From: Victor Balada Diaz <victor@dragonflybsd.org>
Date: Thu, 15 Feb 2007 21:03:46 +0000 (+0000)
Subject: Import bind-9.3.4
X-Git-Tag: v2.0.1~3512^2
X-Git-Url: https://gitweb.dragonflybsd.org/dragonfly.git/commitdiff_plain/194423db0ad6b8366b289ac659a772264e97ae3f

Import bind-9.3.4
---

diff --git a/contrib/bind-9.3/CHANGES b/contrib/bind-9.3/CHANGES
index 0cfafd20ab..acf2817b5b 100644
--- a/contrib/bind-9.3/CHANGES
+++ b/contrib/bind-9.3/CHANGES
@@ -1,11 +1,357 @@
 
-	--- 9.3.2-P1 released ---
+	--- 9.3.4 released ---
+
+2126.	[security]	Serialise validation of type ANY responses. [RT #16555]
+
+2124.	[security]	It was possible to dereference a freed fetch
+			context. [RT #16584]
+
+	--- 9.3.3 released ---
+
+2107.	[bug]		dighost.c: more cleanup of buffers. [RT #16499]
+
+2104.	[port]		Fix Solaris SMF error message.
+
+2103.	[port]		Add /usr/sfw to list of locations for OpenSSL
+			under Solaris.
+
+2102.	[port]		Silence solaris 10 warnings.
+
+2101.	[bug]		OpenSSL version checks were not quite right.
+			[RT #16476]
+
+2100.	[port]		win32: copy libeay32.dll to Build\Debug.
+
+2099.	[port]		win32: more manifiest issues.
+
+	--- 9.3.3rc3 released ---
+
+2096.	[bug]		libbind: handle applications that fail to detect
+			res_init() failures better.
+
+2095.	[port]		libbind: alway prototype inet_cidr_ntop_ipv6() and
+			net_cidr_ntop_ipv6(). [RT #16388]
+ 
+2094.	[contrib]	Update named-bootconf.  [RT# 16404]
+
+2092.	[bug]		win32: dig, host, nslookup.  Use registry config
+			if resolv.conf does not exist or no nameservers
+			listed. [RT #15877] 
+
+2091.	[port]		dighost.c: race condition on cleanup. [RT #16417]
+
+2090.	[port]		win32: Visual C++ 2005 command line manifest support.
+			[RT #16417]
+
+2089.	[security]	Raise the minimum safe OpenSSL versions to
+			OpenSSL 0.9.7l and OpenSSL 0.9.8d.  Versions
+			prior to these have known security flaws which
+			are (potentially) exploitable in named. [RT #16391]
+
+2088.	[security]	Change the default RSA exponent from 3 to 65537.
+			[RT #16391]
+
+2086.	[port]		libbind: FreeBSD now has get*by*_r() functions.
+			[RT #16403]
+
+2085.	[doc]		win32: added index.html and README to zip. [RT #16201]
+
+2084.	[contrib]	dbus update for 9.3.3rc2.
+
+2083.	[port]		win32: Visual C++ 2005 support.
+
+2082.	[doc]		Document 'cache-file' as a test only option.
+
+	--- 9.3.3rc2 released ---
+
+2081.	[port]		libbind: minor 64-bit portability fix in memcluster.c.
+			[RT #16360]
+
+2080.	[port]		libbind: res_init.c did not compile on older versions
+			of Solaris. [RT #16363]
+
+2076.	[bug]		Several files were missing #include <config.h>
+			causing build failures on OSF. [RT #16341]
+
+2074.	[bug]		dns_request_createvia2(), dns_request_createvia3(),
+			dns_request_createraw2() and dns_request_createraw3()
+			failed to send multiple UDP requests. [RT #16349]
 
 2066.	[security]	Handle SIG queries gracefully. [RT #16300]
 
