SUCCESS)
+			goto error;
+		/* counters type="rcode"*/
+		TRY0(xmlTextWriterEndElement(writer));
+	}
+
+	if (statlevel == dns_zonestat_full && rcvquerystats != NULL) {
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "qtype"));
+
+		dumparg.result = ISC_R_SUCCESS;
+		dns_rdatatypestats_dump(rcvquerystats, rdtypestat_dump,
+					&dumparg, 0);
+		if(dumparg.result != ISC_R_SUCCESS)
+			goto error;
+
+		/* counters type="qtype"*/
+		TRY0(xmlTextWriterEndElement(writer));
+	}
+
+	TRY0(xmlTextWriterEndElement(writer)); /* zone */
+
+	return (ISC_R_SUCCESS);
+ error:
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
+		      ISC_LOG_ERROR, "Failed at zone_xmlrender()");
+	return (ISC_R_FAILURE);
+}
+#else  /* NEWSTATS */
 static isc_result_t
 zone_xmlrender(dns_zone_t *zone, void *arg) {
 	char buf[1024 + 32];	/* sufficiently large for zone name and class */
@ -776,7 +1016,237 @@ zone_xmlrender(dns_zone_t *zone, void *arg) {
 error:
 	return (ISC_R_FAILURE);
 }
+#endif  /* NEWSTATS */

+#ifdef NEWSTATS
+static isc_result_t
+generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
+	char boottime[sizeof "yyyy-mm-ddThh:mm:ssZ"];
+	char nowstr[sizeof "yyyy-mm-ddThh:mm:ssZ"];
+	isc_time_t now;
+	xmlTextWriterPtr writer = NULL;
+	xmlDocPtr doc = NULL;
+	int xmlrc;
+	dns_view_t *view;
+	stats_dumparg_t dumparg;
+	dns_stats_t *cacherrstats;
+	isc_uint64_t nsstat_values[dns_nsstatscounter_max];
+	isc_uint64_t resstat_values[dns_resstatscounter_max];
+	isc_uint64_t zonestat_values[dns_zonestatscounter_max];
+	isc_uint64_t sockstat_values[isc_sockstatscounter_max];
+	isc_result_t result;
+
+	isc_time_now(&now);
+	isc_time_formatISO8601(&ns_g_boottime, boottime, sizeof boottime);
+	isc_time_formatISO8601(&now, nowstr, sizeof nowstr);
+
+	writer = xmlNewTextWriterDoc(&doc, 0);
+	if (writer == NULL)
+		goto error;
+	TRY0(xmlTextWriterStartDocument(writer, NULL, "UTF-8", NULL));
+	TRY0(xmlTextWriterWritePI(writer, ISC_XMLCHAR "xml-stylesheet",
+			ISC_XMLCHAR "type=\"text/xsl\" href=\"/bind9.ver3.xsl\""));
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "statistics"));
+	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
+					 ISC_XMLCHAR "3.0"));
+
+	/* Set common fields for statistics dump */
+	dumparg.type = statsformat_xml;
+	dumparg.arg = writer;
+
+	/*
+	 * Start by rendering the views we know of here.  For each view we
+	 * know of, call its rendering function.
+	 */
+	view = ISC_LIST_HEAD(server->viewlist);
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "views"));
+	while (view != NULL) {
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "view"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "name",
+						 ISC_XMLCHAR view->name));
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "zones"));
+		result = dns_zt_apply(view->zonetable, ISC_TRUE, zone_xmlrender,
+				      writer);
+		if (result != ISC_R_SUCCESS)
+			goto error;
+		TRY0(xmlTextWriterEndElement(writer)); /* zones */
+
+		TRY0(xmlTextWriterStartElement(writer,
+					       ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "resqtype"));
+
+		if (view->resquerystats != NULL) {
+			dumparg.result = ISC_R_SUCCESS;
+			dns_rdatatypestats_dump(view->resquerystats,
+						rdtypestat_dump, &dumparg, 0);
+			if (dumparg.result != ISC_R_SUCCESS)
+				goto error;
+		}
+		TRY0(xmlTextWriterEndElement(writer));
+
+		/* <resstats> */
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "resstats"));
+		if (view->resstats != NULL) {
+			result = dump_counters(view->resstats,
+					       statsformat_xml, writer,
+					       NULL, resstats_xmldesc,
+					       dns_resstatscounter_max,
+					       resstats_index, resstat_values,
+					       ISC_STATSDUMP_VERBOSE);
+			if (result != ISC_R_SUCCESS)
+				goto error;
+		}
+		TRY0(xmlTextWriterEndElement(writer)); /* </resstats> */
+
+		cacherrstats = dns_db_getrrsetstats(view->cachedb);
+		if (cacherrstats != NULL) {
+			TRY0(xmlTextWriterStartElement(writer,
+						       ISC_XMLCHAR "cache"));
+			TRY0(xmlTextWriterWriteAttribute(writer,
+					 ISC_XMLCHAR "name",
+					 ISC_XMLCHAR
+					 dns_cache_getname(view->cache)));
+			dumparg.result = ISC_R_SUCCESS;
+			dns_rdatasetstats_dump(cacherrstats, rdatasetstats_dump,
+					       &dumparg, 0);
+			if (dumparg.result != ISC_R_SUCCESS)
+				goto error;
+			TRY0(xmlTextWriterEndElement(writer)); /* cache */
+		}
+
+		TRY0(xmlTextWriterEndElement(writer)); /* view */
+
+		view = ISC_LIST_NEXT(view, link);
+	}
+	TRY0(xmlTextWriterEndElement(writer)); /* views */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "socketmgr"));
+	isc_socketmgr_renderxml(ns_g_socketmgr, writer);
+	TRY0(xmlTextWriterEndElement(writer)); /* socketmgr */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "taskmgr"));
+	isc_taskmgr_renderxml(ns_g_taskmgr, writer);
+	TRY0(xmlTextWriterEndElement(writer)); /* taskmgr */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "server"));
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "boot-time"));
+	TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR boottime));
+	TRY0(xmlTextWriterEndElement(writer)); /* boot-time */
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "current-time"));
+	TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR nowstr));
+	TRY0(xmlTextWriterEndElement(writer));  /* current-time */
+
+	dumparg.result = ISC_R_SUCCESS;
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+					 ISC_XMLCHAR "opcode"));
+
+	dns_opcodestats_dump(server->opcodestats, opcodestat_dump, &dumparg,
+			     0);
+	if (dumparg.result != ISC_R_SUCCESS)
+		goto error;
+
+	TRY0(xmlTextWriterEndElement(writer)); /* counters type=opcode */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+					 ISC_XMLCHAR "qtype"));
+
+	dumparg.result = ISC_R_SUCCESS;
+	dns_rdatatypestats_dump(server->rcvquerystats, rdtypestat_dump,
+				&dumparg, 0);
+	if (dumparg.result != ISC_R_SUCCESS)
+		goto error;
+	TRY0(xmlTextWriterEndElement(writer)); /* counters */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+					 ISC_XMLCHAR "nsstat"));
+
+	result = dump_counters(server->nsstats, statsformat_xml,
+			       writer, NULL, nsstats_xmldesc,
+			       dns_nsstatscounter_max,
+			       nsstats_index, nsstat_values,
+			       ISC_STATSDUMP_VERBOSE);
+	if (result != ISC_R_SUCCESS)
+		goto error;
+
+	TRY0(xmlTextWriterEndElement(writer)); /* counters type=nsstat */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+					 ISC_XMLCHAR "zonestat"));
+
+	result = dump_counters(server->zonestats, statsformat_xml, writer,
+			       NULL, zonestats_xmldesc,
+			       dns_zonestatscounter_max, zonestats_index,
+			       zonestat_values, ISC_STATSDUMP_VERBOSE);
+	if (result != ISC_R_SUCCESS)
+		goto error;
+
+	TRY0(xmlTextWriterEndElement(writer)); /* counters type=zonestat */
+
+	/*
+	 * Most of the common resolver statistics entries are 0, so we don't
+	 * use the verbose dump here.
+	 */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+					 ISC_XMLCHAR "resstat"));
+	result = dump_counters(server->resolverstats, statsformat_xml,
+			       writer, NULL, resstats_xmldesc,
+			       dns_resstatscounter_max, resstats_index,
+			       resstat_values, 0);
+	if (result != ISC_R_SUCCESS)
+		goto error;
+
+	TRY0(xmlTextWriterEndElement(writer)); /* counters type=resstat */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+					 ISC_XMLCHAR "sockstat"));
+
+	result = dump_counters(server->sockstats, statsformat_xml,
+			       writer, NULL, sockstats_xmldesc,
+			       isc_sockstatscounter_max, sockstats_index,
+			       sockstat_values, ISC_STATSDUMP_VERBOSE);
+	if (result != ISC_R_SUCCESS)
+		goto error;
+
+	TRY0(xmlTextWriterEndElement(writer)); /* counters type=sockstat */
+
+	TRY0(xmlTextWriterEndElement(writer)); /* server */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "memory"));
+	isc_mem_renderxml(writer);
+	TRY0(xmlTextWriterEndElement(writer)); /* memory */
+
+	TRY0(xmlTextWriterEndElement(writer)); /* statistics */
+
+	TRY0(xmlTextWriterEndDocument(writer));
+
+	xmlFreeTextWriter(writer);
+
+	xmlDocDumpFormatMemoryEnc(doc, buf, buflen, "UTF-8", 0);
+	xmlFreeDoc(doc);
+	return (ISC_R_SUCCESS);
+
+ error:
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
+		      ISC_LOG_ERROR, "failed generating XML response");
+	if (writer != NULL)
+		xmlFreeTextWriter(writer);
+	if (doc != NULL)
+		xmlFreeDoc(doc);
+	return (ISC_R_FAILURE);
+}
+#else /* OLDSTATS */
 static isc_result_t
 generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
 	char boottime[sizeof "yyyy-mm-ddThh:mm:ssZ"];
@ -879,11 +1349,11 @@ generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
 	TRY0(xmlTextWriterEndElement(writer)); /* views */

 	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "socketmgr"));
-	isc_socketmgr_renderxml(ns_g_socketmgr, writer);
+	TRY0(isc_socketmgr_renderxml(ns_g_socketmgr, writer));
 	TRY0(xmlTextWriterEndElement(writer)); /* socketmgr */

 	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "taskmgr"));
-	isc_taskmgr_renderxml(ns_g_taskmgr, writer);
+	TRY0(isc_taskmgr_renderxml(ns_g_taskmgr, writer));
 	TRY0(xmlTextWriterEndElement(writer)); /* taskmgr */

 	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "server"));
@ -946,7 +1416,7 @@ generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
 	TRY0(xmlTextWriterEndElement(writer)); /* server */

 	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "memory"));
-	isc_mem_renderxml(writer);
+	TRY0(isc_mem_renderxml(writer));
 	TRY0(xmlTextWriterEndElement(writer)); /* memory */

 	TRY0(xmlTextWriterEndElement(writer)); /* statistics */
@ -968,6 +1438,7 @@ generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
 		xmlFreeDoc(doc);
 	return (ISC_R_FAILURE);
 }
+#endif /* NEWSTATS */

 static void
 wrap_xmlfree(isc_buffer_t *buffer, void *arg) {
@ -1000,7 +1471,10 @@ render_index(const char *url, const char *querystring, void *arg,
 		isc_buffer_add(b, msglen);
 		*freecb = wrap_xmlfree;
 		*freecb_args = NULL;
-	}
+	} else
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "failed at rendering XML()");

 	return (result);
 }
@ -1032,7 +1506,7 @@ static void
 shutdown_listener(ns_statschannel_t *listener) {
 	char socktext[ISC_SOCKADDR_FORMATSIZE];
 	isc_sockaddr_format(&listener->address, socktext, sizeof(socktext));
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,NS_LOGMODULE_SERVER,
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
 		      ISC_LOG_NOTICE, "stopping statistics channel on %s",
 		      socktext);

@ -1150,10 +1624,22 @@ add_listener(ns_server_t *server, ns_statschannel_t **listenerp,

 #ifdef HAVE_LIBXML2
 	isc_httpdmgr_addurl(listener->httpdmgr, "/", render_index, server);
+	isc_httpdmgr_addurl(listener->httpdmgr, "/xml", render_index, server);
+#ifdef NEWSTATS
+	isc_httpdmgr_addurl(listener->httpdmgr, "/xml/v3", render_index,
+			    server);
+#else /* OLDSTATS */
+	isc_httpdmgr_addurl(listener->httpdmgr, "/xml/v2", render_index,
+			    server);
+#endif /* NEWSTATS */
 #endif
+#ifdef NEWSTATS
+	isc_httpdmgr_addurl(listener->httpdmgr, "/bind9.ver3.xsl", render_xsl,
+			    server);
+#else /* OLDSTATS */
 	isc_httpdmgr_addurl(listener->httpdmgr, "/bind9.xsl", render_xsl,
 			    server);
-
+#endif /* NEWSTATS */
 	*listenerp = listener;
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 		      NS_LOGMODULE_SERVER, ISC_LOG_NOTICE,
@ -1285,7 +1771,8 @@ ns_statschannels_configure(ns_server_t *server, const cfg_obj_t *config,
 				obj = cfg_tuple_get(listen_params, "address");
 				addr = *cfg_obj_assockaddr(obj);
 				if (isc_sockaddr_getport(&addr) == 0)
-					isc_sockaddr_setport(&addr, NS_STATSCHANNEL_HTTPPORT);
+					isc_sockaddr_setport(&addr,
+						     NS_STATSCHANNEL_HTTPPORT);

 				isc_sockaddr_format(&addr, socktext,
 						    sizeof(socktext));
--- a/external/bsd/bind/dist/bin/named/tkeyconf.c
+++ b/external/bsd/bind/dist/bin/named/tkeyconf.c
@ -1,7 +1,7 @@
-/*	$NetBSD: tkeyconf.c,v 1.3 2012/06/05 00:39:05 christos Exp $	*/
+/*	$NetBSD: tkeyconf.c,v 1.4 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004-2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2001  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -75,7 +75,7 @@ ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
 	if (result == ISC_R_SUCCESS) {
 		s = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
 		n = cfg_obj_asuint32(cfg_tuple_get(obj, "keyid"));
-		isc_buffer_init(&b, s, strlen(s));
+		isc_buffer_constinit(&b, s, strlen(s));
 		isc_buffer_add(&b, strlen(s));
 		dns_fixedname_init(&fname);
 		name = dns_fixedname_name(&fname);
@ -89,7 +89,7 @@ ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
 	result = cfg_map_get(options, "tkey-domain", &obj);
 	if (result == ISC_R_SUCCESS) {
 		s = cfg_obj_asstring(obj);
-		isc_buffer_init(&b, s, strlen(s));
+		isc_buffer_constinit(&b, s, strlen(s));
 		isc_buffer_add(&b, strlen(s));
 		dns_fixedname_init(&fname);
 		name = dns_fixedname_name(&fname);
@ -108,7 +108,7 @@ ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
 	if (result == ISC_R_SUCCESS) {
 		s = cfg_obj_asstring(obj);

-		isc_buffer_init(&b, s, strlen(s));
+		isc_buffer_constinit(&b, s, strlen(s));
 		isc_buffer_add(&b, strlen(s));
 		dns_fixedname_init(&fname);
 		name = dns_fixedname_name(&fname);
--- a/external/bsd/bind/dist/bin/named/tsigconf.c
+++ b/external/bsd/bind/dist/bin/named/tsigconf.c
@ -1,7 +1,7 @@
-/*	$NetBSD: tsigconf.c,v 1.3 2012/06/05 00:39:06 christos Exp $	*/
+/*	$NetBSD: tsigconf.c,v 1.4 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004-2007, 2009, 2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2001  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -80,7 +80,7 @@ add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring,
 		 * Create the key name.
 		 */
 		dns_name_init(&keyname, NULL);
-		isc_buffer_init(&keynamesrc, keyid, strlen(keyid));
+		isc_buffer_constinit(&keynamesrc, keyid, strlen(keyid));
 		isc_buffer_add(&keynamesrc, strlen(keyid));
 		isc_buffer_init(&keynamebuf, keynamedata, sizeof(keynamedata));
 		ret = dns_name_fromtext(&keyname, &keynamesrc, dns_rootname,
--- a/external/bsd/bind/dist/bin/named/unix/dlz_dlopen_driver.c
+++ b/external/bsd/bind/dist/bin/named/unix/dlz_dlopen_driver.c
@ -1,7 +1,7 @@
-/*	$NetBSD: dlz_dlopen_driver.c,v 1.2 2012/12/04 23:38:38 spz Exp $	*/
+/*	$NetBSD: dlz_dlopen_driver.c,v 1.3 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@ -230,7 +230,9 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[],
 		return (ISC_R_FAILURE);
 	}

-	isc_mem_create(0, 0, &mctx);
+	result = isc_mem_create(0, 0, &mctx);
+	if (result != ISC_R_SUCCESS)
+		return (result);

 	cd = isc_mem_get(mctx, sizeof(*cd));
 	if (cd == NULL) {
@ -252,7 +254,9 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[],
 	}