+	--- 9.3.3rc1 released ---
+
+2071.	[port]		Test whether gcc accepts -fno-strict-aliasing.
+			[RT #16324]
+
+2070.	[bug]		The remote address was not always displayed when
+			reporting dispatch failures. [RT #16315]
+
+2069.	[bug]		Cross compiling was not working. [RT #16330]
+
+2067.	[bug]		'rndc' could close the socket too early triggering
+			a INSIST under Windows. [RT #16317]
+
+2065.	[bug]		libbind: probe for HPUX prototypes for
+			endprotoent_r() and endservent_r().  [RT 16313]
+
+2064.	[bug]		libbind: silence AIX compiler warnings. [RT #16218]
+
+2063.	[bug]		Change #1955 introduced a bug which caused the first
+			'rndc flush' call to not free memory. [RT #16244]
+
+2062.	[bug]		'dig +nssearch' was reusing a buffer before it had
+			been returned by the socket code. [RT #16307]
+
+2057.	[bug]		Make setting "ra" dependent on both allow-query and
+			allow-recursion. [RT #16290]
+
+2056.	[bug]		dig: ixfr= was not being treated case insensitively
+			at all times. [RT #15955]
+
+2055.	[bug]		Missing goto after dropping multicast query.
+			[RT #15944]
+
+2054.	[port]		freebsd: do not explicitly link against -lpthread.
+			[RT #16170]
+
+2053.	[port]		netbsd:libbind: silence compiler warnings. [RT #16220]
+
+2052.	[bug]		'rndc' improve connect failed message to report
+			the failing address. [RT #15978]
+
+2051.	[port]		More strtol() fixes. [RT #16249]
+
+2050.	[bug]		Parsing of NSAP records was not case insensitive.
+			[RT #16287]
+
+2049.	[bug]		Restore SOA before AXFR when falling back from
+			a attempted IXFR when transfering in a zone.
+			Allow a initial SOA query before attempting
+			a AXFR to be requested. [RT #16156]
+
+2048.	[bug]		It was possible to loop forever when using
+			avoid-v4-udp-ports / avoid-v6-udp-ports when
+			the OS always returned the same local port.
+			[RT #16182]
+
+2047.	[bug]		Failed to initialise the interface flags to zero.
+			[RT #16245]
+
+2043.	[port]		nsupdate/nslookup: Force the flushing of the prompt
+			for interactive sessions. [RT#16148]
+
+2038.	[bug]		dig/nslookup/host was unlinking from wrong list
+			when handling errors. [RT #16122]
+
+2037.	[func]		When unlinking the first or last element in a list
+			check that the list head points to the element to
+			be unlinked. [RT #15959]
+
+2036.	[bug]		'rndc recursing' could cause trigger a REQUIRE.
+			[RT #16075]
+
+2034.	[bug]		gcc: set -fno-strict-aliasing. [RT #16124]
+
+	--- 9.3.3b1 released ---
+
+2031.	[bug]		Emit a error message when "rndc refresh" is called on
+			a non slave/stub zone. [RT # 16073]
+
+2030.	[bug]		We were being overly conservative when disabling
+			openssl engine support. [RT #16030]
+
+2029.	[bug]		host printed out the server multiple times when
+			specified on the command line. [RT #15992]
+
+2028.	[port]		linux: socket.c compatability for old systems.
+			[RT #16015]
+
+2027.	[port]		libbind: Solaris x86 support. [RT #16020]
+
+2026.	[bug]		Rate limit the two recursive client exceeded messages.
+			[RT #16044]
+
+2024.	[bug]		named emited spurious "zone serial unchanged"
+			messages on reload. [RT #16027]
+
+2023.	[bug]		"make install" should create ${localstatedir}/run and
+			${sysconfdir} if they do not exist. [RT #16033]
+
+2016.	[bug]		Return a partial answer if recursion is not
+			allowed but requested and we had the answer
+			to the original qname. [RT #15945]
+
+2013.	[bug]		Handle unexpected TSIGs on unsigned AXFR/IXFR
+			responses more gracefully. [RT #15941]
+
+2009.	[bug]		libbind: coverity fixes. [RT #15808]
+
+2005.	[bug]		libbind: Retransmission timeouts should be
+			based on which attempt it is to the nameserver
+			and not the nameserver itself. [RT #13548]
+
+2004.	[bug]		dns_tsig_sign() could pass a NULL pointer to
+			dst_context_destroy() when cleaning up after a
+			error. [RT #15835]
+
+2003.	[bug]		libbind: The DNS name/address lookup functions could
+			occasionally follow a random pointer due to
+			structures not being completely zeroed. [RT #15806]
+
+2002.	[bug]		libbind: tighten the constraints on when
+			struct addrinfo._ai_pad exists.  [RT #15783]
+
+2000.	[bug]		memmove()/strtol() fix was incomplete. [RT #15812]
+
+1998.	[bug]		Restrict handling of fifos as sockets to just SunOS.
+			This allows named to connect to entropy gathering
+			daemons that use fifos instead of sockets. [RT #15840]
+
+1997.	[bug]		Named was failing to replace negative cache entries
+			when a positive one for the type was learnt.
+			[RT #15818]
+
+1995.	[bug]		'host' was reporting multiple "is an alias" messages.
+			[RT #15702]
+
+1994.	[port]		OpenSSL 0.9.8 support. [RT #15694]
+
+1993.	[bug]		Log messsage, via syslog, were missing the space
+			after the timestamp if "print-time yes" was specified.
+			[RT #15844]
+
+1991.	[cleanup]	The configuration data, once read, should be treated
+			as readonly.  Expand the use of const to enforce this
+			at compile time. [RT #15813]
+
+1990.	[bug]		libbind:  isc's override of broken gettimeofday()
+			implementions was not always effective.
+			[RT #15709]
+
+1989.	[bug]		win32: don't check the service password when
+			re-installing. [RT #15882]
+
+1985.	[protocol]	DLV has now been assigned a official type code of
+			32769. [RT #15807]
+
+			Note: care should be taken to ensure you upgrade
+			both named and dnssec-signzone at the same time for
+			zones with DLV records where named is the master
+			server for the zone.  Also any zones that contain
+			DLV records should be removed when upgrading a slave
+			zone.  You do not however have to upgrade all
+			servers for a zone with DLV records simultaniously.
+
+1982.	[bug]		DNSKEY was being accepted on the parent side of
+			a delegation.  KEY is still accepted there for
+			RFC 3007 validated updates. [RT #15620]
+
+1981.	[bug]		win32: condition.c:wait() could fail to reattain
+			the mutex lock.
+
+1979.	[port]		linux: allow named to drop core after changing
+			user ids. [RT #15753]
+
+1978.	[port]		Handle systems which have a broken recvmsg().
+			[RT #15742]
+
+1977.	[bug]		Silence noisy log message. [RT #15704]
+
+1976.	[bug]		Handle systems with no IPv4 addresses. [RT #15695]
+
+1975.	[bug]		libbind: isc_gethexstring() could misparse multi-line
+			hex strings with comments. [RT #15814]
+
+1974.	[doc]		List each of the zone types and associated zone
+			options seperately in the ARM.
+
+1972.	[contrib]	DBUS dynamic forwarders integation from
+			Jason Vas Dias <jvdias@redhat.com>.
+
+1971.	[port]		linux: make detection of missing IF_NAMESIZE more
+			robust. [RT #15443]
+
+1970.	[bug]		nsupdate: adjust UDP timeout when falling back to
+			unsigned SOA query. [RT #15775]
+
+1969.	[bug]		win32: the socket code was freeing the socket
+			structure too early. [RT #15776]
+
+1968.	[bug]		Missing lock in resolver.c:validated(). [RT #15739]
+
+1966.	[bug]		Don't set CD when we have fallen back to plain DNS.
+			[RT #15727]
+
+1963.	[port]		Tru64 4.0E doesn't support send() and recv(). 
+			[RT #15586]
+
+1962.	[bug]		Named failed to clear old update-policy when it
+			was removed. [RT #15491]
+
+1961.	[bug]		Check the port and address of responses forwarded
+			to dispatch. [RT #15474]
+
+1960.	[bug]		Update code should set NSEC ttls from SOA MINIMUM.
+			[RT #15465]
+
+1958.	[bug]		Named failed to update the zone's secure state
+			until the zone was reloaded. [RT #15412]
+
+1957.	[bug]		Dig mishandled responses to class ANY queries.
+			[RT #15402]
+
+1956.	[bug]		Improve cross compile support, 'gen' is now built
+			by native compiler.  See README for additional
+			cross compile support information. [RT #15148]
+
+1955.	[bug]		Pre-allocate the cache cleaning interator. [RT #14998]
+
+1952.	[port]		hpux: tell the linker to build a runtime link
+			path "-Wl,+b:". [RT #14816].
+
+1951.	[security]	Drop queries from particular well known ports.
+			Don't return FORMERR to queries from particular
+			well known ports.  [RT #15636]
+			
+1950.	[port]		Solaris 2.5.1 and earlier cannot bind() then connect()
+			a TCP socket. This prevents the source address being
+			set for TCP connections. [RT #15628]
+
+1948.	[bug]		If was possible to trigger a REQUIRE failure in
+			xfrin.c:maybe_free() if named ran out of memory.
+			[RT #15568]
+
+1946.	[bug]		resume_dslookup() could trigger a REQUIRE failure
+			when using forwarders. [RT #15549]
+
+1944.	[cleanup]	isc_hash_create() does not need a read/write lock.
+			[RT #15522]
+
+1943.	[bug]		Set the loadtime after rolling forward the journal.
+			[RT #15647]
+
+1942.	[bug]		If the name of a DNSKEY match that of one in
+			trusted-keys do not attempt to validate the DNSKEY
+			using the parents DS RRset. [RT #15649]
+
 1941.	[bug]		ncache_adderesult() should set eresult even if no
 			rdataset is passed to it. [RT #15642]
 
+1940.	[bug]		Fixed a number of error conditions reported by
+			Coverity.
+
+1939.	[bug]           The resolver could dereference a null pointer after
+			validation if all the queries have timed out.
+			[RT #15528]
+
+1938.	[bug]		The validator was not correctly handling unsecure
+			negative responses at or below a SEP. [RT #15528]
+
+1919.	[contrib]	queryperf: a set of new features: collecting/printing
+			response delays, printing intermediate results, and
+			adjusting query rate for the "target" qps.
+
 	--- 9.3.2 released ---
 
 	--- 9.3.2rc1 released ---
@@ -323,14 +669,14 @@
 
 1779.	[port]		OSF 5.1: libtool didn't handle -pthread correctly.
 
-1778.   [port]   	HUX 11.11: fix broken IN6ADDR_ANY_INIT and
+1778.	[port]		HUX 11.11: fix broken IN6ADDR_ANY_INIT and
 			IN6ADDR_LOOPBACK_INIT macros.
 
-1777.   [port]   	OSF 5.1: fix broken IN6ADDR_ANY_INIT and
+1777.	[port]		OSF 5.1: fix broken IN6ADDR_ANY_INIT and
 			IN6ADDR_LOOPBACK_INIT macros.
 
-1776.   [port]   	Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
-                        IN6ADDR_LOOPBACK_INIT macros.
+1776.	[port]		Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
+			IN6ADDR_LOOPBACK_INIT macros.
 
 1775.	[bug]		Only compile getnetent_r.c when threaded. [RT #13205]
 
@@ -1173,8 +1519,8 @@
 
 1414.	[func]		Support for KSK flag.
 
-1413.	[func]		Explictly request the (re-)generation of DS records from
-			keysets (dnssec-signzone -g).
+1413.	[func]		Explicitly request the (re-)generation of DS records
+			from keysets (dnssec-signzone -g).
 
 1412.	[func]		You can now specify servers to be tried if a nameserver
 			has IPv6 address and you only support IPv4 or the
@@ -5571,7 +5917,7 @@
 			<isc/bufferlist.h>, <isc/task.h>, <isc/mem.h> or
 			<isc/net.h>.
 