 	/* Initialize the lock */
-	isc_mutex_init(&cd->lock);
+	result = isc_mutex_init(&cd->lock);
+	if (result != ISC_R_SUCCESS)
+		goto failed;

 	/* Open the library */
 	dlopen_flags = RTLD_NOW|RTLD_GLOBAL;
@ -356,11 +360,11 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[],

 failed:
 	dlopen_log(ISC_LOG_ERROR, "dlz_dlopen of '%s' failed", dlzname);
-	if (cd->dl_path)
+	if (cd->dl_path != NULL)
 		isc_mem_free(mctx, cd->dl_path);
-	if (cd->dlzname)
+	if (cd->dlzname != NULL)
 		isc_mem_free(mctx, cd->dlzname);
-	if (dlopen_flags)
+	if (dlopen_flags != 0)
 		(void) isc_mutex_destroy(&cd->lock);
 #ifdef HAVE_DLCLOSE
 	if (cd->dl_handle)
--- a/external/bsd/bind/dist/bin/named/update.c
+++ b/external/bsd/bind/dist/bin/named/update.c
@ -1,7 +1,7 @@
-/*	$NetBSD: update.c,v 1.5 2012/06/05 00:39:06 christos Exp $	*/
+/*	$NetBSD: update.c,v 1.6 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -2371,7 +2371,8 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
 		ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
 		ISC_LIST_APPEND(diff->tuples, tuple, link);

-		dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
+		result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		if ((dnskey.flags &
 		     (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
 			 != DNS_KEYOWNER_ZONE)
--- a/external/bsd/bind/dist/bin/named/xfrout.c
+++ b/external/bsd/bind/dist/bin/named/xfrout.c
@ -1,7 +1,7 @@
-/*	$NetBSD: xfrout.c,v 1.4 2012/06/05 00:39:06 christos Exp $	*/
+/*	$NetBSD: xfrout.c,v 1.5 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -249,7 +249,8 @@ ixfr_rrstream_create(isc_mem_t *mctx,
 	s = isc_mem_get(mctx, sizeof(*s));
 	if (s == NULL)
 		return (ISC_R_NOMEMORY);
-	s->common.mctx = mctx;
+	s->common.mctx = NULL;
+	isc_mem_attach(mctx, &s->common.mctx);
 	s->common.methods = &ixfr_rrstream_methods;
 	s->journal = NULL;

@ -291,7 +292,7 @@ ixfr_rrstream_destroy(rrstream_t **rsp) {
 	ixfr_rrstream_t *s = (ixfr_rrstream_t *) *rsp;
 	if (s->journal != 0)
 		dns_journal_destroy(&s->journal);
-	isc_mem_put(s->common.mctx, s, sizeof(*s));
+	isc_mem_putanddetach(&s->common.mctx, s, sizeof(*s));
 }

 static rrstream_methods_t ixfr_rrstream_methods = {
@ -337,7 +338,8 @@ axfr_rrstream_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *ver,
 	s = isc_mem_get(mctx, sizeof(*s));
 	if (s == NULL)
 		return (ISC_R_NOMEMORY);
-	s->common.mctx = mctx;
+	s->common.mctx = NULL;
+	isc_mem_attach(mctx, &s->common.mctx);
 	s->common.methods = &axfr_rrstream_methods;
 	s->it_valid = ISC_FALSE;

@ -415,7 +417,7 @@ axfr_rrstream_destroy(rrstream_t **rsp) {
 	axfr_rrstream_t *s = (axfr_rrstream_t *) *rsp;
 	if (s->it_valid)
 		dns_rriterator_destroy(&s->it);
-	isc_mem_put(s->common.mctx, s, sizeof(*s));
+	isc_mem_putanddetach(&s->common.mctx, s, sizeof(*s));
 }

 static rrstream_methods_t axfr_rrstream_methods = {
@ -457,7 +459,8 @@ soa_rrstream_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *ver,
 	s = isc_mem_get(mctx, sizeof(*s));
 	if (s == NULL)
 		return (ISC_R_NOMEMORY);
-	s->common.mctx = mctx;
+	s->common.mctx = NULL;
+	isc_mem_attach(mctx, &s->common.mctx);
 	s->common.methods = &soa_rrstream_methods;
 	s->soa_tuple = NULL;

@ -499,7 +502,7 @@ soa_rrstream_destroy(rrstream_t **rsp) {
 	soa_rrstream_t *s = (soa_rrstream_t *) *rsp;
 	if (s->soa_tuple != NULL)
 		dns_difftuple_free(&s->soa_tuple);
-	isc_mem_put(s->common.mctx, s, sizeof(*s));
+	isc_mem_putanddetach(&s->common.mctx, s, sizeof(*s));
 }

 static rrstream_methods_t soa_rrstream_methods = {
@ -563,7 +566,8 @@ compound_rrstream_create(isc_mem_t *mctx, rrstream_t **soa_stream,
 	s = isc_mem_get(mctx, sizeof(*s));
 	if (s == NULL)
 		return (ISC_R_NOMEMORY);
-	s->common.mctx = mctx;
+	s->common.mctx = NULL;
+	isc_mem_attach(mctx, &s->common.mctx);
 	s->common.methods = &compound_rrstream_methods;
 	s->components[0] = *soa_stream;
 	s->components[1] = *data_stream;
@ -636,7 +640,7 @@ compound_rrstream_destroy(rrstream_t **rsp) {
 	s->components[0]->methods->destroy(&s->components[0]);
 	s->components[1]->methods->destroy(&s->components[1]);
 	s->components[2] = NULL; /* Copy of components[0]. */
-	isc_mem_put(s->common.mctx, s, sizeof(*s));
+	isc_mem_putanddetach(&s->common.mctx, s, sizeof(*s));
 }

 static rrstream_methods_t compound_rrstream_methods = {
@ -835,14 +839,6 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 				FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
 				      question_name, question_class);
 			is_dlz = ISC_TRUE;
-			/*
-			 * DLZ only support full zone transfer, not incremental
-			 */
-			if (reqtype != dns_rdatatype_axfr) {
-				mnemonic = "AXFR-style IXFR";
-				reqtype = dns_rdatatype_axfr;
-			}
-
 		} else {
 			/*
 			 * not DLZ and not in normal zone table, we are
@ -854,12 +850,14 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 	} else {
 		/* zone table has a match */
 		switch(dns_zone_gettype(zone)) {
+			/* Master and slave zones are OK for transfer. */
 			case dns_zone_master:
 			case dns_zone_slave:
 			case dns_zone_dlz:
-				break;	/* Master and slave zones are OK for transfer. */
+				break;
 			default:
-				FAILQ(DNS_R_NOTAUTH, "non-authoritative zone", question_name, question_class);
+				FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
+				      question_name, question_class);
 			}
 		CHECK(dns_zone_getdb(zone, &db));
 		dns_db_currentversion(db, &ver);
@ -994,7 +992,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 			is_poll = ISC_TRUE;
 			goto have_stream;
 		}
-		journalfile = dns_zone_getjournal(zone);
+		journalfile = is_dlz ? NULL : dns_zone_getjournal(zone);
 		if (journalfile != NULL)
 			result = ixfr_rrstream_create(mctx,
 						      journalfile,
--- a/external/bsd/bind/dist/bin/named/zoneconf.c
+++ b/external/bsd/bind/dist/bin/named/zoneconf.c
@ -1,7 +1,7 @@
-/*	$NetBSD: zoneconf.c,v 1.4 2012/06/05 00:39:07 christos Exp $	*/
+/*	$NetBSD: zoneconf.c,v 1.5 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -58,6 +58,7 @@
 typedef enum {
 	allow_notify,
 	allow_query,
+	allow_query_on,
 	allow_transfer,
 	allow_update,
 	allow_update_forwarding
@ -106,6 +107,11 @@ configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
 			aclp = &view->queryacl;
 		aclname = "allow-query";
 		break;
+	    case allow_query_on:
+		if (view != NULL)
+			aclp = &view->queryonacl;
+		aclname = "allow-query-on";
+		break;
 	    case allow_transfer:
 		if (view != NULL)
 			aclp = &view->transferacl;
@ -271,7 +277,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,

 		dns_fixedname_init(&fident);
 		str = cfg_obj_asstring(identity);
-		isc_buffer_init(&b, str, strlen(str));
+		isc_buffer_constinit(&b, str, strlen(str));
 		isc_buffer_add(&b, strlen(str));
 		result = dns_name_fromtext(dns_fixedname_name(&fident), &b,
 					   dns_rootname, 0, NULL);
@ -294,7 +300,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
 			}
 		} else {
 			str = cfg_obj_asstring(dname);
-			isc_buffer_init(&b, str, strlen(str));
+			isc_buffer_constinit(&b, str, strlen(str));
 			isc_buffer_add(&b, strlen(str));
 			result = dns_name_fromtext(dns_fixedname_name(&fname),
 						   &b, dns_rootname, 0, NULL);
@ -527,7 +533,7 @@ configure_staticstub_servernames(const cfg_obj_t *zconfig, dns_zone_t *zone,
 		dns_fixedname_init(&fixed_name);
 		nsname = dns_fixedname_name(&fixed_name);

-		isc_buffer_init(&b, str, strlen(str));
+		isc_buffer_constinit(&b, str, strlen(str));
 		isc_buffer_add(&b, strlen(str));
 		result = dns_name_fromtext(nsname, &b, dns_rootname, 0, NULL);
 		if (result != ISC_R_SUCCESS) {
@ -820,7 +826,10 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	isc_boolean_t ixfrdiff;
 	dns_masterformat_t masterformat;
 	isc_stats_t *zoneqrystats;
-	isc_boolean_t zonestats_on;
+#ifdef NEWSTATS
+	dns_stats_t *rcvquerystats;
+#endif
+	dns_zonestat_level_t statlevel;
 	int seconds;
 	dns_zone_t *mayberaw = (raw != NULL) ? raw : zone;

@ -928,7 +937,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			INSIST(0);
 	}

-	if (raw != NULL) {
+	if (raw != NULL && filename != NULL) {
 #define SIGNED ".signed"
 		size_t signedlen = strlen(filename) + sizeof(SIGNED);
 		char *signedname;
@ -969,6 +978,11 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 				  dns_zone_setqueryacl,
 				  dns_zone_clearqueryacl));

+	RETERR(configure_zone_acl(zconfig, vconfig, config,
+				  allow_query_on, ac, zone,
+				  dns_zone_setqueryonacl,
+				  dns_zone_clearqueryonacl));
+
 	obj = NULL;
 	result = ns_config_get(maps, "dialup", &obj);
 	INSIST(result == ISC_R_SUCCESS && obj != NULL);
@ -997,16 +1011,49 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	obj = NULL;
 	result = ns_config_get(maps, "zone-statistics", &obj);
 	INSIST(result == ISC_R_SUCCESS && obj != NULL);
-	zonestats_on = cfg_obj_asboolean(obj);
-	zoneqrystats = NULL;
-	if (zonestats_on) {
+	if (cfg_obj_isboolean(obj)) {
+		if (cfg_obj_asboolean(obj))
+			statlevel = dns_zonestat_full;
+		else
+			statlevel = dns_zonestat_terse; /* XXX */
+	} else {
+		const char *levelstr = cfg_obj_asstring(obj);
+		if (strcasecmp(levelstr, "full") == 0)
+			statlevel = dns_zonestat_full;
+		else if (strcasecmp(levelstr, "terse") == 0)
+			statlevel = dns_zonestat_terse;
+		else if (strcasecmp(levelstr, "none") == 0)
+			statlevel = dns_zonestat_none;
+		else
+			INSIST(0);
+	}
+	dns_zone_setstatlevel(zone, statlevel);
+
+	zoneqrystats  = NULL;
+#ifdef NEWSTATS
+	rcvquerystats = NULL;
+#endif
+	if (statlevel == dns_zonestat_full) {
 		RETERR(isc_stats_create(mctx, &zoneqrystats,
 					dns_nsstatscounter_max));
+#ifdef NEWSTATS
+		RETERR(dns_rdatatypestats_create(mctx,
+					&rcvquerystats));
+#endif
 	}
-	dns_zone_setrequeststats(zone, zoneqrystats);
+	dns_zone_setrequeststats(zone,  zoneqrystats );
+#ifdef NEWSTATS
+	dns_zone_setrcvquerystats(zone, rcvquerystats);
+#endif
+
 	if (zoneqrystats != NULL)
 		isc_stats_detach(&zoneqrystats);

+#ifdef NEWSTATS
+	if(rcvquerystats != NULL)
+		dns_stats_detach(&rcvquerystats);
+#endif
+
 	/*
 	 * Configure master functionality.  This applies
 	 * to primary masters (type "master") and slaves
@ -1184,6 +1231,17 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSIBLING,
 				   cfg_obj_asboolean(obj));

+		obj = NULL;
+		result = ns_config_get(maps, "check-spf", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			check = ISC_TRUE;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			check = ISC_FALSE;
+		} else
+			INSIST(0);
+		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSPF, check);
+
 		obj = NULL;
 		result = ns_config_get(maps, "zero-no-soa-ttl", &obj);
 		INSIST(result == ISC_R_SUCCESS && obj != NULL);
--- a/external/bsd/bind/dist/bin/nsupdate/nsupdate.c
+++ b/external/bsd/bind/dist/bin/nsupdate/nsupdate.c
@ -1,7 +1,7 @@
-/*	$NetBSD: nsupdate.c,v 1.6 2013/03/24 18:44:39 christos Exp $	*/
+/*	$NetBSD: nsupdate.c,v 1.7 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000-2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -936,7 +936,7 @@ get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
 	INSIST(count == 1);
 }

-#define PARSE_ARGS_FMT "dDML:y:ghlovk:p:rR::t:u:"
+#define PARSE_ARGS_FMT "dDML:y:ghlovk:p:r:R::t:u:"

 static void
 pre_parse_args(int argc, char **argv) {
--- a/external/bsd/bind/dist/bin/pkcs11/openssl-0.9.8s-patch
+++ b/external/bsd/bind/dist/bin/pkcs11/openssl-0.9.8s-patch
--- a/external/bsd/bind/dist/bin/pkcs11/openssl-1.0.0f-patch
+++ b/external/bsd/bind/dist/bin/pkcs11/openssl-1.0.0f-patch
--- a/external/bsd/bind/dist/bin/python/dnssec-checkds.8
+++ b/external/bsd/bind/dist/bin/python/dnssec-checkds.8
@ -1,86 +1,6 @@
-.\" Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+.\"	$NetBSD: dnssec-checkds.8,v 1.3 2013/07/27 19:23:10 christos Exp $
 .\"
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: dnssec-checkds.8,v 1.2 2012/12/04 23:38:39 spz Exp $
-.\"
-.hy 0
-.ad l
-.\"     Title: dnssec\-checkds
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: April 11, 2012
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "DNSSEC\-CHECKDS" "8" "April 11, 2012" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-dnssec\-dsfromkey \- DNSSEC DS RR generation tool
-.SH "SYNOPSIS"
-.HP 15
-\fBdnssec\-chedkcs\fR [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-d\ \fR\fB\fIdig\ path\fR\fR] [\fB\-D\ \fR\fB\fIdsfromkey\ path\fR\fR] {zone}
-.HP 17
-\fBdnssec\-dsfromkey\fR [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-d\ \fR\fB\fIdig\ path\fR\fR] [\fB\-D\ \fR\fB\fIdsfromkey\ path\fR\fR] {zone}
-.SH "DESCRIPTION"
-.PP
-\fBdnssec\-checkds\fR
-verifies the correctness of Delegation Signer (DS) or DNSSEC Lookaside Validation (DLV) resource records for keys in a specified zone.
-.SH "OPTIONS"
-.PP
-\-f \fIfile\fR
-.RS 4
-If a
-\fBfile\fR
-is specified, then the zone is read from that file to find the DNSKEY records. If not, then the DNSKEY records for the zone are looked up in the DNS.
-.RE
-.PP
-\-l \fIdomain\fR
-.RS 4
-Check for a DLV record in the specified lookaside domain, instead of checking for a DS record in the zone's parent. For example, to check for DLV records for "example.com" in ISC's DLV zone, use:
-\fBdnssec\-checkds \-l dlv.isc.org example.com\fR
-.RE
-.PP
-\-d \fIdig path\fR
-.RS 4
-Specifies a path to a
-\fBdig\fR
-binary. Used for testing.
-.RE
-.PP
-\-D \fIdsfromkey path\fR
-.RS 4
-Specifies a path to a
-\fBdnssec\-dsfromkey\fR
-binary. Used for testing.
-.RE
-.SH "SEE ALSO"
-.PP
-\fBdnssec\-dsfromkey\fR(8),
-\fBdnssec\-keygen\fR(8),
-\fBdnssec\-signzone\fR(8),
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2012 Internet Systems Consortium, Inc. ("ISC")
-.br
-.\"	$NetBSD: dnssec-checkds.8,v 1.2 2012/12/04 23:38:39 spz Exp $
-.\"
-.\" Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
 .\"
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@ -111,10 +31,10 @@ Copyright \(co 2012 Internet Systems Consortium, Inc. ("ISC")
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-dnssec\-dsfromkey \- DNSSEC DS RR generation tool
+dnssec\-checkds \- A DNSSEC delegation consistency checking tool.
 .SH "SYNOPSIS"
 .HP 15
-\fBdnssec\-chedkcs\fR [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-d\ \fR\fB\fIdig\ path\fR\fR] [\fB\-D\ \fR\fB\fIdsfromkey\ path\fR\fR] {zone}
+\fBdnssec\-checkds\fR [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-d\ \fR\fB\fIdig\ path\fR\fR] [\fB\-D\ \fR\fB\fIdsfromkey\ path\fR\fR] {zone}
 .HP 17
 \fBdnssec\-dsfromkey\fR [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-d\ \fR\fB\fIdig\ path\fR\fR] [\fB\-D\ \fR\fB\fIdsfromkey\ path\fR\fR] {zone}
 .SH "DESCRIPTION"
@ -158,5 +78,5 @@ binary. Used for testing.
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2012 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
 .br
--- a/external/bsd/bind/dist/bin/python/dnssec-checkds.docbook
+++ b/external/bsd/bind/dist/bin/python/dnssec-checkds.docbook
@ -2,7 +2,7 @@
               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
               [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
@ -17,7 +17,9 @@
 - PERFORMANCE OF THIS SOFTWARE.
 -->

-<refentry id="man.dnssec-dsfromkey">
+<!-- Id -->
+
+<refentry id="man.dnssec-checkds">
  <refentryinfo>
    <date>April 11, 2012</date>
  </refentryinfo>
@ -29,20 +31,21 @@
  </refmeta>

  <refnamediv>
-    <refname><application>dnssec-dsfromkey</application></refname>
-    <refpurpose>DNSSEC DS RR generation tool</refpurpose>
+    <refname><application>dnssec-checkds</application></refname>
+    <refpurpose>A DNSSEC delegation consistency checking tool.</refpurpose>
  </refnamediv>

  <docinfo>
    <copyright>
      <year>2012</year>
+      <year>2013</year>
      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
    </copyright>
  </docinfo>

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>dnssec-chedkcs</command>
+      <command>dnssec-checkds</command>
      <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
      <arg><option>-f <replaceable class="parameter">file</replaceable></option></arg>
      <arg><option>-d <replaceable class="parameter">dig path</replaceable></option></arg>
--- a/external/bsd/bind/dist/bin/rndc/rndc.c
+++ b/external/bsd/bind/dist/bin/rndc/rndc.c
@ -1,4 +1,4 @@
-/*	$NetBSD: rndc.c,v 1.6 2013/03/24 18:44:39 christos Exp $	*/
+/*	$NetBSD: rndc.c,v 1.7 2013/07/27 19:23:10 christos Exp $	*/

 /*
 * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
@ -798,6 +798,7 @@ main(int argc, char **argv) {
 					program, isc_commandline_option);
 				usage(1);
 			}
+			/* FALLTHROUGH */
 		case 'h':
 			usage(0);
 			break;
--- a/external/bsd/bind/dist/bin/tests/adb_test.c
+++ b/external/bsd/bind/dist/bin/tests/adb_test.c
@ -1,7 +1,7 @@
-/*	$NetBSD: adb_test.c,v 1.4 2013/03/24 18:44:40 christos Exp $	*/
+/*	$NetBSD: adb_test.c,v 1.5 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2001  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -218,7 +218,7 @@ create_view(void) {
 			      == ISC_R_SUCCESS);
 		INSIST(disp6 != NULL);

-		RUNTIME_CHECK(dns_view_createresolver(view, taskmgr, 10,
+		RUNTIME_CHECK(dns_view_createresolver(view, taskmgr, 10, 1,
 						      socketmgr,
 						      timermgr, 0,
 						      dispatchmgr,
@ -247,7 +247,7 @@ lookup(const char *target) {
 	INSIST(target != NULL);

 	client = new_client();
-	isc_buffer_init(&t, target, strlen(target));
+	isc_buffer_constinit(&t, target, strlen(target));
 	isc_buffer_add(&t, strlen(target));
 	isc_buffer_init(&namebuf, namedata, sizeof(namedata));
 	dns_name_init(&name, NULL);
--- a/external/bsd/bind/dist/bin/tests/byaddr_test.c
+++ b/external/bsd/bind/dist/bin/tests/byaddr_test.c
@ -1,7 +1,7 @@
-/*	$NetBSD: byaddr_test.c,v 1.4 2013/03/24 18:44:40 christos Exp $	*/
+/*	$NetBSD: byaddr_test.c,v 1.5 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000-2002  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -170,7 +170,7 @@ main(int argc, char *argv[]) {
 							  512, 6, 1024,
 							  17, 19, attrs,
 							  attrs, &disp4)
-			 	      == ISC_R_SUCCESS);
+				      == ISC_R_SUCCESS);
 			INSIST(disp4 != NULL);
 		}

@ -190,16 +190,16 @@ main(int argc, char *argv[]) {
 			INSIST(disp6 != NULL);
 		}

-		RUNTIME_CHECK(dns_view_createresolver(view, taskmgr, 10,
+		RUNTIME_CHECK(dns_view_createresolver(view, taskmgr, 10, 1,
 						      socketmgr,
 						      timermgr, 0,
 						      dispatchmgr,
 						      disp4, disp6) ==
 		      ISC_R_SUCCESS);

-	        if (disp4 != NULL)
+		if (disp4 != NULL)
 		    dns_dispatch_detach(&disp4);
-	        if (disp6 != NULL)
+		if (disp6 != NULL)
 		    dns_dispatch_detach(&disp6);
 	}

--- a/external/bsd/bind/dist/bin/tests/byname_test.c
+++ b/external/bsd/bind/dist/bin/tests/byname_test.c
@ -1,7 +1,7 @@
-/*	$NetBSD: byname_test.c,v 1.4 2013/03/24 18:44:40 christos Exp $	*/
+/*	$NetBSD: byname_test.c,v 1.5 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000, 2001  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -309,7 +309,7 @@ main(int argc, char *argv[]) {
 			INSIST(disp6 != NULL);
 		}

-		RUNTIME_CHECK(dns_view_createresolver(view, taskmgr, 10,
+		RUNTIME_CHECK(dns_view_createresolver(view, taskmgr, 10, 1,
 						      socketmgr,
 						      timermgr, 0,
 						      dispatchmgr,
--- a/external/bsd/bind/dist/bin/tests/db/t_db.c
+++ b/external/bsd/bind/dist/bin/tests/db/t_db.c
@ -1,7 +1,7 @@
-/*	$NetBSD: t_db.c,v 1.4 2012/06/05 00:39:28 christos Exp $	*/
+/*	$NetBSD: t_db.c,v 1.5 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2001  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -60,7 +60,7 @@ t_create(const char *db_type, const char *origin, const char *class,

 	dns_fixedname_init(&dns_origin);
 	len = strlen(origin);
-	isc_buffer_init(&origin_buffer, origin, len);
+	isc_buffer_constinit(&origin_buffer, origin, len);
 	isc_buffer_add(&origin_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_origin),
 				       &origin_buffer, NULL, 0, NULL);
--- a/external/bsd/bind/dist/bin/tests/db_test.c
+++ b/external/bsd/bind/dist/bin/tests/db_test.c
@ -1,7 +1,7 @@
-/*	$NetBSD: db_test.c,v 1.4 2013/03/24 18:44:40 christos Exp $	*/
+/*	$NetBSD: db_test.c,v 1.5 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004, 2005, 2007-2009, 2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2001  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -263,7 +263,7 @@ load(const char *filename, const char *origintext, isc_boolean_t cache) {
 	ISC_LINK_INIT(dbi, link);

 	len = strlen(origintext);
-	isc_buffer_init(&source, origintext, len);
+	isc_buffer_constinit(&source, origintext, len);
 	isc_buffer_add(&source, len);
 	dns_fixedname_init(&forigin);
 	origin = dns_fixedname_name(&forigin);
@ -373,6 +373,7 @@ main(int argc, char *argv[]) {
 	dns_trust_t trust = 0;
 	unsigned int addopts;
 	isc_log_t *lctx = NULL;
+	size_t n;

 	isc__mem_register();
 	isc__task_register();
@ -398,7 +399,13 @@ main(int argc, char *argv[]) {
 				       isc_result_totext(result));
 			break;
 		case 'd':
-			strcpy(dbtype, isc_commandline_argument);
+			n = strlcpy(dbtype, isc_commandline_argument,
+				    sizeof(dbtype));
+			if (n >= sizeof(dbtype)) {
+				fprintf(stderr, "bad db type '%s'\n",
+					isc_commandline_argument);
+				exit(1);
+			}
 			break;
 		case 'g':
 			options |= (DNS_DBFIND_GLUEOK|DNS_DBFIND_VALIDATEGLUE);
@ -609,10 +616,11 @@ main(int argc, char *argv[]) {
 		} else if (strstr(s, "!V") == s) {
 			DBI_CHECK(dbi);
 			v = atoi(&s[2]);
-			if (v >= dbi->rcount) {
+			if (v >= dbi->rcount || v < 0) {
 				printf("unknown open version %d\n", v);
 				continue;
-			} else if (dbi->rversions[v] == NULL) {
+			}
+			if (dbi->rversions[v] == NULL) {
 				printf("version %d is not open\n", v);
 				continue;
 			}
--- a/external/bsd/bind/dist/bin/tests/dst/Kdh.+002+18602.key
+++ b/external/bsd/bind/dist/bin/tests/dst/Kdh.+002+18602.key
@ -1 +0,0 @@
-dh. IN KEY 0 2 2 AAEBAAAAYIHI/wjtOagNga9GILSoS02IVelgLilPE/TfhtvShsiDAXqb IfxQcj2JkuOnNLs5ttb2WZXWl5/jsSjIxHMwMF2XY4gwt/lwHBf/vgYH r7aIxnKXov1jk9rymTLHGKIOtg==
--- a/external/bsd/bind/dist/bin/tests/dst/Kdh.+002+18602.private
+++ b/external/bsd/bind/dist/bin/tests/dst/Kdh.+002+18602.private
@ -1,6 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 2 (DH)
-Prime(p): ///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxObIlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjo2IP//////////
-Generator(g): Ag==
-Private_value(x): bpdsGQ1jbV3f2CGN/0Pk5KM1MlkFmMryPO1J1zoGn585fRmc9Ygw6l/HKmi2ViiDNorvd9/eV9uyYO6lYZC82R3D7rST1mAqCwbg/8gNE5dXBRbRIIq3qIl6GUYYs8mK
-Public_value(y): gcj/CO05qA2Br0YgtKhLTYhV6WAuKU8T9N+G29KGyIMBepsh/FByPYmS46c0uzm21vZZldaXn+OxKMjEczAwXZdjiDC3+XAcF/++BgevtojGcpei/WOT2vKZMscYog62
--- a/external/bsd/bind/dist/bin/tests/dst/Kdh.+002+48957.key
+++ b/external/bsd/bind/dist/bin/tests/dst/Kdh.+002+48957.key
@ -1 +0,0 @@
-dh. IN KEY 0 2 2 AAEBAAAAYOuaKjyMXYame2F6/ZFdEmXv0a2edB+69PEZgrExA6SJlivn 4KqAsfBHr/+0BCb+7nfWeMDSh2BXnSzWkXF1wMaCHMuz9EleG1gKFKeV Q9gKli88Cb8/jbovWChrGBNp2w==
--- a/external/bsd/bind/dist/bin/tests/dst/Kdh.+002+48957.private
+++ b/external/bsd/bind/dist/bin/tests/dst/Kdh.+002+48957.private
@ -1,6 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 2 (DH)
-Prime(p): ///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxObIlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjo2IP//////////
-Generator(g): Ag==
-Private_value(x): WJG0moh+QoZV+DYhqW7Z6O6TYpYGtSlN0Ym6JV6VRnzeH69OqMUFivqZorj3a3ofR/4zogNVyy5KLLj2NFTaLGP4Hcvt7uETJik6HrjLMhGf40QPXYgVK57Im0rv88Ca
-Public_value(y): 65oqPIxdhqZ7YXr9kV0SZe/RrZ50H7r08RmCsTEDpImWK+fgqoCx8Eev/7QEJv7ud9Z4wNKHYFedLNaRcXXAxoIcy7P0SV4bWAoUp5VD2AqWLzwJvz+Nui9YKGsYE2nb
--- a/external/bsd/bind/dist/bin/tests/dst/Ktest.+001+00002.key
+++ b/external/bsd/bind/dist/bin/tests/dst/Ktest.+001+00002.key
@ -1 +0,0 @@
-test. IN DNSKEY 49152 2 1
--- a/external/bsd/bind/dist/bin/tests/dst/Ktest.+001+54622.key
+++ b/external/bsd/bind/dist/bin/tests/dst/Ktest.+001+54622.key
@ -1 +0,0 @@
-test. IN DNSKEY 257 3 1 AQPQjwSpaVzxIgRCpiUoozUQKGh2oX8NIFKDOvtxK+tn536OZg2cROKTlgGEHXJK9YHfW/6nzQULTVpb63P+SQMmjCCidb8IYyhItixRztVeJQ==
--- a/external/bsd/bind/dist/bin/tests/dst/Ktest.+001+54622.private
+++ b/external/bsd/bind/dist/bin/tests/dst/Ktest.+001+54622.private
@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 1 (RSA)
-Modulus: 0I8EqWlc8SIEQqYlKKM1EChodqF/DSBSgzr7cSvrZ+d+jmYNnETik5YBhB1ySvWB31v+p80FC01aW+tz/kkDJowgonW/CGMoSLYsUc7VXiU=
-PublicExponent: Aw==
-PrivateExponent: iwoDG5uTS2wC1xluGxd4tXBFpGuqCMA3AidSS3Kc7++ptEQJEtiXC9kfCJMvZhGfQLaujft2OgrmkcuDVtPIbQWEENhyJhb4Lk82kFXbfus=
-Prime1: /rSKuzcZY7R5cY2YWD4CiBNyj9WJMq1wWmBnb9+5M08nTl5E9NW5qQ==
-Prime2: 0Z5shXQYd16E2Gs6e5WxtO0Oqlly2KkSqXohwTQWDWTb8Pw0WTZmHQ==
-Exponent1: qc2x0iS7l82mS7O65X6sWrehtTkGIcj1kZWaSpUmIjTE3umDTePRGw==
-Exponent2: i77zA6K6+j8DOvIm/Q52eJ4JxuZMkHC3G6bBK3gOs5iSoKgi5iREEw==
-Coefficient: 3+wYZB0SJad7z2EsjzgbSlg6CawoaOvrROGSbwSiW5DCsMFROudOTw==
--- a/external/bsd/bind/dist/bin/tests/dst/Ktest.+003+23616.key
+++ b/external/bsd/bind/dist/bin/tests/dst/Ktest.+003+23616.key
@ -1 +0,0 @@
-test. IN DNSKEY 16641 3 3 ANp1//lqDlEfTavcFI+cyudNfgEz73V/K7fSDvkA0eDYcGg/kSvEjAEO/oLWCERltkuC55ZcM/mSv17WF1d/wR6kww/pLI9eXwkjftAYqs5sNxk+mbEGl6zwve9wq5z7IoTY5/J4l7XLCKftg/wGvrzXQhggIkRvEh3myhxd+ouILcpfvTIthWlTKiH59tSJpmgmiSMTE7nDYaf10iVRWN6DMSprgejiH05/fpmyZAt44tyAh4m1wXS5u4tam1PXDJYJozn7EfQ8e2weIv1yC+t6PHSx
--- a/external/bsd/bind/dist/bin/tests/dst/Ktest.+003+23616.private
+++ b/external/bsd/bind/dist/bin/tests/dst/Ktest.+003+23616.private
@ -1,7 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 3 (DSA)
-Prime(p): 73V/K7fSDvkA0eDYcGg/kSvEjAEO/oLWCERltkuC55ZcM/mSv17WF1d/wR6kww/pLI9eXwkjftAYqs5sNxk+mQ==
-Subprime(q): 2nX/+WoOUR9Nq9wUj5zK501+ATM=
-Base(g): sQaXrPC973CrnPsihNjn8niXtcsIp+2D/Aa+vNdCGCAiRG8SHebKHF36i4gtyl+9Mi2FaVMqIfn21ImmaCaJIw==
-Private_value(x): Nky4tvIwg6xlcyeHXr4k2DEZg0E=
-Public_value(y): ExO5w2Gn9dIlUVjegzEqa4Ho4h9Of36ZsmQLeOLcgIeJtcF0ubuLWptT1wyWCaM5+xH0PHtsHiL9cgvrejx0sQ==
--- a/external/bsd/bind/dist/bin/tests/dst/Ktest.+003+49667.key
+++ b/external/bsd/bind/dist/bin/tests/dst/Ktest.+003+49667.key
@ -1 +0,0 @@
-test. IN DNSKEY 49152 2 3
--- a/external/bsd/bind/dist/bin/tests/dst/dst_2_data
+++ b/external/bsd/bind/dist/bin/tests/dst/dst_2_data
@ -1,16 +0,0 @@
-#
-# data for signature verification test
-#
-# format:
-#	datafile, sigpath, keyname, keyid, alg, exp_result
-#
-t2_data_1	t2_dsasig	test.	23616	DST_ALG_DSA	ISC_R_SUCCESS
-t2_data_1	t2_rsasig	test.	54622	DST_ALG_RSAMD5	ISC_R_SUCCESS
-# wrong sig
-t2_data_1	t2_dsasig	test.	54622	DST_ALG_RSAMD5	!ISC_R_SUCCESS
-# wrong key
-#t2_data_1	t2_dsasig	test.	54622	DST_ALG_DSA	!ISC_R_SUCCESS
-# wrong alg
-#t2_data_1	t2_dsasig	test.	23616	DST_ALG_RSAMD5	!ISC_R_SUCCESS
-# wrong data
-t2_data_2	t2_dsasig	test.	23616	DST_ALG_DSA	!ISC_R_SUCCESS
--- a/external/bsd/bind/dist/bin/tests/dst/dst_test.c
+++ b/external/bsd/bind/dist/bin/tests/dst/dst_test.c
@ -1,7 +1,7 @@
-/*	$NetBSD: dst_test.c,v 1.4 2013/03/24 18:44:42 christos Exp $	*/
+/*	$NetBSD: dst_test.c,v 1.5 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2001  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -56,7 +56,7 @@ use(dst_key_t *key, isc_mem_t *mctx) {
 	 */
 	isc_buffer_add(&sigbuf, 1);