- 119.	[cleanup]	structure definitions for generic rdata stuctures do
+ 119.	[cleanup]	structure definitions for generic rdata structures do
 			not have _generic_ in their names.
 
  118.	[cleanup]	libdns.a is now namespace-clean, on NetBSD, excepting
diff --git a/contrib/bind-9.3/COPYRIGHT b/contrib/bind-9.3/COPYRIGHT
index 484dac8e45..8bbcf244d6 100644
--- a/contrib/bind-9.3/COPYRIGHT
+++ b/contrib/bind-9.3/COPYRIGHT
@@ -1,4 +1,4 @@
-Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
 Copyright (C) 1996-2003  Internet Software Consortium.
 
 Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 PERFORMANCE OF THIS SOFTWARE.
 
-$Id: COPYRIGHT,v 1.6.2.2.8.3 2005/01/10 23:51:37 marka Exp $
+$Id: COPYRIGHT,v 1.6.2.2.8.4 2006/01/04 00:37:22 marka Exp $
 
 Portions Copyright (C) 1996-2001  Nominum, Inc.
 
diff --git a/contrib/bind-9.3/FAQ b/contrib/bind-9.3/FAQ
index 9b806cbde5..ba87de2165 100644
--- a/contrib/bind-9.3/FAQ
+++ b/contrib/bind-9.3/FAQ
@@ -1,29 +1,43 @@
 Frequently Asked Questions about BIND 9
 
+Copyright © 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+
+Copyright © 2000-2003 Internet Software Consortium.
+
 -------------------------------------------------------------------------------
 
 Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads?
 
-A: Linux threads do not fully implement the Posix threads (pthreads) standard.
-   In particular, setuid() operates only on the current thread, not the full
-   process. Because of this limitation, BIND 9 cannot use setuid() on Linux as
-   it can on all other supported platforms. setuid() cannot be called before
-   creating threads, since the server does not start listening on reserved
-   ports until after threads have started.
+A: Linux threads do not fully implement the Posix threads (pthreads) standard. In
+   particular, setuid() operates only on the current thread, not the full process.
+   Because of this limitation, BIND 9 cannot use setuid() on Linux as it can on
+   all other supported platforms. setuid() cannot be called before creating
+   threads, since the server does not start listening on reserved ports until
+   after threads have started.
 
    In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve
    capabilities across a setuid() call is present. This allows BIND 9 to call
-   setuid() early, while retaining the ability to bind reserved ports. This is
-   a Linux-specific hack.
+   setuid() early, while retaining the ability to bind reserved ports. This is a
+   Linux-specific hack.
 
-   On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less
-   of a security risk than a root process that has not dropped privileges.
+   On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less of
+   a security risk than a root process that has not dropped privileges.
 
    If Linux threads ever work correctly, this restriction will go away.
 
    Configuring BIND9 with the --disable-threads option (the default) causes a
    non-threaded version to be built, which will allow -u to be used.
 
+Q: Why do I get the following errors:
+
+   general: errno2result.c:109: unexpected error:
+   general: unable to convert errno to isc_result: 14: Bad address
+   client: UDP client handler shutting down due to fatal receive error: unexpected error
+
+A: This is the result of a Linux kernel bug.
+
+   See: http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2
+
 Q: Why does named log the warning message "no TTL specified - using SOA MINTTL
    instead"?
 
@@ -40,23 +54,26 @@ A: Your zone file is illegal according to RFC1035. It must either have a line
 Q: Why do I see 5 (or more) copies of named on Linux?
 
 A: Linux threads each show up as a process under ps. The approximate number of
-   threads running is n+4, where n is the number of CPUs. Note that the amount
-   of memory used is not cumulative; if each process is using 10M of memory,
-   only a total of 10M is used.
+   threads running is n+4, where n is the number of CPUs. Note that the amount of
+   memory used is not cumulative; if each process is using 10M of memory, only a
+   total of 10M is used.
+
+   Newer versions of Linux's ps command hide the individual threads and require -L
+   to display them.
 
 Q: Why does BIND 9 log "permission denied" errors accessing its configuration
    files or zones on my Linux system even though it is running as root?
 
-A: On Linux, BIND 9 drops most of its root privileges on startup. This
-   including the privilege to open files owned by other users. Therefore, if
-   the server is running as root, the configuration files and zone files should
-   also be owned by root.
+A: On Linux, BIND 9 drops most of its root privileges on startup. This including
+   the privilege to open files owned by other users. Therefore, if the server is
+   running as root, the configuration files and zone files should also be owned by
+   root.
 
-Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file
-   bar: ran out of space"?
+Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file bar:
+   ran out of space"?
 
-A: This is often caused by TXT records with missing close quotes. Check that
-   all TXT records containing quoted strings have both open and close quotes.
+A: This is often caused by TXT records with missing close quotes. Check that all
+   TXT records containing quoted strings have both open and close quotes.
 
 Q: How do I produce a usable core file from a multithreaded named on Linux?
 
@@ -68,16 +85,16 @@ A: If the Linux kernel is 2.4.7 or newer, multithreaded core dumps are usable
 
 Q: How do I restrict people from looking up the server version?
 