-	isc_buffer_init(&databuf, data, strlen(data));
+	isc_buffer_constinit(&databuf, data, strlen(data));
 	isc_buffer_add(&databuf, strlen(data));
 	isc_buffer_usedregion(&databuf, &datareg);

@ -268,7 +268,7 @@ main(void) {

 	dns_fixedname_init(&fname);
 	name = dns_fixedname_name(&fname);
-	isc_buffer_init(&b, "test.", 5);
+	isc_buffer_constinit(&b, "test.", 5);
 	isc_buffer_add(&b, 5);
 	result = dns_name_fromtext(name, &b, NULL, 0, NULL);
 	if (result != ISC_R_SUCCESS)
@ -280,7 +280,7 @@ main(void) {
 	io(name, 49667, DST_ALG_DSA, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC, mctx);
 	io(name, 2, DST_ALG_RSAMD5, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC, mctx);

-	isc_buffer_init(&b, "dh.", 3);
+	isc_buffer_constinit(&b, "dh.", 3);
 	isc_buffer_add(&b, 3);
 	result = dns_name_fromtext(name, &b, NULL, 0, NULL);
 	if (result != ISC_R_SUCCESS)
--- a/external/bsd/bind/dist/bin/tests/dst/t2_data_1
+++ b/external/bsd/bind/dist/bin/tests/dst/t2_data_1
--- a/external/bsd/bind/dist/bin/tests/dst/t2_data_2
+++ b/external/bsd/bind/dist/bin/tests/dst/t2_data_2
--- a/external/bsd/bind/dist/bin/tests/dst/t2_dsasig
+++ b/external/bsd/bind/dist/bin/tests/dst/t2_dsasig
@ -1,3 +0,0 @@
-0009B55FDB62034326278C9371F32D92
-3D0E1161A32D491BEC38546FC452D903
-A91D806345B2F7F22E
--- a/external/bsd/bind/dist/bin/tests/dst/t2_rsasig
+++ b/external/bsd/bind/dist/bin/tests/dst/t2_rsasig
@ -1,6 +0,0 @@
-A8A20D2F26F792B3CE76DD0E12A85DFE
-FF66AB866EF0BDB0F515001E234E699B
-F5CD6FB41FB15D4213705ABE9B563896
-2196228648E0F8AA7F2F4EED3C19165C
-1B4C70C9D69B93A1F2BE5B2F948CE023
-
--- a/external/bsd/bind/dist/bin/tests/dst/t_dst.c
+++ b/external/bsd/bind/dist/bin/tests/dst/t_dst.c
@ -1,4 +1,4 @@
-/*	$NetBSD: t_dst.c,v 1.5 2012/12/04 23:38:39 spz Exp $	*/
+/*	$NetBSD: t_dst.c,v 1.6 2013/07/27 19:23:10 christos Exp $	*/

 /*
 * Copyright (C) 2004, 2005, 2007-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
@ -63,6 +63,7 @@ cleandir(char *path) {
 	DIR		*dirp;
 	struct dirent	*pe;
 	char		fullname[PATH_MAX + 1];
+	size_t		l;

 	dirp = opendir(path);
 	if (dirp == NULL) {
@ -75,11 +76,16 @@ cleandir(char *path) {
 			continue;
 		if (! strcmp(pe->d_name, ".."))
 			continue;
-		strcpy(fullname, path);
-		strcat(fullname, "/");
-		strcat(fullname, pe->d_name);
-		if (remove(fullname))
-			t_info("remove(%s) failed %d\n", fullname, errno);
+		(void)strlcpy(fullname, path, sizeof(fullname));
+		(void)strlcat(fullname, "/", sizeof(fullname));
+		l = strlcat(fullname, pe->d_name, sizeof(fullname));
+		if (l < sizeof(fullname)) {
+			if (remove(fullname))
+				t_info("remove(%s) failed %d\n", fullname,
+				       errno);
+		} else
+		       t_info("unable to remove '%s/%s': path too long\n",
+			      path, pe->d_name);

 	}
 	(void)closedir(dirp);
@ -100,7 +106,7 @@ use(dst_key_t *key, isc_mem_t *mctx, isc_result_t exp_result, int *nfails) {
 	dst_context_t *ctx = NULL;

 	isc_buffer_init(&sigbuf, sig, sizeof(sig));
-	isc_buffer_init(&databuf, data, strlen(data));
+	isc_buffer_constinit(&databuf, data, strlen(data));
 	isc_buffer_add(&databuf, strlen(data));
 	isc_buffer_usedregion(&databuf, &datareg);

@ -462,7 +468,7 @@ t1(void) {

 	dns_fixedname_init(&fname);
 	name = dns_fixedname_name(&fname);
-	isc_buffer_init(&b, "test.", 5);
+	isc_buffer_constinit(&b, "test.", 5);
 	isc_buffer_add(&b, 5);
 	isc_result = dns_name_fromtext(name, &b, NULL, 0, NULL);
 	if (isc_result != ISC_R_SUCCESS) {
@ -484,7 +490,7 @@ t1(void) {
 	io(name, 2, DST_ALG_RSAMD5, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC,
 			mctx, DST_R_NULLKEY, &nfails, &nprobs);

-	isc_buffer_init(&b, "dh.", 3);
+	isc_buffer_constinit(&b, "dh.", 3);
 	isc_buffer_add(&b, 3);
 	isc_result = dns_name_fromtext(name, &b, NULL, 0, NULL);
 	if (isc_result != ISC_R_SUCCESS) {
@ -614,25 +620,27 @@ sig_fromfile(char *path, isc_buffer_t *iscbuf) {
 	char		*p;
 	char		*buf;

-	rval = stat(path, &sb);
-	if (rval != 0) {
-		t_info("stat %s failed, errno == %d\n", path, errno);
-		return(1);
-	}
-
-	buf = (char *) malloc((sb.st_size + 1) * sizeof(unsigned char));
-	if (buf == NULL) {
-		t_info("malloc failed, errno == %d\n", errno);
-		return(1);
-	}
-
 	fd = open(path, O_RDONLY);
 	if (fd < 0) {
 		t_info("open failed, errno == %d\n", errno);
-		(void) free(buf);
 		return(1);
 	}

+	rval = fstat(fd, &sb);
+	if (rval != 0) {
+		t_info("stat %s failed, errno == %d\n", path, errno);
+		close(fd);
+		return(1);
+	}
+
+	buf = (char *) malloc((sb.st_size + 1) * sizeof(char));
+	if (buf == NULL) {
+		t_info("malloc failed, errno == %d\n", errno);
+		close(fd);
+		return(1);
+	}
+
+
 	len = sb.st_size;
 	p = buf;
 	while (len) {
@ -705,28 +713,29 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
 	/*
 	 * Read data from file in a form usable by dst_verify.
 	 */
-	rval = stat(datapath, &sb);
-	if (rval != 0) {
-		t_info("t2_sigchk: stat (%s) failed %d\n", datapath, errno);
-		++*nprobs;
-		return;
-	}
-
-	data = (unsigned char *) malloc(sb.st_size * sizeof(char));
-	if (data == NULL) {
-		t_info("t2_sigchk: malloc failed %d\n", errno);
-		++*nprobs;
-		return;
-	}
-
 	fd = open(datapath, O_RDONLY);
 	if (fd < 0) {
 		t_info("t2_sigchk: open failed %d\n", errno);
-		(void) free(data);
 		++*nprobs;
 		return;
 	}

+	rval = fstat(fd, &sb);
+	if (rval != 0) {
+		t_info("t2_sigchk: stat (%s) failed %d\n", datapath, errno);
+		++*nprobs;
+		close(fd);
+		return;
+	}
+
+	data = (unsigned char *) malloc(sb.st_size * sizeof(unsigned char));
+	if (data == NULL) {
+		t_info("t2_sigchk: malloc failed %d\n", errno);
+		++*nprobs;
+		close(fd);
+		return;
+	}
+
 	p = data;
 	len = sb.st_size;
 	do {
@ -743,7 +752,7 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
 	 */
 	dns_fixedname_init(&fname);
 	name = dns_fixedname_name(&fname);
-	isc_buffer_init(&b, keyname, strlen(keyname));
+	isc_buffer_constinit(&b, keyname, strlen(keyname));
 	isc_buffer_add(&b, strlen(keyname));
 	isc_result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
 	if (isc_result != ISC_R_SUCCESS) {
--- a/external/bsd/bind/dist/bin/tests/fsaccess_test.c
+++ b/external/bsd/bind/dist/bin/tests/fsaccess_test.c
@ -1,7 +1,7 @@
-/*	$NetBSD: fsaccess_test.c,v 1.4 2013/03/24 18:44:40 christos Exp $	*/
+/*	$NetBSD: fsaccess_test.c,v 1.5 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000, 2001  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -24,6 +24,8 @@
 #include <config.h>

 #include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>

 #include <sys/types.h>		/* Non-portable. */
 #include <sys/stat.h>		/* Non-portable. */
@ -37,14 +39,29 @@ int
 main(void) {
 	isc_fsaccess_t access;
 	isc_result_t result;
+	FILE *fp;
+	int n;

 	isc__mem_register();
 	isc__task_register();
 	isc__timer_register();
 	isc__socket_register();
-	remove(PATH);
-	fopen(PATH, "w");
-	chmod(PATH, 0);
+
+	n = remove(PATH);
+	if (n != 0 && errno != ENOENT) {
+		fprintf(stderr, "unable to remove(%s)\n", PATH);
+		exit(1);
+	}
+	fp = fopen(PATH, "w");
+	if (fp == NULL) {
+		fprintf(stderr, "unable to fopen(%s)\n", PATH);
+		exit(1);
+	}
+	n = chmod(PATH, 0);
+	if (n != 0) {
+		fprintf(stderr, "unable chmod(%s, 0)\n", PATH);
+		exit(1);
+	}

 	access = 0;

@ -61,6 +78,7 @@ main(void) {
 	result = isc_fsaccess_set(PATH, access);
 	if (result != ISC_R_SUCCESS)
 		fprintf(stderr, "result = %s\n", isc_result_totext(result));
+	(void)fclose(fp);

 	return (0);
 }
--- a/external/bsd/bind/dist/bin/tests/names/t_names.c
+++ b/external/bsd/bind/dist/bin/tests/names/t_names.c
@ -1,4 +1,4 @@
-/*	$NetBSD: t_names.c,v 1.5 2012/12/04 23:38:39 spz Exp $	*/
+/*	$NetBSD: t_names.c,v 1.6 2013/07/27 19:23:10 christos Exp $	*/

 /*
 * Copyright (C) 2004-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
@ -29,6 +29,7 @@
 #include <isc/string.h>

 #include <dns/compress.h>
+#include <dns/fixedname.h>
 #include <dns/name.h>
 #include <dns/result.h>

@ -168,7 +169,7 @@ chkdata(unsigned char *buf, size_t buflen, char *exp_data,
 		else {
 			t_info("bad data at position %lu, "
 			       "got 0x%.2x, expected 0x%.2x\n",
-			       (unsigned long)cnt, *p, *q);
+			       (unsigned long)cnt, *p, *v);
 			result = cnt + 1;
 		}
 		(void)free(data);
@ -186,13 +187,14 @@ chkdata(unsigned char *buf, size_t buflen, char *exp_data,
 * setup the buffer and return the data length.
 */
 static int
-getmsg(char *datafile_name, unsigned char *buf, int buflen, isc_buffer_t *pbuf)
+getmsg(char *datafile_name, isc_buffer_t *pbuf)
 {
 	int			c;
-	int			len;
-	int			cnt;
+	unsigned int		len;
+	unsigned int		cnt;
 	unsigned char		*p;
 	FILE			*fp;
+	unsigned int		buflen;

 	fp = fopen(datafile_name, "r");
 	if (fp == NULL) {
@ -200,7 +202,8 @@ getmsg(char *datafile_name, unsigned char *buf, int buflen, isc_buffer_t *pbuf)
 		return (0);
 	}

-	p = buf;
+	p = isc_buffer_used(pbuf);
+	buflen = isc_buffer_availablelength(pbuf);
 	cnt = 0;
 	len = 0;
 	while ((c = getc(fp)) != EOF) {
@ -249,7 +252,6 @@ getmsg(char *datafile_name, unsigned char *buf, int buflen, isc_buffer_t *pbuf)
 	}

 	*p = '\0';
-	isc_buffer_init(pbuf, buf, cnt);
 	isc_buffer_add(pbuf, cnt);
 	return (cnt);
 }
@ -332,40 +334,6 @@ hname_to_tname(char *src, char *target, size_t len) {

 #endif	/* NEED_HNAME_TO_TNAME */

-/*%
- * initialize a dns_name_t from a text name, hiding all
- * buffer and other object initialization from the caller
- *
- */
-
-static isc_result_t
-dname_from_tname(char *name, dns_name_t *dns_name) {
-	int		len;
-	isc_buffer_t	txtbuf;
-	isc_buffer_t	*binbuf;
-	unsigned char	*junk;
-	isc_result_t	result;
-
-	len = strlen(name);
-	isc_buffer_init(&txtbuf, name, len);
-	isc_buffer_add(&txtbuf, len);
-	junk = (unsigned char *)malloc(sizeof(unsigned char) * BUFLEN);
-	binbuf = (isc_buffer_t *)malloc(sizeof(isc_buffer_t));
-	if ((junk != NULL) && (binbuf != NULL)) {
-		isc_buffer_init(binbuf, junk, BUFLEN);
-		dns_name_init(dns_name, NULL);
-		dns_name_setbuffer(dns_name, binbuf);
-		result = dns_name_fromtext(dns_name,  &txtbuf, NULL, 0, NULL);
-	} else {
-		result = ISC_R_NOSPACE;
-		if (junk != NULL)
-			(void)free(junk);
-		if (binbuf != NULL)
-			(void)free(binbuf);
-	}
-	return (result);
-}
-
 static const char *a3 =	"dns_name_init initializes 'name' to the empty name";

 static void
@ -626,8 +594,10 @@ test_dns_name_hash(char *test_name1, char *test_name2,
 	isc_boolean_t	match;
 	unsigned int	hash1;
 	unsigned int	hash2;
-	dns_name_t	dns_name1;
-	dns_name_t	dns_name2;
+	dns_fixedname_t	fixed1;
+	dns_fixedname_t	fixed2;
+	dns_name_t	*dns_name1;
+	dns_name_t	*dns_name2;
 	isc_result_t	result;

 	rval = T_UNRESOLVED;
@ -635,12 +605,17 @@ test_dns_name_hash(char *test_name1, char *test_name2,

 	t_info("testing names %s and %s\n", test_name1, test_name2);

-	result = dname_from_tname(test_name1, &dns_name1);
+	dns_fixedname_init(&fixed1);
+	dns_fixedname_init(&fixed2);
+	dns_name1 = dns_fixedname_name(&fixed1);
+	dns_name2 = dns_fixedname_name(&fixed2);
+	result = dns_name_fromstring2(dns_name1, test_name1, NULL, 0, NULL);
 	if (result == ISC_R_SUCCESS) {
-		result = dname_from_tname(test_name2, &dns_name2);
+		result = dns_name_fromstring2(dns_name2, test_name2, NULL,
+					      0, NULL);
 		if (result == ISC_R_SUCCESS) {
-			hash1 = dns_name_hash(&dns_name1, ISC_TRUE);
-			hash2 = dns_name_hash(&dns_name2, ISC_TRUE);
+			hash1 = dns_name_hash(dns_name1, ISC_TRUE);
+			hash2 = dns_name_hash(dns_name2, ISC_TRUE);
 			match = ISC_FALSE;
 			if (hash1 == hash2)
 				match = ISC_TRUE;
@ -648,8 +623,8 @@ test_dns_name_hash(char *test_name1, char *test_name2,
 				++failures;
 				t_info("hash mismatch when ISC_TRUE\n");
 			}
-			hash1 = dns_name_hash(&dns_name1, ISC_FALSE);
-			hash2 = dns_name_hash(&dns_name2, ISC_FALSE);
+			hash1 = dns_name_hash(dns_name1, ISC_FALSE);
+			hash2 = dns_name_hash(dns_name2, ISC_FALSE);
 			match = ISC_FALSE;
 			if (hash1 == hash2)
 				match = ISC_TRUE;
@ -662,11 +637,11 @@ test_dns_name_hash(char *test_name1, char *test_name2,
 			else
 				rval = T_FAIL;
 		} else {
-			t_info("dns_fromtext %s failed, result = %s\n",
+			t_info("dns_name_fromstring2 %s failed, result = %s\n",
 				test_name2, dns_result_totext(result));
 		}
 	} else {
-		t_info("dns_fromtext %s failed, result = %s\n",
+		t_info("dns_name_fromstring2 %s failed, result = %s\n",
 				test_name1, dns_result_totext(result));
 	}
 	return (rval);
@ -768,8 +743,10 @@ test_dns_name_fullcompare(char *name1, char *name2,
 	int		nfails;
 	int		order;
 	unsigned int	nlabels;
-	dns_name_t	dns_name1;
-	dns_name_t	dns_name2;
+	dns_fixedname_t fixed1;
+	dns_fixedname_t fixed2;
+	dns_name_t	*dns_name1;
+	dns_name_t	*dns_name2;
 	isc_result_t	dns_result;
 	dns_namereln_t	dns_reln;

@ -780,11 +757,16 @@ test_dns_name_fullcompare(char *name1, char *name2,
 	t_info("testing names %s and %s for relation %s\n", name1, name2,
 	       dns_namereln_to_text(exp_dns_reln));

-	dns_result = dname_from_tname(name1, &dns_name1);
+	dns_fixedname_init(&fixed1);
+	dns_fixedname_init(&fixed2);
+	dns_name1 = dns_fixedname_name(&fixed1);
+	dns_name2 = dns_fixedname_name(&fixed2);
+	dns_result = dns_name_fromstring2(dns_name1, name1, NULL, 0, NULL);
 	if (dns_result == ISC_R_SUCCESS) {
-		dns_result = dname_from_tname(name2, &dns_name2);
+		dns_result = dns_name_fromstring2(dns_name2, name2, NULL,
+						  0, NULL);
 		if (dns_result == ISC_R_SUCCESS) {
-			dns_reln = dns_name_fullcompare(&dns_name1, &dns_name2,
+			dns_reln = dns_name_fullcompare(dns_name1, dns_name2,
 					&order, &nlabels);

 			if (dns_reln != exp_dns_reln) {
@ -816,11 +798,11 @@ test_dns_name_fullcompare(char *name1, char *name2,
 			else
 				result = T_FAIL;
 		} else {
-			t_info("dname_from_tname failed, result == %s\n",
+			t_info("dns_name_fromstring2 failed, result == %s\n",
 			       dns_result_totext(result));
 		}
 	} else {
-		t_info("dname_from_tname failed, result == %s\n",
+		t_info("dns_name_fromstring2 failed, result == %s\n",
 		       dns_result_totext(result));
 	}

@ -909,8 +891,10 @@ test_dns_name_compare(char *name1, char *name2, int exp_order) {
 	int		result;
 	int		order;
 	isc_result_t	dns_result;
-	dns_name_t	dns_name1;
-	dns_name_t	dns_name2;
+	dns_fixedname_t fixed1;
+	dns_fixedname_t fixed2;
+	dns_name_t	*dns_name1;
+	dns_name_t	*dns_name2;

 	result = T_UNRESOLVED;

@ -918,11 +902,16 @@ test_dns_name_compare(char *name1, char *name2, int exp_order) {
 	       exp_order == 0 ? "==": (exp_order == -1 ? "<" : ">"),
 	       name2);

-	dns_result = dname_from_tname(name1, &dns_name1);
+	dns_fixedname_init(&fixed1);
+	dns_fixedname_init(&fixed2);
+	dns_name1 = dns_fixedname_name(&fixed1);
+	dns_name2 = dns_fixedname_name(&fixed2);
+	dns_result = dns_name_fromstring2(dns_name1, name1, NULL, 0, NULL);
 	if (dns_result == ISC_R_SUCCESS) {
-		dns_result = dname_from_tname(name2, &dns_name2);
+		dns_result = dns_name_fromstring2(dns_name2, name2, NULL,
+						  0, NULL);
 		if (dns_result == ISC_R_SUCCESS) {
-			order = dns_name_compare(&dns_name1, &dns_name2);
+			order = dns_name_compare(dns_name1, dns_name2);
 			/*
 			 * Normalize order.
 			 */
@ -937,11 +926,11 @@ test_dns_name_compare(char *name1, char *name2, int exp_order) {
 			} else
 				result = T_PASS;
 		} else {
-			t_info("dname_from_tname failed, result == %s\n",
+			t_info("dns_name_fromstring2 failed, result == %s\n",
 					dns_result_totext(result));
 		}
 	} else {
-		t_info("dname_from_tname failed, result == %s\n",
+		t_info("dns_name_fromstring2 failed, result == %s\n",
 				dns_result_totext(result));
 	}

@ -1012,19 +1001,26 @@ test_dns_name_rdatacompare(char *name1, char *name2, int exp_order) {
 	int		result;
 	int		order;
 	isc_result_t	dns_result;
-	dns_name_t	dns_name1;
-	dns_name_t	dns_name2;
+	dns_fixedname_t fixed1;
+	dns_fixedname_t fixed2;
+	dns_name_t	*dns_name1;
+	dns_name_t	*dns_name2;

 	result = T_UNRESOLVED;

 	t_info("testing %s %s %s\n", name1,
 	       exp_order == 0 ? "==": (exp_order == -1 ? "<" : ">"), name2);

-	dns_result = dname_from_tname(name1, &dns_name1);
+	dns_fixedname_init(&fixed1);
+	dns_fixedname_init(&fixed2);
+	dns_name1 = dns_fixedname_name(&fixed1);
+	dns_name2 = dns_fixedname_name(&fixed2);
+	dns_result = dns_name_fromstring2(dns_name1, name1, NULL, 0, NULL);
 	if (dns_result == ISC_R_SUCCESS) {
-		dns_result = dname_from_tname(name2, &dns_name2);
+		dns_result = dns_name_fromstring2(dns_name2, name2, NULL,
+						  0, NULL);
 		if (dns_result == ISC_R_SUCCESS) {
-			order = dns_name_rdatacompare(&dns_name1, &dns_name2);
+			order = dns_name_rdatacompare(dns_name1, dns_name2);
 			/*
 			 * Normalize order.
 			 */
@ -1039,11 +1035,11 @@ test_dns_name_rdatacompare(char *name1, char *name2, int exp_order) {
 			} else
 				result = T_PASS;
 		} else {
-			t_info("dname_from_tname failed, result == %s\n",
+			t_info("dns_name_fromstring2 failed, result == %s\n",
 			       dns_result_totext(result));
 		}
 	} else {
-		t_info("dname_from_tname failed, result == %s\n",
+		t_info("dns_name_fromstring2 failed, result == %s\n",
 		       dns_result_totext(result));
 	}

@ -1115,19 +1111,26 @@ test_dns_name_issubdomain(char *name1, char *name2, isc_boolean_t exp_rval) {
 	int		result;
 	isc_boolean_t	rval;
 	isc_result_t	dns_result;
-	dns_name_t	dns_name1;
-	dns_name_t	dns_name2;
+	dns_fixedname_t fixed1;
+	dns_fixedname_t fixed2;
+	dns_name_t	*dns_name1;
+	dns_name_t	*dns_name2;

 	result = T_UNRESOLVED;

 	t_info("testing %s %s a subdomain of %s\n", name1,
 	       exp_rval == 0 ? "is not" : "is", name2);

-	dns_result = dname_from_tname(name1, &dns_name1);
+	dns_fixedname_init(&fixed1);
+	dns_fixedname_init(&fixed2);
+	dns_name1 = dns_fixedname_name(&fixed1);
+	dns_name2 = dns_fixedname_name(&fixed2);
+	dns_result = dns_name_fromstring2(dns_name1, name1, NULL, 0, NULL);
 	if (dns_result == ISC_R_SUCCESS) {
-		dns_result = dname_from_tname(name2, &dns_name2);
+		dns_result = dns_name_fromstring2(dns_name2, name2, NULL,
+						  0, NULL);
 		if (dns_result == ISC_R_SUCCESS) {
-			rval = dns_name_issubdomain(&dns_name1, &dns_name2);
+			rval = dns_name_issubdomain(dns_name1, dns_name2);

 			if (rval != exp_rval) {
 				t_info("expected return value of %s, got %s\n",
@ -1137,11 +1140,11 @@ test_dns_name_issubdomain(char *name1, char *name2, isc_boolean_t exp_rval) {
 			} else
 				result = T_PASS;
 		} else {
-			t_info("dname_from_tname failed, result == %s\n",
+			t_info("dns_name_fromstring2 failed, result == %s\n",
 			       dns_result_totext(result));
 		}
 	} else {
-		t_info("dname_from_tname failed, result == %s\n",
+		t_info("dns_name_fromstring2 failed, result == %s\n",
 		       dns_result_totext(result));
 	}

@ -1208,15 +1211,18 @@ test_dns_name_countlabels(char *test_name, unsigned int exp_nlabels) {
 	int		result;
 	unsigned int	nlabels;
 	isc_result_t	dns_result;
-	dns_name_t	dns_name;
+	dns_fixedname_t	fixed;
+	dns_name_t	*dns_name;

 	result = T_UNRESOLVED;

 	t_info("testing %s\n", test_name);

-	dns_result = dname_from_tname(test_name, &dns_name);
+	dns_fixedname_init(&fixed);
+	dns_name = dns_fixedname_name(&fixed);
+	dns_result = dns_name_fromstring2(dns_name, test_name, NULL, 0, NULL);
 	if (dns_result == ISC_R_SUCCESS) {
-		nlabels = dns_name_countlabels(&dns_name);
+		nlabels = dns_name_countlabels(dns_name);

 		if (nlabels != exp_nlabels) {
 			t_info("expected %d, got %d\n", exp_nlabels, nlabels);
@ -1224,7 +1230,7 @@ test_dns_name_countlabels(char *test_name, unsigned int exp_nlabels) {
 		} else
 			result = T_PASS;
 	} else {
-		t_info("dname_from_tname failed, result == %s\n",
+		t_info("dns_name_fromstring2 failed, result == %s\n",
 		       dns_result_totext(dns_result));
 	}

@ -1298,8 +1304,10 @@ test_dns_name_getlabel(char *test_name1, int label1_pos, char *test_name2,
 	unsigned int	cnt;
 	unsigned char	*p;
 	unsigned char	*q;
-	dns_name_t	dns_name1;
-	dns_name_t	dns_name2;
+	dns_fixedname_t fixed1;
+	dns_fixedname_t fixed2;
+	dns_name_t	*dns_name1;
+	dns_name_t	*dns_name2;
 	dns_label_t	dns_label1;
 	dns_label_t	dns_label2;
 	isc_result_t	dns_result;
@ -1309,12 +1317,18 @@ test_dns_name_getlabel(char *test_name1, int label1_pos, char *test_name2,

 	t_info("testing with %s and %s\n", test_name1, test_name2);

-	dns_result = dname_from_tname(test_name1, &dns_name1);
+	dns_fixedname_init(&fixed1);
+	dns_fixedname_init(&fixed2);
+	dns_name1 = dns_fixedname_name(&fixed1);
+	dns_name2 = dns_fixedname_name(&fixed2);
+	dns_result = dns_name_fromstring2(dns_name1, test_name1, NULL,
+					  0, NULL);
 	if (dns_result == ISC_R_SUCCESS) {
-		dns_result = dname_from_tname(test_name2, &dns_name2);
+		dns_result = dns_name_fromstring2(dns_name2, test_name2, NULL,
+						  0, NULL);
 		if (dns_result == ISC_R_SUCCESS) {
-			dns_name_getlabel(&dns_name1, label1_pos, &dns_label1);
-			dns_name_getlabel(&dns_name2, label2_pos, &dns_label2);
+			dns_name_getlabel(dns_name1, label1_pos, &dns_label1);
+			dns_name_getlabel(dns_name2, label2_pos, &dns_label2);
 			if (dns_label1.length != dns_label2.length) {
 				t_info("label lengths differ\n");
 				++nfails;
@ -1333,11 +1347,11 @@ test_dns_name_getlabel(char *test_name1, int label1_pos, char *test_name2,
 			else
 				result = T_FAIL;
 		} else {
-			t_info("dname_from_tname failed, result == %s",
+			t_info("dns_name_fromstring2 failed, result == %s",
 			       dns_result_totext(result));
 		}
 	} else {
-		t_info("dname_from_tname failed, result == %s",
+		t_info("dns_name_fromstring2 failed, result == %s",
 		       dns_result_totext(result));
 	}
 	return (result);
@ -1411,8 +1425,10 @@ test_dns_name_getlabelsequence(char *test_name1, int label1_start,
 	unsigned int	cnt;
 	unsigned char	*p;
 	unsigned char	*q;
-	dns_name_t	dns_name1;
-	dns_name_t	dns_name2;
+	dns_fixedname_t fixed1;
+	dns_fixedname_t fixed2;
+	dns_name_t	*dns_name1;
+	dns_name_t	*dns_name2;
 	dns_name_t	dns_targetname1;
 	dns_name_t	dns_targetname2;
 	isc_result_t	dns_result;
@ -1423,16 +1439,22 @@ test_dns_name_getlabelsequence(char *test_name1, int label1_start,

 	nfails = 0;
 	result = T_UNRESOLVED;
-	dns_result = dname_from_tname(test_name1, &dns_name1);
+	dns_fixedname_init(&fixed1);
+	dns_fixedname_init(&fixed2);
+	dns_name1 = dns_fixedname_name(&fixed1);
+	dns_name2 = dns_fixedname_name(&fixed2);
+	dns_result = dns_name_fromstring2(dns_name1, test_name1, NULL,
+					  0, NULL);
 	if (dns_result == ISC_R_SUCCESS) {
-		dns_result = dname_from_tname(test_name2, &dns_name2);
+		dns_result = dns_name_fromstring2(dns_name2, test_name2, NULL,
+						  0, NULL);
 		if (dns_result == ISC_R_SUCCESS) {
 			t_info("testing %s %s\n", test_name1, test_name2);
 			dns_name_init(&dns_targetname1, NULL);
 			dns_name_init(&dns_targetname2, NULL);
-			dns_name_getlabelsequence(&dns_name1, label1_start,
+			dns_name_getlabelsequence(dns_name1, label1_start,
 						  range, &dns_targetname1);
-			dns_name_getlabelsequence(&dns_name2, label2_start,
+			dns_name_getlabelsequence(dns_name2, label2_start,
 						  range, &dns_targetname2);

 			/*
@ -1463,11 +1485,11 @@ test_dns_name_getlabelsequence(char *test_name1, int label1_start,
 			else
 				result = T_FAIL;
 		} else {
-			t_info("dname_from_tname failed, result == %s",
+			t_info("dns_name_fromstring2 failed, result == %s",
 			       dns_result_totext(dns_result));
 		}
 	} else {
-		t_info("dname_from_tname failed, result == %s",
+		t_info("dns_name_fromstring2 failed, result == %s",
 		       dns_result_totext(dns_result));
 	}
 	return (result);
@ -1534,7 +1556,8 @@ test_dns_name_fromregion(char *test_name) {
 	int		order;
 	unsigned int	nlabels;
 	isc_result_t	dns_result;
-	dns_name_t	dns_name1;
+	dns_fixedname_t fixed1;
+	dns_name_t	*dns_name1;
 	dns_name_t	dns_name2;
 	dns_namereln_t	dns_namereln;
 	isc_region_t	region;
@ -1543,21 +1566,23 @@ test_dns_name_fromregion(char *test_name) {

 	t_info("testing %s\n", test_name);