-A: Put a "version" option containing something other than the real version in
-   the "options" section of named.conf. Note doing this will not prevent
-   attacks and may impede people trying to diagnose problems with your server.
-   Also it is possible to "fingerprint" nameservers to determine their version.
+A: Put a "version" option containing something other than the real version in the
+   "options" section of named.conf. Note doing this will not prevent attacks and
+   may impede people trying to diagnose problems with your server. Also it is
+   possible to "fingerprint" nameservers to determine their version.
 
 Q: How do I restrict only remote users from looking up the server version?
 
-A: The following view statement will intercept lookups as the internal view
-   that holds the version information will be matched last. The caveats of the
-   previous answer still apply, of course.
+A: The following view statement will intercept lookups as the internal view that
+   holds the version information will be matched last. The caveats of the previous
+   answer still apply, of course.
 
    view "chaos" chaos {
            match-clients { <those to be refused>; };
@@ -91,48 +108,45 @@ A: The following view statement will intercept lookups as the internal view
 Q: What do "no source of entropy found" or "could not open entropy source foo"
    mean?
 
-A: The server requires a source of entropy to perform certain operations,
-   mostly DNSSEC related. These messages indicate that you have no source of
-   entropy. On systems with /dev/random or an equivalent, it is used by
-   default. A source of entropy can also be defined using the random-device
-   option in named.conf.
+A: The server requires a source of entropy to perform certain operations, mostly
+   DNSSEC related. These messages indicate that you have no source of entropy. On
+   systems with /dev/random or an equivalent, it is used by default. A source of
+   entropy can also be defined using the random-device option in named.conf.
 
 Q: I installed BIND 9 and restarted named, but it's still BIND 8. Why?
 
 A: BIND 9 is installed under /usr/local by default. BIND 8 is often installed
    under /usr. Check that the correct named is running.
 
-Q: I'm trying to use TSIG to authenticate dynamic updates or zone transfers.
-   I'm sure I have the keys set up correctly, but the server is rejecting the
-   TSIG. Why?
+Q: I'm trying to use TSIG to authenticate dynamic updates or zone transfers. I'm
+   sure I have the keys set up correctly, but the server is rejecting the TSIG.
+   Why?
 
-A: This may be a clock skew problem. Check that the the clocks on the client
-   and server are properly synchronised (e.g., using ntp).
+A: This may be a clock skew problem. Check that the the clocks on the client and
+   server are properly synchronised (e.g., using ntp).
 
 Q: I'm trying to compile BIND 9, and "make" is failing due to files not being
    found. Why?
 
 A: Using a parallel or distributed "make" to build BIND 9 is not supported, and
-   doesn't work. If you are using one of these, use normal make or gmake
-   instead.
+   doesn't work. If you are using one of these, use normal make or gmake instead.
 
-Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is logging
-   error messages like "notify to 10.0.0.1#53 failed: unexpected end of input".
-   What's wrong?
+Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is logging error
+   messages like "notify to 10.0.0.1#53 failed: unexpected end of input". What's
+   wrong?
 
-A: This error message is caused by a known bug in BIND 8.2.3 and is fixed in
-   BIND 8.2.4. It can be safely ignored - the notify has been acted on by the
-   slave despite the error message.
+A: This error message is caused by a known bug in BIND 8.2.3 and is fixed in BIND
+   8.2.4. It can be safely ignored - the notify has been acted on by the slave
+   despite the error message.
 
 Q: I keep getting log messages like the following. Why?
 
    Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': update
-   failed: 'RRset exists (value dependent)' prerequisite not satisfied
-   (NXRRSET)
+   failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
 
-A: DNS updates allow the update request to test to see if certain conditions
-   are met prior to proceeding with the update. The message above is saying
-   that conditions were not met and the update is not proceeding. See doc/rfc/
+A: DNS updates allow the update request to test to see if certain conditions are
+   met prior to proceeding with the update. The message above is saying that
+   conditions were not met and the update is not proceeding. See doc/rfc/
    rfc2136.txt for more details on prerequisites.
 
 Q: I keep getting log messages like the following. Why?
@@ -140,11 +154,11 @@ Q: I keep getting log messages like the following. Why?
    Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
 
 A: Someone is trying to update your DNS data using the RFC2136 Dynamic Update
-   protocol. Windows 2000 machines have a habit of sending dynamic update
-   requests to DNS servers without being specifically configured to do so. If
-   the update requests are coming from a Windows 2000 machine, see http://
-   support.microsoft.com/support/kb/articles/q246/8/04.asp for information
-   about how to turn them off.
+   protocol. Windows 2000 machines have a habit of sending dynamic update requests
+   to DNS servers without being specifically configured to do so. If the update
+   requests are coming from a Windows 2000 machine, see http://
+   support.microsoft.com/support/kb/articles/q246/8/04.asp for information about
+   how to turn them off.
 
 Q: I see a log message like the following. Why?
 
@@ -152,59 +166,59 @@ Q: I see a log message like the following. Why?
 