-	dns_result = dname_from_tname(test_name, &dns_name1);
+	dns_fixedname_init(&fixed1);
+	dns_name1 = dns_fixedname_name(&fixed1);
+	dns_result = dns_name_fromstring2(dns_name1, test_name, NULL, 0, NULL);
 	if (dns_result == ISC_R_SUCCESS) {

-		dns_name_toregion(&dns_name1, &region);
+		dns_name_toregion(dns_name1, &region);

 		dns_name_init(&dns_name2, NULL);
 		dns_name_fromregion(&dns_name2, &region);
-		dns_namereln = dns_name_fullcompare(&dns_name1, &dns_name2,
+		dns_namereln = dns_name_fullcompare(dns_name1, &dns_name2,
 						    &order, &nlabels);
 		if (dns_namereln == dns_namereln_equal)
 			result = T_PASS;
 		else
 			result = T_FAIL;
 	} else {
-		t_info("dname_from_tname failed, result == %s\n",
+		t_info("dns_name_fromstring2 failed, result == %s\n",
 		       dns_result_totext(result));
 	}
 	return (result);
@ -1984,14 +2009,18 @@ test_dns_name_fromwire(char *datafile_name, int testname_offset, int downcase,
 	char			buf2[BUFLEN];
 	isc_buffer_t		iscbuf1;
 	isc_buffer_t		iscbuf2;
+	dns_fixedname_t		fixed2;
 	dns_name_t		dns_name1;
-	dns_name_t		dns_name2;
+	dns_name_t		*dns_name2;
 	isc_result_t		dns_result;
 	dns_namereln_t		dns_namereln;
 	dns_decompress_t	dctx;

 	t_info("testing using %s\n", datafile_name);
-	len = getmsg(datafile_name, buf1, BIGBUFLEN, &iscbuf1);
+	isc_buffer_init(&iscbuf1, buf1, sizeof(buf1));
+	len = getmsg(datafile_name, &iscbuf1);
+	if (len == 0)
+		return (T_FAIL);

 	isc_buffer_setactive(&iscbuf1, len);
 	iscbuf1.current = testname_offset;
@ -2006,10 +2035,13 @@ test_dns_name_fromwire(char *datafile_name, int testname_offset, int downcase,

 	if ((dns_result == exp_result) && (exp_result == ISC_R_SUCCESS)) {

-		dns_result = dname_from_tname(exp_name, &dns_name2);
+		dns_fixedname_init(&fixed2);
+		dns_name2 = dns_fixedname_name(&fixed2);
+		dns_result = dns_name_fromstring2(dns_name2, exp_name, NULL,
+						  0, NULL);
 		if (dns_result == ISC_R_SUCCESS) {
 			dns_namereln = dns_name_fullcompare(&dns_name1,
-							    &dns_name2,
+							    dns_name2,
 							    &order, &nlabels);
 			if (dns_namereln != dns_namereln_equal) {
 				t_info("dns_name_fullcompare  returned %s\n",
@ -2164,7 +2196,8 @@ static const char *a52 =

 static int
 test_dns_name_towire(char *testname, unsigned int dc_method, char *exp_data,
-		     int exp_data_len, isc_result_t exp_result, size_t buflen)
+		     size_t exp_data_len, isc_result_t exp_result,
+		     size_t buflen)
 {
 	int			result;
 	int			val;
@ -2233,6 +2266,7 @@ t_dns_name_towire_x(const char *testfile, size_t buflen) {
 	int		result;
 	unsigned int	dc_method;
 	isc_result_t	exp_result;
+	size_t		exp_data_len;
 	char		*p;
 	FILE		*fp;

@ -2262,11 +2296,12 @@ t_dns_name_towire_x(const char *testfile, size_t buflen) {

 				dc_method = t_dc_method_fromtext(Tokens[3]);
 				exp_result = t_dns_result_fromtext(Tokens[4]);
+				exp_data_len = strtoul(Tokens[3], NULL, 10);

 				result = test_dns_name_towire(Tokens[0],
 							      dc_method,
 							      Tokens[2],
-							      atoi(Tokens[3]),
+							      exp_data_len,
 							      exp_result,
 							      buflen);
 			} else {
--- a/external/bsd/bind/dist/bin/tests/rbt/t_rbt.c
+++ b/external/bsd/bind/dist/bin/tests/rbt/t_rbt.c
@ -1,7 +1,7 @@
-/*	$NetBSD: t_rbt.c,v 1.4 2012/06/05 00:39:32 christos Exp $	*/
+/*	$NetBSD: t_rbt.c,v 1.5 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -1058,6 +1058,12 @@ t_dns_rbtnodechain_first(char *dbfile, char *expected_firstname,
 	dns_fixedname_t		dns_origin;
 	isc_result_t		expected_result;

+	REQUIRE(dbfile != NULL);
+	REQUIRE(expected_firstname != NULL);
+	REQUIRE(expected_firstorigin != NULL);
+	REQUIRE(expected_nextname != NULL);
+	REQUIRE(expected_nextorigin != NULL);
+
 	result = T_UNRESOLVED;

 	nfails = 0;
@ -1249,6 +1255,12 @@ t_dns_rbtnodechain_last(char *dbfile, char *expected_lastname,
 	dns_fixedname_t		dns_origin;
 	isc_result_t		expected_result;

+	REQUIRE(dbfile != NULL);
+	REQUIRE(expected_lastname != NULL);
+	REQUIRE(expected_lastorigin != NULL);
+	REQUIRE(expected_prevname != NULL);
+	REQUIRE(expected_prevorigin != NULL);
+
 	result = T_UNRESOLVED;

 	nfails = 0;
--- a/external/bsd/bind/dist/bin/tests/rdata_test.c
+++ b/external/bsd/bind/dist/bin/tests/rdata_test.c
@ -1,7 +1,7 @@
-/*	$NetBSD: rdata_test.c,v 1.5 2013/03/24 18:44:41 christos Exp $	*/
+/*	$NetBSD: rdata_test.c,v 1.6 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004-2007, 2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1998-2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -57,19 +57,19 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,

 	switch (rdata->type) {
 	case dns_rdatatype_a6: {
-		dns_rdata_in_a6_t in_a6;
+		static dns_rdata_in_a6_t in_a6;
 		result = dns_rdata_tostruct(rdata, sp = &in_a6, NULL);
 		break;
 	}
 	case dns_rdatatype_a: {
 		switch (rdata->rdclass) {
 		case dns_rdataclass_hs: {
-			dns_rdata_hs_a_t hs_a;
+			static dns_rdata_hs_a_t hs_a;
 			result = dns_rdata_tostruct(rdata, sp = &hs_a, NULL);
 			break;
 		}
 		case dns_rdataclass_in: {
-			dns_rdata_in_a_t in_a;
+			static dns_rdata_in_a_t in_a;
 			result = dns_rdata_tostruct(rdata, sp = &in_a, NULL);
 			break;
 		}
@ -80,12 +80,12 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,
 		break;
 	}
 	case dns_rdatatype_aaaa: {
-		dns_rdata_in_aaaa_t in_aaaa;
+		static dns_rdata_in_aaaa_t in_aaaa;
 		result = dns_rdata_tostruct(rdata, sp = &in_aaaa, NULL);
 		break;
 	}
 	case dns_rdatatype_afsdb: {
-		dns_rdata_afsdb_t afsdb;
+		static dns_rdata_afsdb_t afsdb;
 		result = dns_rdata_tostruct(rdata, sp = &afsdb, NULL);
 		break;
 	}
@ -96,7 +96,7 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,
 	case dns_rdatatype_apl: {
 		switch (rdata->rdclass) {
 		case dns_rdataclass_in: {
-			dns_rdata_in_apl_t in_apl;
+			static dns_rdata_in_apl_t in_apl;
 			result = dns_rdata_tostruct(rdata, sp = &in_apl, NULL);
 			break;
 		}
@ -107,207 +107,207 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,
 		break;
 	}
 	case dns_rdatatype_cert: {
-		dns_rdata_cert_t cert;
+		static dns_rdata_cert_t cert;
 		result = dns_rdata_tostruct(rdata, sp = &cert, NULL);
 		break;
 	}
 	case dns_rdatatype_cname: {
-		dns_rdata_cname_t cname;
+		static dns_rdata_cname_t cname;
 		result = dns_rdata_tostruct(rdata, sp = &cname, NULL);
 		break;
 	}
 	case dns_rdatatype_dname: {
-		dns_rdata_dname_t dname;
+		static dns_rdata_dname_t dname;
 		result = dns_rdata_tostruct(rdata, sp = &dname, NULL);
 		break;
 	}
 	case dns_rdatatype_gpos: {
-		dns_rdata_gpos_t gpos;
+		static dns_rdata_gpos_t gpos;
 		result = dns_rdata_tostruct(rdata, sp = &gpos, NULL);
 		break;
 	}
 	case dns_rdatatype_hinfo: {
-		dns_rdata_hinfo_t hinfo;
+		static dns_rdata_hinfo_t hinfo;
 		result = dns_rdata_tostruct(rdata, sp = &hinfo, NULL);
 		break;
 	}
 	case dns_rdatatype_isdn: {
-		dns_rdata_isdn_t isdn;
+		static dns_rdata_isdn_t isdn;
 		result = dns_rdata_tostruct(rdata, sp = &isdn, NULL);
 		break;
 	}
 	case dns_rdatatype_key: {
-		dns_rdata_key_t key;
+		static dns_rdata_key_t key;
 		result = dns_rdata_tostruct(rdata, sp = &key, NULL);
 		break;
 	}
 	case dns_rdatatype_kx: {
-		dns_rdata_in_kx_t in_kx;
+		static dns_rdata_in_kx_t in_kx;
 		result = dns_rdata_tostruct(rdata, sp = &in_kx, NULL);
 		break;
 	}
 	case dns_rdatatype_loc: {
-		dns_rdata_loc_t loc;
+		static dns_rdata_loc_t loc;
 		result = dns_rdata_tostruct(rdata, sp = &loc, NULL);
 		break;
 	}
 	case dns_rdatatype_mb: {
-		dns_rdata_mb_t mb;
+		static dns_rdata_mb_t mb;
 		result = dns_rdata_tostruct(rdata, sp = &mb, NULL);
 		break;
 	}
 	case dns_rdatatype_md: {
-		dns_rdata_md_t md;
+		static dns_rdata_md_t md;
 		result = dns_rdata_tostruct(rdata, sp = &md, NULL);
 		break;
 	}
 	case dns_rdatatype_mf: {
-		dns_rdata_mf_t mf;
+		static dns_rdata_mf_t mf;
 		result = dns_rdata_tostruct(rdata, sp = &mf, NULL);
 		break;
 	}
 	case dns_rdatatype_mg: {
-		dns_rdata_mg_t mg;
+		static dns_rdata_mg_t mg;
 		result = dns_rdata_tostruct(rdata, sp = &mg, NULL);
 		break;
 	}
 	case dns_rdatatype_minfo: {
-		dns_rdata_minfo_t minfo;
+		static dns_rdata_minfo_t minfo;
 		result = dns_rdata_tostruct(rdata, sp = &minfo, NULL);
 		break;
 	}
 	case dns_rdatatype_mr: {
-		dns_rdata_mr_t mr;
+		static dns_rdata_mr_t mr;
 		result = dns_rdata_tostruct(rdata, sp = &mr, NULL);
 		break;
 	}
 	case dns_rdatatype_mx: {
-		dns_rdata_mx_t mx;
+		static dns_rdata_mx_t mx;
 		result = dns_rdata_tostruct(rdata, sp = &mx, NULL);
 		break;
 	}
 	case dns_rdatatype_naptr: {
-		dns_rdata_naptr_t naptr;
+		static dns_rdata_naptr_t naptr;
 		result = dns_rdata_tostruct(rdata, sp = &naptr, NULL);
 		break;
 	}
 	case dns_rdatatype_ns: {
-		dns_rdata_ns_t ns;
+		static dns_rdata_ns_t ns;
 		result = dns_rdata_tostruct(rdata, sp = &ns, NULL);
 		break;
 	}
 	case dns_rdatatype_nsap: {
-		dns_rdata_in_nsap_t in_nsap;
+		static dns_rdata_in_nsap_t in_nsap;
 		result = dns_rdata_tostruct(rdata, sp = &in_nsap, NULL);
 		break;
 	}
 	case dns_rdatatype_nsap_ptr: {
-		dns_rdata_in_nsap_ptr_t in_nsap_ptr;
+		static dns_rdata_in_nsap_ptr_t in_nsap_ptr;
 		result = dns_rdata_tostruct(rdata, sp = &in_nsap_ptr, NULL);
 		break;
 	}
 	case dns_rdatatype_null: {
-		dns_rdata_null_t null;
+		static dns_rdata_null_t null;
 		result = dns_rdata_tostruct(rdata, sp = &null, NULL);
 		break;
 	}
 	case dns_rdatatype_nxt: {
-		dns_rdata_nxt_t nxt;
+		static dns_rdata_nxt_t nxt;
 		result = dns_rdata_tostruct(rdata, sp = &nxt, NULL);
 		break;
 	}
 	case dns_rdatatype_opt: {
-		dns_rdata_opt_t opt;
+		static dns_rdata_opt_t opt;
 		result = dns_rdata_tostruct(rdata, sp = &opt, NULL);
 		break;
 	}
 	case dns_rdatatype_ptr: {
-		dns_rdata_ptr_t ptr;
+		static dns_rdata_ptr_t ptr;
 		result = dns_rdata_tostruct(rdata, sp = &ptr, NULL);
 		break;
 	}
 	case dns_rdatatype_px: {
-		dns_rdata_in_px_t in_px;
+		static dns_rdata_in_px_t in_px;
 		result = dns_rdata_tostruct(rdata, sp = &in_px, NULL);
 		break;
 	}
 	case dns_rdatatype_rp: {
-		dns_rdata_rp_t rp;
+		static dns_rdata_rp_t rp;
 		result = dns_rdata_tostruct(rdata, sp = &rp, NULL);
 		break;
 	}
 	case dns_rdatatype_rt: {
-		dns_rdata_rt_t rt;
+		static dns_rdata_rt_t rt;
 		result = dns_rdata_tostruct(rdata, sp = &rt, NULL);
 		break;
 	}
 	case dns_rdatatype_sig: {
-		dns_rdata_sig_t sig;
+		static dns_rdata_sig_t sig;
 		result = dns_rdata_tostruct(rdata, sp = &sig, NULL);
 		break;
 	}
 	case dns_rdatatype_soa: {
-		dns_rdata_soa_t soa;
+		static dns_rdata_soa_t soa;
 		result = dns_rdata_tostruct(rdata, sp = &soa, NULL);
 		break;
 	}
 	case dns_rdatatype_srv: {
-		dns_rdata_in_srv_t in_srv;
+		static dns_rdata_in_srv_t in_srv;
 		result = dns_rdata_tostruct(rdata, sp = &in_srv, NULL);
 		break;
 	}
 	case dns_rdatatype_tkey: {
-		dns_rdata_tkey_t tkey;
+		static dns_rdata_tkey_t tkey;
 		result = dns_rdata_tostruct(rdata, sp = &tkey, NULL);
 		break;
 	}
 	case dns_rdatatype_tsig: {
-		dns_rdata_any_tsig_t tsig;
+		static dns_rdata_any_tsig_t tsig;
 		result = dns_rdata_tostruct(rdata, sp = &tsig, NULL);
 		break;
 	}
 	case dns_rdatatype_txt: {
-		dns_rdata_txt_t txt;
+		static dns_rdata_txt_t txt;
 		result = dns_rdata_tostruct(rdata, sp = &txt, NULL);
 		break;
 	}
 	case dns_rdatatype_spf: {
-		dns_rdata_spf_t spf;
+		static dns_rdata_spf_t spf;
 		result = dns_rdata_tostruct(rdata, sp = &spf, NULL);
 		break;
 	}
 	case dns_rdatatype_unspec: {
-		dns_rdata_unspec_t unspec;
+		static dns_rdata_unspec_t unspec;
 		result = dns_rdata_tostruct(rdata, sp = &unspec, NULL);
 		break;
 	}
 	case dns_rdatatype_uri: {
-		dns_rdata_uri_t uri;
+		static dns_rdata_uri_t uri;
 		result = dns_rdata_tostruct(rdata, sp = &uri, NULL);
 		break;
 	}
 	case dns_rdatatype_wks: {
-		dns_rdata_in_wks_t in_wks;
+		static dns_rdata_in_wks_t in_wks;
 		result = dns_rdata_tostruct(rdata, sp = &in_wks, NULL);
 		break;
 	}
 	case dns_rdatatype_x25: {
-		dns_rdata_x25_t x25;
+		static dns_rdata_x25_t x25;
 		result = dns_rdata_tostruct(rdata, sp = &x25, NULL);
 		break;
 	}
 	case dns_rdatatype_nsec: {
-		dns_rdata_nsec_t nsec;
+		static dns_rdata_nsec_t nsec;
 		result = dns_rdata_tostruct(rdata, sp = &nsec, NULL);
 		break;
 	}
 	case dns_rdatatype_rrsig: {
-		dns_rdata_rrsig_t rrsig;
+		static dns_rdata_rrsig_t rrsig;
 		result = dns_rdata_tostruct(rdata, sp = &rrsig, NULL);
 		break;
 	}
 	case dns_rdatatype_dnskey: {
-		dns_rdata_dnskey_t dnskey;
+		static dns_rdata_dnskey_t dnskey;
 		result = dns_rdata_tostruct(rdata, sp = &dnskey, NULL);
 		break;
 	}
@ -324,19 +324,19 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,

 	switch (rdata->type) {
 	case dns_rdatatype_a6: {
-		dns_rdata_in_a6_t in_a6;
+		static dns_rdata_in_a6_t in_a6;
 		result = dns_rdata_tostruct(rdata, sp = &in_a6, mctx);
 		break;
 	}
 	case dns_rdatatype_a: {
 		switch (rdata->rdclass) {
 		case dns_rdataclass_hs: {
-			dns_rdata_hs_a_t hs_a;
+			static dns_rdata_hs_a_t hs_a;
 			result = dns_rdata_tostruct(rdata, sp = &hs_a, mctx);
 			break;
 		}
 		case dns_rdataclass_in: {
-			dns_rdata_in_a_t in_a;
+			static dns_rdata_in_a_t in_a;
 			result = dns_rdata_tostruct(rdata, sp = &in_a, mctx);
 			break;
 		}
@ -347,12 +347,12 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,
 		break;
 	}
 	case dns_rdatatype_aaaa: {
-		dns_rdata_in_aaaa_t in_aaaa;
+		static dns_rdata_in_aaaa_t in_aaaa;
 		result = dns_rdata_tostruct(rdata, sp = &in_aaaa, mctx);
 		break;
 	}
 	case dns_rdatatype_afsdb: {
-		dns_rdata_afsdb_t afsdb;
+		static dns_rdata_afsdb_t afsdb;
 		result = dns_rdata_tostruct(rdata, sp = &afsdb, mctx);
 		break;
 	}
@ -363,7 +363,7 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,
 	case dns_rdatatype_apl: {
 		switch (rdata->rdclass) {
 		case dns_rdataclass_in: {
-			dns_rdata_in_apl_t in_apl;
+			static dns_rdata_in_apl_t in_apl;
 			result = dns_rdata_tostruct(rdata, sp = &in_apl, mctx);
 			break;
 		}
@ -374,207 +374,207 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,
 		break;
 	}
 	case dns_rdatatype_cert: {
-		dns_rdata_cert_t cert;
+		static dns_rdata_cert_t cert;
 		result = dns_rdata_tostruct(rdata, sp = &cert, mctx);
 		break;
 	}
 	case dns_rdatatype_cname: {
-		dns_rdata_cname_t cname;
+		static dns_rdata_cname_t cname;
 		result = dns_rdata_tostruct(rdata, sp = &cname, mctx);
 		break;
 	}
 	case dns_rdatatype_dname: {
-		dns_rdata_dname_t dname;
+		static dns_rdata_dname_t dname;
 		result = dns_rdata_tostruct(rdata, sp = &dname, mctx);
 		break;
 	}
 	case dns_rdatatype_gpos: {
-		dns_rdata_gpos_t gpos;
+		static dns_rdata_gpos_t gpos;
 		result = dns_rdata_tostruct(rdata, sp = &gpos, mctx);
 		break;
 	}
 	case dns_rdatatype_hinfo: {
-		dns_rdata_hinfo_t hinfo;
+		static dns_rdata_hinfo_t hinfo;
 		result = dns_rdata_tostruct(rdata, sp = &hinfo, mctx);
 		break;
 	}
 	case dns_rdatatype_isdn: {
-		dns_rdata_isdn_t isdn;
+		static dns_rdata_isdn_t isdn;
 		result = dns_rdata_tostruct(rdata, sp = &isdn, mctx);
 		break;
 	}
 	case dns_rdatatype_key: {
-		dns_rdata_key_t key;
+		static dns_rdata_key_t key;
 		result = dns_rdata_tostruct(rdata, sp = &key, mctx);
 		break;
 	}
 	case dns_rdatatype_kx: {
-		dns_rdata_in_kx_t in_kx;
+		static dns_rdata_in_kx_t in_kx;
 		result = dns_rdata_tostruct(rdata, sp = &in_kx, mctx);
 		break;
 	}
 	case dns_rdatatype_loc: {
-		dns_rdata_loc_t loc;
+		static dns_rdata_loc_t loc;
 		result = dns_rdata_tostruct(rdata, sp = &loc, mctx);
 		break;
 	}
 	case dns_rdatatype_mb: {
-		dns_rdata_mb_t mb;
+		static dns_rdata_mb_t mb;
 		result = dns_rdata_tostruct(rdata, sp = &mb, mctx);
 		break;
 	}
 	case dns_rdatatype_md: {
-		dns_rdata_md_t md;
+		static dns_rdata_md_t md;
 		result = dns_rdata_tostruct(rdata, sp = &md, mctx);
 		break;
 	}
 	case dns_rdatatype_mf: {
-		dns_rdata_mf_t mf;
+		static dns_rdata_mf_t mf;
 		result = dns_rdata_tostruct(rdata, sp = &mf, mctx);
 		break;
 	}
 	case dns_rdatatype_mg: {
-		dns_rdata_mg_t mg;
+		static dns_rdata_mg_t mg;
 		result = dns_rdata_tostruct(rdata, sp = &mg, mctx);
 		break;
 	}
 	case dns_rdatatype_minfo: {
-		dns_rdata_minfo_t minfo;
+		static dns_rdata_minfo_t minfo;
 		result = dns_rdata_tostruct(rdata, sp = &minfo, mctx);
 		break;
 	}
 	case dns_rdatatype_mr: {
-		dns_rdata_mr_t mr;
+		static dns_rdata_mr_t mr;
 		result = dns_rdata_tostruct(rdata, sp = &mr, mctx);
 		break;
 	}
 	case dns_rdatatype_mx: {
-		dns_rdata_mx_t mx;
+		static dns_rdata_mx_t mx;
 		result = dns_rdata_tostruct(rdata, sp = &mx, mctx);
 		break;
 	}
 	case dns_rdatatype_naptr: {
-		dns_rdata_naptr_t naptr;
+		static dns_rdata_naptr_t naptr;
 		result = dns_rdata_tostruct(rdata, sp = &naptr, mctx);
 		break;
 	}
 	case dns_rdatatype_ns: {
-		dns_rdata_ns_t ns;
+		static dns_rdata_ns_t ns;
 		result = dns_rdata_tostruct(rdata, sp = &ns, mctx);
 		break;
 	}
 	case dns_rdatatype_nsap: {
-		dns_rdata_in_nsap_t in_nsap;
+		static dns_rdata_in_nsap_t in_nsap;
 		result = dns_rdata_tostruct(rdata, sp = &in_nsap, mctx);
 		break;
 	}
 	case dns_rdatatype_nsap_ptr: {
-		dns_rdata_in_nsap_ptr_t in_nsap_ptr;
+		static dns_rdata_in_nsap_ptr_t in_nsap_ptr;
 		result = dns_rdata_tostruct(rdata, sp = &in_nsap_ptr, mctx);
 		break;
 	}
 	case dns_rdatatype_null: {
-		dns_rdata_null_t null;
+		static dns_rdata_null_t null;
 		result = dns_rdata_tostruct(rdata, sp = &null, mctx);
 		break;
 	}
 	case dns_rdatatype_nxt: {
-		dns_rdata_nxt_t nxt;
+		static dns_rdata_nxt_t nxt;
 		result = dns_rdata_tostruct(rdata, sp = &nxt, mctx);
 		break;
 	}
 	case dns_rdatatype_opt: {
-		dns_rdata_opt_t opt;
+		static dns_rdata_opt_t opt;
 		result = dns_rdata_tostruct(rdata, sp = &opt, mctx);
 		break;
 	}
 	case dns_rdatatype_ptr: {
-		dns_rdata_ptr_t ptr;
+		static dns_rdata_ptr_t ptr;
 		result = dns_rdata_tostruct(rdata, sp = &ptr, mctx);
 		break;
 	}
 	case dns_rdatatype_px: {
-		dns_rdata_in_px_t in_px;
+		static dns_rdata_in_px_t in_px;
 		result = dns_rdata_tostruct(rdata, sp = &in_px, mctx);
 		break;
 	}
 	case dns_rdatatype_rp: {
-		dns_rdata_rp_t rp;
+		static dns_rdata_rp_t rp;
 		result = dns_rdata_tostruct(rdata, sp = &rp, mctx);
 		break;
 	}
 	case dns_rdatatype_rt: {
-		dns_rdata_rt_t rt;
+		static dns_rdata_rt_t rt;
 		result = dns_rdata_tostruct(rdata, sp = &rt, mctx);
 		break;
 	}
 	case dns_rdatatype_sig: {
-		dns_rdata_sig_t sig;
+		static dns_rdata_sig_t sig;
 		result = dns_rdata_tostruct(rdata, sp = &sig, mctx);
 		break;
 	}
 	case dns_rdatatype_soa: {
-		dns_rdata_soa_t soa;
+		static dns_rdata_soa_t soa;
 		result = dns_rdata_tostruct(rdata, sp = &soa, mctx);
 		break;
 	}
 	case dns_rdatatype_srv: {
-		dns_rdata_in_srv_t in_srv;
+		static dns_rdata_in_srv_t in_srv;
 		result = dns_rdata_tostruct(rdata, sp = &in_srv, mctx);
 		break;
 	}
 	case dns_rdatatype_tkey: {
-		dns_rdata_tkey_t tkey;
+		static dns_rdata_tkey_t tkey;
 		result = dns_rdata_tostruct(rdata, sp = &tkey, mctx);
 		break;
 	}
 	case dns_rdatatype_tsig: {
-		dns_rdata_any_tsig_t tsig;
+		static dns_rdata_any_tsig_t tsig;
 		result = dns_rdata_tostruct(rdata, sp = &tsig, mctx);
 		break;
 	}
 	case dns_rdatatype_txt: {
-		dns_rdata_txt_t txt;
+		static dns_rdata_txt_t txt;
 		result = dns_rdata_tostruct(rdata, sp = &txt, mctx);
 		break;
 	}
 	case dns_rdatatype_spf: {
-		dns_rdata_spf_t spf;
+		static dns_rdata_spf_t spf;
 		result = dns_rdata_tostruct(rdata, sp = &spf, mctx);
 		break;
 	}
 	case dns_rdatatype_unspec: {
-		dns_rdata_unspec_t unspec;
+		static dns_rdata_unspec_t unspec;
 		result = dns_rdata_tostruct(rdata, sp = &unspec, mctx);
 		break;
 	}
 	case dns_rdatatype_uri: {
-		dns_rdata_uri_t uri;
+		static dns_rdata_uri_t uri;
 		result = dns_rdata_tostruct(rdata, sp = &uri, mctx);
 		break;
 	}
 	case dns_rdatatype_wks: {
-		dns_rdata_in_wks_t in_wks;
+		static dns_rdata_in_wks_t in_wks;
 		result = dns_rdata_tostruct(rdata, sp = &in_wks, mctx);
 		break;
 	}
 	case dns_rdatatype_x25: {
-		dns_rdata_x25_t x25;
+		static dns_rdata_x25_t x25;
 		result = dns_rdata_tostruct(rdata, sp = &x25, mctx);
 		break;
 	}
 	case dns_rdatatype_nsec: {
-		dns_rdata_nsec_t nsec;
+		static dns_rdata_nsec_t nsec;
 		result = dns_rdata_tostruct(rdata, sp = &nsec, mctx);
 		break;
 	}
 	case dns_rdatatype_rrsig: {
-		dns_rdata_rrsig_t rrsig;
+		static dns_rdata_rrsig_t rrsig;
 		result = dns_rdata_tostruct(rdata, sp = &rrsig, mctx);
 		break;
 	}
 	case dns_rdatatype_dnskey: {
-		dns_rdata_dnskey_t dnskey;
+		static dns_rdata_dnskey_t dnskey;
 		result = dns_rdata_tostruct(rdata, sp = &dnskey, mctx);
 		break;
 	}
--- a/external/bsd/bind/dist/bin/tests/resolver/t_resolver.c
+++ b/external/bsd/bind/dist/bin/tests/resolver/t_resolver.c
@ -1,4 +1,4 @@
-/*	$NetBSD: t_resolver.c,v 1.6 2012/12/04 23:38:39 spz Exp $	*/
+/*	$NetBSD: t_resolver.c,v 1.7 2013/07/27 19:23:10 christos Exp $	*/

 /*
 * Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
@ -87,7 +87,7 @@ make_resolver(dns_resolver_t **resolverp) {
 	isc_result_t result;

 	result = dns_resolver_create(view,
-			    task_manager, 1,
+			    task_manager, 1, 1,
 			    socket_manager,
 			    timer_manager,
 			    0, /* unsigned int options, */
--- a/external/bsd/bind/dist/bin/tests/shutdown_test.c
+++ b/external/bsd/bind/dist/bin/tests/shutdown_test.c
@ -1,7 +1,7 @@
-/*	$NetBSD: shutdown_test.c,v 1.4 2013/03/24 18:44:41 christos Exp $	*/
+/*	$NetBSD: shutdown_test.c,v 1.5 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004, 2007, 2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2011, 2013  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1998-2001  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -180,9 +180,13 @@ main(int argc, char *argv[]) {
 	isc__socket_register();
 	RUNTIME_CHECK(isc_app_start() == ISC_R_SUCCESS);

-	if (argc > 1)
+	if (argc > 1) {
 		workers = atoi(argv[1]);
-	else
+		if (workers < 1)
+			workers = 1;
+		if (workers > 8192)
+			workers = 8192;
+	} else
 		workers = 2;
 	printf("%d workers\n", workers);

--- a/external/bsd/bind/dist/bin/tests/sig0_test.c
+++ b/external/bsd/bind/dist/bin/tests/sig0_test.c
@ -1,7 +1,7 @@
-/*	$NetBSD: sig0_test.c,v 1.4 2013/03/24 18:44:41 christos Exp $	*/
+/*	$NetBSD: sig0_test.c,v 1.5 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000, 2001  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -267,7 +267,7 @@ main(int argc, char *argv[]) {

 	dns_fixedname_init(&fname);
 	name = dns_fixedname_name(&fname);
-	isc_buffer_init(&b, "child.example.", strlen("child.example."));
+	isc_buffer_constinit(&b, "child.example.", strlen("child.example."));
 	isc_buffer_add(&b, strlen("child.example."));
 	result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
 	CHECK("dns_name_fromtext", result);
--- a/external/bsd/bind/dist/bin/tests/sock_test.c
+++ b/external/bsd/bind/dist/bin/tests/sock_test.c
@ -1,7 +1,7 @@
-/*	$NetBSD: sock_test.c,v 1.4 2013/03/24 18:44:41 christos Exp $	*/
+/*	$NetBSD: sock_test.c,v 1.5 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2008, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1998-2001  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -207,8 +207,9 @@ my_listen(isc_task_t *task, isc_event_t *event) {
 		/*
 		 * Queue another listen on this socket.
 		 */
-		isc_socket_accept(event->ev_sender, task, my_listen,
-				  event->ev_arg);
+		RUNTIME_CHECK(isc_socket_accept(event->ev_sender, task,
+						my_listen, event->ev_arg)
+			      == ISC_R_SUCCESS);

 		region.base = isc_mem_get(mctx, 20);
 		region.length = 20;
@ -268,9 +269,14 @@ main(int argc, char *argv[]) {
 	isc__task_register();
 	isc__timer_register();
 	isc__socket_register();
-	if (argc > 1)
+
+	if (argc > 1) {
 		workers = atoi(argv[1]);
-	else
+		if (workers < 1)
+			workers = 1;
+		if (workers > 8192)
+			workers = 8192;
+	} else
 		workers = 2;
 	printf("%d workers\n", workers);