 A: You are most likely running named as a non-root user, and that user does not
    have permission to write in /var/run. The common ways of fixing this are to
-   create a /var/run/named directory owned by the named user and set pid-file
-   to "/var/run/named/named.pid", or set pid-file to "named.pid", which will
-   put the file in the directory specified by the directory option (which, in
-   this case, must be writable by the named user).
-
-Q: When I do a "dig . ns", many of the A records for the root servers are
-   missing. Why?
-
-A: This is normal and harmless. It is a somewhat confusing side effect of the
-   way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 makes to
-   avoid promoting glue into answers.
-
-   When BIND 9 first starts up and primes its cache, it receives the root
-   server addresses as additional data in an authoritative response from a root
-   server, and these records are eligible for inclusion as additional data in
-   responses. Subsequently it receives a subset of the root server addresses as
-   additional data in a non-authoritative (referral) response from a root
-   server. This causes the addresses to now be considered non-authoritative
-   (glue) data, which is not eligible for inclusion in responses.
+   create a /var/run/named directory owned by the named user and set pid-file to "
+   /var/run/named/named.pid", or set pid-file to "named.pid", which will put the
+   file in the directory specified by the directory option (which, in this case,
+   must be writable by the named user).
+
+Q: When I do a "dig . ns", many of the A records for the root servers are missing.
+   Why?
+
+A: This is normal and harmless. It is a somewhat confusing side effect of the way
+   BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 makes to avoid
+   promoting glue into answers.
+
+   When BIND 9 first starts up and primes its cache, it receives the root server
+   addresses as additional data in an authoritative response from a root server,
+   and these records are eligible for inclusion as additional data in responses.
+   Subsequently it receives a subset of the root server addresses as additional
+   data in a non-authoritative (referral) response from a root server. This causes
+   the addresses to now be considered non-authoritative (glue) data, which is not
+   eligible for inclusion in responses.
 
    The server does have a complete set of root server addresses cached at all
    times, it just may not include all of them as additional data, depending on
-   whether they were last received as answers or as glue. You can always look
-   up the addresses with explicit queries like "dig a.root-servers.net A".
+   whether they were last received as answers or as glue. You can always look up
+   the addresses with explicit queries like "dig a.root-servers.net A".
 
 Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail. Why?
 
-A: This may be caused by a bug in the Windows 2000 DNS server where DNS
-   messages larger than 16K are not handled properly. This can be worked around
-   by setting the option "transfer-format one-answer;". Also check whether your
-   zone contains domain names with embedded spaces or other special characters,
-   like "John\032Doe\213s\032Computer", since such names have been known to
-   cause Windows 2000 slaves to incorrectly reject the zone.
+A: This may be caused by a bug in the Windows 2000 DNS server where DNS messages
+   larger than 16K are not handled properly. This can be worked around by setting
+   the option "transfer-format one-answer;". Also check whether your zone contains
+   domain names with embedded spaces or other special characters, like "John\
+   032Doe\213s\032Computer", since such names have been known to cause Windows
+   2000 slaves to incorrectly reject the zone.
 
 Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?
 
-A: A zone can be updated either by editing zone files and reloading the server
-   or by dynamic update, but not both. If you have enabled dynamic update for a
-   zone using the "allow-update" option, you are not supposed to edit the zone
-   file by hand, and the server will not attempt to reload it.
+A: A zone can be updated either by editing zone files and reloading the server or
+   by dynamic update, but not both. If you have enabled dynamic update for a zone
+   using the "allow-update" option, you are not supposed to edit the zone file by
+   hand, and the server will not attempt to reload it.
 
 Q: I can query the nameserver from the nameserver but not from other machines.
    Why?
 
-A: This is usually the result of the firewall configuration stopping the
-   queries and / or the replies.
+A: This is usually the result of the firewall configuration stopping the queries
+   and / or the replies.
 
 Q: How can I make a server a slave for both an internal and an external view at
-   the same time? When I tried, both views on the slave were transferred from
-   the same view on the master.
+   the same time? When I tried, both views on the slave were transferred from the
+   same view on the master.
 
-A: You will need to give the master and slave multiple IP addresses and use
-   those to make sure you reach the correct view on the other machine.
+A: You will need to give the master and slave multiple IP addresses and use those
+   to make sure you reach the correct view on the other machine.
 
    Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
        internal:
@@ -232,8 +246,8 @@ A: You will need to give the master and slave multiple IP addresses and use
            transfer-source 10.0.1.4;
            query-source address 10.0.1.4;
 
-   You put the external address on the alias so that all the other dns clients
-   on these boxes see the internal view by default.
+   You put the external address on the alias so that all the other dns clients on
+   these boxes see the internal view by default.
 
 A: BIND 9.3 and later: Use TSIG to select the appropriate view.
 
@@ -248,7 +262,7 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view.
            };
            view "external" {
                    match-clients { key external; any; };
-                   server 10.0.0.2 { keys external; };
+                   server 10.0.1.2 { keys external; };
                    recursion no;
                    ...
            };
@@ -264,7 +278,7 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view.
            };
            view "external" {
                    match-clients { key external; any; };
-                   server 10.0.0.1 { keys external; };
+                   server 10.0.1.1 { keys external; };
                    recursion no;
                    ...
            };
@@ -272,8 +286,8 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view.
 Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
 
 A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to use
-   certain interrupts as a source of random events. You can make this permanent
-   by setting rand_irqs in /etc/rc.conf.
+   certain interrupts as a source of random events. You can make this permanent by
+   setting rand_irqs in /etc/rc.conf.
 
    /etc/rc.conf
    rand_irqs="3 14 15"
@@ -283,34 +297,33 @@ A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to use
 Q: Why is named listening on UDP port other than 53?
 