--- a/external/bsd/bind/dist/bin/tests/system/checkconf/bad.conf
+++ b/external/bsd/bind/dist/bin/tests/system/checkconf/bad.conf
@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* Id: bad.conf,v 1.4 2007/06/19 23:47:01 tbox Exp  */
-
-options {
-	avoid-v4-udp-ports { 100; }
-	avoid-v6-udp-ports { 100; };
-	blackhole { 10.0.0.0/8; };
-	coresize 1G;
-	datasize 100M;
-	deallocate-on-exit yes;
-	directory ".";
-	dump-file "named_dumpdb";
-	fake-iquery yes;
-	files 1000;
-	has-old-clients no;
-	heartbeat-interval 30;
-	host-statistics yes;
-	host-statistics-max 100;
-	hostname none;
-	interface-interval 30;
-	listen-on port 90 { any; };
-	listen-on port 100 { 127.0.0.1; };
-	listen-on-v6 port 53 { none; };
-	match-mapped-addresses yes;
-	memstatistics-file "named.memstats";
-	multiple-cnames no;
-	named-xfer "this is no longer needed";
-	pid-file none;
-	port 5300;
-	querylog yes;
-	recursing-file "named.recursing";
-	random-device "/dev/random";
-	recursive-clients 3000;
-	serial-queries 10;
-	serial-query-rate 100;
-	server-id none;
-};
--- a/external/bsd/bind/dist/bin/tests/system/checkconf/badtsig.conf
+++ b/external/bsd/bind/dist/bin/tests/system/checkconf/badtsig.conf
@ -1,22 +0,0 @@
-/*
- * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* Bad secret */
-key "badtsig" {
-	algorithm hmac-md5;
-	secret "jEdD+BPKg==";
-};
-
--- a/external/bsd/bind/dist/bin/tests/system/lwresd/lwtest.c
+++ b/external/bsd/bind/dist/bin/tests/system/lwresd/lwtest.c
@ -1,7 +1,7 @@
-/*	$NetBSD: lwtest.c,v 1.4 2013/03/24 18:44:42 christos Exp $	*/
+/*	$NetBSD: lwtest.c,v 1.5 2013/07/27 19:23:11 christos Exp $	*/

 /*
- * Copyright (C) 2004, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2008, 2012  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000-2002  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -402,7 +402,7 @@ test_gethostbyaddr(const char *address, int af, const char *name) {
 			return;
 		}
 	} else {
-		if (strcmp(hp->h_name, name) != 0) {
+		if (name != NULL && strcmp(hp->h_name, name) != 0) {
 			printf("I:gethostbyname(%s) returned %s, "
 			       "expected %s\n", address, hp->h_name, name);
 			fails++;
@ -442,7 +442,7 @@ test_getipnodebyaddr(const char *address, int af, const char *name) {
 			return;
 		}
 	} else {
-		if (strcmp(hp->h_name, name) != 0) {
+		if (name != NULL && strcmp(hp->h_name, name) != 0) {
 			printf("I:getipnodebyaddr(%s) returned %s, "
 			       "expected %s\n", address, hp->h_name, name);
 			freehostent(hp);
--- a/external/bsd/bind/dist/bin/tests/system/redirect/ns2/redirect.db
+++ b/external/bsd/bind/dist/bin/tests/system/redirect/ns2/redirect.db
@ -1,25 +0,0 @@
-; Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
-;
-; Permission to use, copy, modify, and/or distribute this software for any
-; purpose with or without fee is hereby granted, provided that the above
-; copyright notice and this permission notice appear in all copies.
-;
-; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-; PERFORMANCE OF THIS SOFTWARE.
-
-; Id: redirect.db,v 1.3 2011/03/01 23:48:07 tbox Exp 
-
-$TTL 300
-@ IN SOA ns.example.net hostmaster.example.net 0 0 0 0 0
-@ IN NS ns.example.net
-;
-; NS records do not need address records in this zone as it is not in the
-; normal namespace.
-;
-*. IN A 100.100.100.1
-*. IN AAAA 2001:ffff:ffff::100.100.100.1
--- a/external/bsd/bind/dist/bin/tests/system/rpz/rpz.c
+++ b/external/bsd/bind/dist/bin/tests/system/rpz/rpz.c
@ -1,7 +1,7 @@
-/*	$NetBSD: rpz.c,v 1.4 2012/12/04 23:38:39 spz Exp $	*/
+/*	$NetBSD: rpz.c,v 1.5 2013/07/27 19:23:11 christos Exp $	*/

 /*
- * Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@ -16,7 +16,8 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* Id: rpz.c,v 1.3 2011/01/13 04:59:24 tbox Exp  */
+/* Id */
+

 #include <config.h>

--- a/external/bsd/bind/dist/bin/tests/system/rsabigexponent/bigkey.c
+++ b/external/bsd/bind/dist/bin/tests/system/rsabigexponent/bigkey.c
@ -1,4 +1,4 @@
-/*	$NetBSD: bigkey.c,v 1.3 2013/03/24 18:44:42 christos Exp $	*/
+/*	$NetBSD: bigkey.c,v 1.4 2013/07/27 19:23:11 christos Exp $	*/

 /*
 * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
@ -208,7 +208,7 @@ main(int argc, char **argv) {
 	      "isc_log_usechannel()");
 	dns_fixedname_init(&fname);
 	name = dns_fixedname_name(&fname);
-	isc_buffer_init(&buf, "example.", strlen("example."));
+	isc_buffer_constinit(&buf, "example.", strlen("example."));
 	isc_buffer_add(&buf, strlen("example."));
 	CHECK(dns_name_fromtext(name, &buf, dns_rootname, 0, NULL),
 	      "dns_name_fromtext(\"example.\")");
--- a/external/bsd/bind/dist/bin/tests/system/tkey/keycreate.c
+++ b/external/bsd/bind/dist/bin/tests/system/tkey/keycreate.c
@ -1,7 +1,7 @@
-/*	$NetBSD: keycreate.c,v 1.4 2013/03/24 18:44:43 christos Exp $	*/
+/*	$NetBSD: keycreate.c,v 1.5 2013/07/27 19:23:11 christos Exp $	*/

 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2001  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -152,14 +152,14 @@ sendquery(isc_task_t *task, isc_event_t *event) {
 	isc_sockaddr_fromin(&address, &inaddr, PORT);

 	dns_fixedname_init(&keyname);
-	isc_buffer_init(&namestr, "tkeytest.", 9);
+	isc_buffer_constinit(&namestr, "tkeytest.", 9);
 	isc_buffer_add(&namestr, 9);
 	result = dns_name_fromtext(dns_fixedname_name(&keyname), &namestr,
 				   NULL, 0, NULL);
 	CHECK("dns_name_fromtext", result);

 	dns_fixedname_init(&ownername);
-	isc_buffer_init(&namestr, ownername_str, strlen(ownername_str));
+	isc_buffer_constinit(&namestr, ownername_str, strlen(ownername_str));
 	isc_buffer_add(&namestr, strlen(ownername_str));
 	result = dns_name_fromtext(dns_fixedname_name(&ownername), &namestr,
 				   NULL, 0, NULL);
--- a/external/bsd/bind/dist/bin/tests/task_test.c
+++ b/external/bsd/bind/dist/bin/tests/task_test.c
@ -1,7 +1,7 @@
-/*	$NetBSD: task_test.c,v 1.4 2013/03/24 18:44:41 christos Exp $	*/
+/*	$NetBSD: task_test.c,v 1.5 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2013  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1998-2001  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -75,9 +75,14 @@ main(int argc, char *argv[]) {
 	isc__task_register();
 	isc__timer_register();
 	isc__socket_register();
-	if (argc > 1)
+
+	if (argc > 1) {
 		workers = atoi(argv[1]);
-	else
+		if (workers < 1)
+			workers = 1;
+		if (workers > 8192)
+			workers = 8192;
+	} else
 		workers = 2;
 	printf("%d workers\n", workers);

--- a/external/bsd/bind/dist/bin/tests/timer_test.c
+++ b/external/bsd/bind/dist/bin/tests/timer_test.c
@ -1,7 +1,7 @@
-/*	$NetBSD: timer_test.c,v 1.4 2013/03/24 18:44:41 christos Exp $	*/
+/*	$NetBSD: timer_test.c,v 1.5 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2013  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1998-2001  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -108,9 +108,14 @@ main(int argc, char *argv[]) {
 	isc__task_register();
 	isc__timer_register();
 	isc__socket_register();
-	if (argc > 1)
+
+	if (argc > 1) {
 		workers = atoi(argv[1]);
-	else
+		if (workers < 1)
+			workers = 1;
+		if (workers > 8192)
+			workers = 8192;
+	} else
 		workers = 2;
 	printf("%d workers\n", workers);

--- a/external/bsd/bind/dist/bin/tests/zone_test.c
+++ b/external/bsd/bind/dist/bin/tests/zone_test.c
@ -1,7 +1,7 @@
-/*	$NetBSD: zone_test.c,v 1.4 2013/03/24 18:44:42 christos Exp $	*/
+/*	$NetBSD: zone_test.c,v 1.5 2013/07/27 19:23:10 christos Exp $	*/

 /*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2002  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -102,7 +102,7 @@ setup(const char *zonename, const char *filename, const char *classname) {

 	dns_zone_settype(zone, zonetype);

-	isc_buffer_init(&buffer, zonename, strlen(zonename));
+	isc_buffer_constinit(&buffer, zonename, strlen(zonename));
 	isc_buffer_add(&buffer, strlen(zonename));
 	dns_fixedname_init(&fixorigin);
 	result = dns_name_fromtext(dns_fixedname_name(&fixorigin),
@ -267,8 +267,12 @@ main(int argc, char **argv) {
 		case 'm':
 			memset(&addr, 0, sizeof(addr));
 			addr.type.sin.sin_family = AF_INET;
-			inet_pton(AF_INET, isc_commandline_argument,
-				  &addr.type.sin.sin_addr);
+			if (inet_pton(AF_INET, isc_commandline_argument,
+				      &addr.type.sin.sin_addr) != 1) {
+				fprintf(stderr, "bad master address '%s'\n",
+					isc_commandline_argument);
+				exit(1);
+			}
 			addr.type.sin.sin_port = htons(53);
 			break;
 		case 'q':
--- a/external/bsd/bind/dist/bin/tools/genrandom.c
+++ b/external/bsd/bind/dist/bin/tools/genrandom.c
@ -1,7 +1,7 @@
-/*	$NetBSD: genrandom.c,v 1.4 2013/03/24 18:44:43 christos Exp $	*/
+/*	$NetBSD: genrandom.c,v 1.5 2013/07/27 19:23:11 christos Exp $	*/

 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000-2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -99,6 +99,7 @@ main(int argc, char **argv) {
 			if (isc_commandline_option != '?')
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
+			/* FALLTHROUGH */
 		case 'h':
 			usage();

--- a/external/bsd/bind/dist/bin/tools/isc-hmac-fixup.8
+++ b/external/bsd/bind/dist/bin/tools/isc-hmac-fixup.8
@ -1,6 +1,6 @@
-.\"	$NetBSD: isc-hmac-fixup.8,v 1.3 2012/06/05 00:39:36 christos Exp $
+.\"	$NetBSD: isc-hmac-fixup.8,v 1.4 2013/07/27 19:23:11 christos Exp $
 .\"
-.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2010, 2013 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@ -25,7 +25,7 @@
 .\"    Manual: BIND9
 .\"    Source: BIND9
 .\"
-.TH "ISC\-HMAC\-FIXUP" "1" "January 5, 2010" "BIND9" "BIND9"
+.TH "ISC\-HMAC\-FIXUP" "8" "January 5, 2010" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@ -59,5 +59,5 @@ RFC 2104.
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2010 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2010, 2013 Internet Systems Consortium, Inc. ("ISC")
 .br
--- a/external/bsd/bind/dist/config.h.in
+++ b/external/bsd/bind/dist/config.h.in
@ -283,6 +283,9 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to 1 if you have the <net/if6.h> header file. */
 #undef HAVE_NET_IF6_H

+/* Define if your OpenSSL version supports ECDSA. */
+#undef HAVE_OPENSSL_ECDSA
+
 /* Define if your OpenSSL version supports GOST. */
 #undef HAVE_OPENSSL_GOST

@ -376,6 +379,10 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to allow building of objects for dlopen(). */
 #undef ISC_DLZ_DLOPEN

+/* Define to the sub-directory in which libtool stores uninstalled libraries.
+   */
+#undef LT_OBJDIR
+
 /* Defined if extern char *optarg is not declared. */
 #undef NEED_OPTARG

@ -383,6 +390,9 @@ int sigwait(const unsigned int *set, int *sig);
   */
 #undef NEED_SECURE_DIRECTORY

+/* Use the new XML schema for statistics */
+#undef NEWSTATS
+
 /* Define to the address where bug reports for this package should be sent. */
 #undef PACKAGE_BUGREPORT

--- a/external/bsd/bind/dist/contrib/dbus/GetForwarders
+++ b/external/bsd/bind/dist/contrib/dbus/GetForwarders
@ -1,31 +0,0 @@
-#!/bin/bash
-#
-#  This script uses the named D-BUS support, which must be enabled in
-#  the running named with the named '-D' option, to get and print the
-#  list of forwarding zones in the running server.
-# 
-#  It accepts an optional <zone> first argument which is the DNS name 
-#  of the zone whose forwarders (if any) will be retrieved.
-#
-#  If no zone argument is specified, all forwarding zones will be listed.
-#
-#  Usage: GetForwarders [ <zone> ] 
-# 
-#  Copyright(C) Jason Vas Dias<jvdias@redhat.com> Red Hat Inc. 2005
-#
-#  This program is free software; you can redistribute it and/or modify
-#  it under the terms of the GNU General Public License as published by
-#  the Free Software Foundation at 
-#           http://www.fsf.org/licensing/licenses/gpl.txt
-#  and included in this software distribution as the "LICENSE" file.
-#
-#  This program is distributed in the hope that it will be useful,
-#  but WITHOUT ANY WARRANTY; without even the implied warranty of
-#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#  GNU General Public License for more details.
-#
-zone=''
-if [ $# -gt 0 ]; then 
-   zone="string:$1";
-fi
-dbus-send --system --type=method_call --print-reply --reply-timeout=20000 --dest=com.redhat.named /com/redhat/named com.redhat.named.text.GetForwarders $zone;
--- a/external/bsd/bind/dist/contrib/dbus/INSTALL
+++ b/external/bsd/bind/dist/contrib/dbus/INSTALL
@ -1,9 +0,0 @@
-To build named with D-BUS support, run
-# make
-in this directory.
-Then cd to the top-level BIND source directory,
-(../..), and 
-# ./configure ...; make
-After building, cd back to contrib/dbus and run:
-# make install
-as root to install the D-BUS configuration files. 
--- a/external/bsd/bind/dist/contrib/dbus/Makefile.9.3.2b1
+++ b/external/bsd/bind/dist/contrib/dbus/Makefile.9.3.2b1
@ -1,20 +0,0 @@
-# contrib/dbus/Makefile
-# 
-# This Makefile will install D-BUS support into the ISC BIND 9.3.2b1+ source,
-# necessary to support dynamic forwarding table management with D-BUS, for
-# Red Hat NetworkManager support.
-#
-# After running "make" in this directory, simply run make in the top level
-# BIND source directory, and D-BUS support will be enabled.
-#
-
-all:
-	echo 'Enabling D-BUS support...'
-	@ cp -fp dbus_mgr.c dbus_service.c ../../bin/named;
-	@ cp -fp dbus_mgr.h dbus_service.h ../../bin/named/include/named;
-	@ cp -fp README.DBUS ../../doc/misc
-	@ cd ../..; patch -s -p1 -b --suffix=.dbus < contrib/dbus/bind-9.3.2b1-dbus.patch
-
-install:
-	install -o root -g root -m 640 named-dbus-system.conf /etc/dbus-1/system.d/named.conf
-	install -o root -g root -m 640 named-dbus.service /usr/share/dbus-1/services/named.service
--- a/Show More
+++ b/Show More
				`@ -1 +0,0 @@`
				`dh. IN KEY 0 2 2 AAEBAAAAYIHI/wjtOagNga9GILSoS02IVelgLilPE/TfhtvShsiDAXqb IfxQcj2JkuOnNLs5ttb2WZXWl5/jsSjIxHMwMF2XY4gwt/lwHBf/vgYH r7aIxnKXov1jk9rymTLHGKIOtg==`
				`@ -1 +0,0 @@`
				`dh. IN KEY 0 2 2 AAEBAAAAYOuaKjyMXYame2F6/ZFdEmXv0a2edB+69PEZgrExA6SJlivn 4KqAsfBHr/+0BCb+7nfWeMDSh2BXnSzWkXF1wMaCHMuz9EleG1gKFKeV Q9gKli88Cb8/jbovWChrGBNp2w==`
				`@ -1 +0,0 @@`
				`test. IN DNSKEY 257 3 1 AQPQjwSpaVzxIgRCpiUoozUQKGh2oX8NIFKDOvtxK+tn536OZg2cROKTlgGEHXJK9YHfW/6nzQULTVpb63P+SQMmjCCidb8IYyhItixRztVeJQ==`
				`@ -1 +0,0 @@`
				`test. IN DNSKEY 16641 3 3 ANp1//lqDlEfTavcFI+cyudNfgEz73V/K7fSDvkA0eDYcGg/kSvEjAEO/oLWCERltkuC55ZcM/mSv17WF1d/wR6kww/pLI9eXwkjftAYqs5sNxk+mbEGl6zwve9wq5z7IoTY5/J4l7XLCKftg/wGvrzXQhggIkRvEh3myhxd+ouILcpfvTIthWlTKiH59tSJpmgmiSMTE7nDYaf10iVRWN6DMSprgejiH05/fpmyZAt44tyAh4m1wXS5u4tam1PXDJYJozn7EfQ8e2weIv1yC+t6PHSx`