 A: Named uses a system selected port to make queries of other nameservers. This
-   behaviour can be overridden by using query-source to lock down the port and/
-   or address. See also notify-source and transfer-source.
+   behaviour can be overridden by using query-source to lock down the port and/or
+   address. See also notify-source and transfer-source.
 
-Q: I get error messages like "multiple RRs of singleton type" and "CNAME and
-   other data" when transferring a zone. What does this mean?
+Q: I get error messages like "multiple RRs of singleton type" and "CNAME and other
+   data" when transferring a zone. What does this mean?
 
 A: These indicate a malformed master zone. You can identify the exact records
-   involved by transferring the zone using dig then running named-checkzone on
-   it.
+   involved by transferring the zone using dig then running named-checkzone on it.
 
    dig axfr example.com @master-server > tmp
    named-checkzone example.com tmp
 
-   A CNAME record cannot exist with the same name as another record except for
-   the DNSSEC records which prove its existance (NSEC).
+   A CNAME record cannot exist with the same name as another record except for the
+   DNSSEC records which prove its existance (NSEC).
 
    RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other data
    should be present; this ensures that the data for a canonical name and its
-   aliases cannot be different. This rule also insures that a cached CNAME can
-   be used without checking with an authoritative server for other RR types."
+   aliases cannot be different. This rule also insures that a cached CNAME can be
+   used without checking with an authoritative server for other RR types."
 
-Q: I get error messages like "named.conf:99: unexpected end of input" where 99
-   is the last line of named.conf.
+Q: I get error messages like "named.conf:99: unexpected end of input" where 99 is
+   the last line of named.conf.
 
 A: Some text editors (notepad and wordpad) fail to put a line title indication
-   (e.g. CR/LF) on the last line of a text file. This can be fixed by "adding"
-   a blank line to the end of the file. Named expects to see EOF immediately
-   after EOL and treats text files where this is not met as truncated.
+   (e.g. CR/LF) on the last line of a text file. This can be fixed by "adding" a
+   blank line to the end of the file. Named expects to see EOF immediately after
+   EOL and treats text files where this is not met as truncated.
 
 Q: I get warning messages like "zone example.com/IN: refresh: failure trying
    master 1.2.3.4#53: timed out".
@@ -319,15 +332,15 @@ A: Check that you can make UDP queries from the slave to the master
 
    dig +norec example.com soa @1.2.3.4
 
-   You could be generating queries faster than the slave can cope with. Lower
-   the serial query rate.
+   You could be generating queries faster than the slave can cope with. Lower the
+   serial query rate.
 
    serial-query-rate 5; // default 20
 
 Q: How do I share a dynamic zone between multiple views?
 
-A: You choose one view to be master and the second a slave and transfer the
-   zone between views.
+A: You choose one view to be master and the second a slave and transfer the zone
+   between views.
 
    Master 10.0.1.1:
            key "external" {
@@ -370,14 +383,14 @@ Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading master
    file primaries/wireless.ietf56.ietf.org: no owner".
 
 A: This error is produced when a line in the master file contains leading white
-   space (tab/space) but the is no current record owner name to inherit the
-   name from. Usually this is the result of putting white space before a
-   comment. Forgeting the "@" for the SOA record or indenting the master file.
+   space (tab/space) but the is no current record owner name to inherit the name
+   from. Usually this is the result of putting white space before a comment.
+   Forgeting the "@" for the SOA record or indenting the master file.
 
 Q: Why are my logs in GMT (UTC).
 
-A: You are running chrooted (-t) and have not supplied local timzone
-   information in the chroot area.
+A: You are running chrooted (-t) and have not supplied local timzone information
+   in the chroot area.
 
    FreeBSD: /etc/localtime
    Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
@@ -395,23 +408,23 @@ Q: I get "rndc: connect failed: connection refused" when I try to run rndc.
 
 A: This is usually a configuration error.
 
-   First ensure that named is running and no errors are being reported at
-   startup (/var/log/messages or equivalent). Running "named -g <usual
-   arguments>" from a title can help at this point.
+   First ensure that named is running and no errors are being reported at startup
+   (/var/log/messages or equivalent). Running "named -g <usual arguments>" from a
+   title can help at this point.
 
    Secondly ensure that named is configured to use rndc either by "rndc-confgen
-   -a", rndc-confgen or manually. The Administrators Reference manual has
-   details on how to do this.
+   -a", rndc-confgen or manually. The Administrators Reference manual has details
+   on how to do this.
 
    Old versions of rndc-confgen used localhost rather than 127.0.0.1 in /etc/
    rndc.conf for the default server. Update /etc/rndc.conf if necessary so that
    the default server listed in /etc/rndc.conf matches the addresses used in
    named.conf. "localhost" has two address (127.0.0.1 and ::1).
 
-   If you use "rndc-confgen -a" and named is running with -t or -u ensure that
-   /etc/rndc.conf has the correct ownership and that a copy is in the chroot
-   area. You can do this by re-running "rndc-confgen -a" with appropriate -t
-   and -u arguments.
+   If you use "rndc-confgen -a" and named is running with -t or -u ensure that /
+   etc/rndc.conf has the correct ownership and that a copy is in the chroot area.
+   You can do this by re-running "rndc-confgen -a" with appropriate -t and -u
+   arguments.
 
 Q: I don't get RRSIG's returned when I use "dig +dnssec".
 
@@ -419,12 +432,11 @@ A: You need to ensure DNSSEC is enabled (dnssec-enable yes;).
 
 Q: I get "Error 1067" when starting named under Windows.
 
-A: This is the service manager saying that named exited. You need to examine
-   the Application log in the EventViewer to find out why.
+A: This is the service manager saying that named exited. You need to examine the
+   Application log in the EventViewer to find out why.
 
-   Common causes are that you failed to create "named.conf" (usually "C:\
-   windows\dns\etc\named.conf") or failed to specify the directory in
-   named.conf.
+   Common causes are that you failed to create "named.conf" (usually "C:\windows\
+   dns\etc\named.conf") or failed to specify the directory in named.conf.
 
    options {
            Directory "C:\windows\dns\etc";
@@ -439,11 +451,11 @@ A: These indicate a filesystem permission error preventing named creating /
 
    "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"
 
-   Named needs write permission on the directory containing the file. Named
-   writes the new cache file to a temporary file then renames it to the name
-   specified in named.conf to ensure that the contents are always complete.
-   This is to prevent named loading a partial zone in the event of power
-   failure or similar interrupting the write of the master file.
+   Named needs write permission on the directory containing the file. Named writes
+   the new cache file to a temporary file then renames it to the name specified in
+   named.conf to ensure that the contents are always complete. This is to prevent
+   named loading a partial zone in the event of power failure or similar
+   interrupting the write of the master file.
 
    Note file names are relative to the directory specified in options and any
    chroot directory ([<chroot dir>/][<options dir>]).
@@ -489,8 +501,8 @@ A: If the IN-ADDR.ARPA name covered refers to a internal address space you are
 
    If you are not using these private addresses then a client has queried for
    them. You can just ignore the messages, get the offending client to stop
-   sending you these messages as they are most probably leaking them or setup
-   your own zones empty zones to serve answers to these queries.
+   sending you these messages as they are most probably leaking them or setup your
+   own zones empty zones to serve answers to these queries.
 
    zone "10.IN-ADDR.ARPA" {
            type master;
@@ -523,3 +535,141 @@ A: If the IN-ADDR.ARPA name covered refers to a internal address space you are
 
    Future versions of named are likely to do this automatically.
 
+Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
+
+   Why can't named update slave zone database files?
+
+   Why can't named create DDNS journal files or update the master zones from
+   journals?
+
+   Why can't named create custom log files?
+
+A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
+
+   Red Hat have adopted the National Security Agency's SELinux security policy (
+   see http://www.nsa.gov/selinux ) and recommendations for BIND security , which
+   are more secure than running named in a chroot and make use of the bind-chroot
+   environment unecessary .
+
+   By default, named is not allowed by the SELinux policy to write, create or
+   delete any files EXCEPT in these directories:
+
+   $ROOTDIR/var/named/slaves
+   $ROOTDIR/var/named/data
+   $ROOTDIR/var/tmp
+
+
+   where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is installed.
+
+   The SELinux policy particularly does NOT allow named to modify the $ROOTDIR/var
+   /named directory, the default location for master zone database files.
+
+   SELinux policy overrules file access permissions - so even if all the files
+   under /var/named have ownership named:named and mode rw-rw-r--, named will
+   still not be able to write or create files except in the directories above,
+   with SELinux in Enforcing mode.
+
+   So, to allow named to update slave or DDNS zone files, it is best to locate
+   them in $ROOTDIR/var/named/slaves, with named.conf zone statements such as:
+
+   zone "slave.zone." IN {
+           type slave;
+           file "slaves/slave.zone.db";
+           ...
+   };
+   zone "ddns.zone." IN  {
+           type master;
+           allow-updates {...};
+           file "slaves/ddns.zone.db";
+   };
+
+
+   To allow named to create its cache dump and statistics files, for example, you
+   could use named.conf options statements such as:
+
+   options {
+           ...
+           dump-file "/var/named/data/cache_dump.db";
+           statistics-file "/var/named/data/named_stats.txt";
+           ...
+   };
+
+
+   You can also tell SELinux to allow named to update any zone database files, by
+   setting the SELinux tunable boolean parameter 'named_write_master_zones=1',
+   using the system-config-securitylevel GUI, using the 'setsebool' command, or in
+   /etc/selinux/targeted/booleans.
+
+   You can disable SELinux protection for named entirely by setting the
+   'named_disable_trans=1' SELinux tunable boolean parameter.
+
+   The SELinux named policy defines these SELinux contexts for named:
+
+   named_zone_t : for zone database files       - $ROOTDIR/var/named/*
+   named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
+   named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
+
+
+   If you want to retain use of the SELinux policy for named, and put named files
+   in different locations, you can do so by changing the context of the custom
+   file locations .
+
+   To create a custom configuration file location, eg. '/root/named.conf', to use
+   with the 'named -c' option, do:
+
+   # chcon system_u:object_r:named_conf_t /root/named.conf
+
+
+   To create a custom modifiable named data location, eg. '/var/log/named' for a
+   log file, do:
+
+   # chcon system_u:object_r:named_cache_t /var/log/named
+
+
+   To create a custom zone file location, eg. /root/zones/, do:
+
+   # chcon system_u:object_r:named_zone_t /root/zones/{.,*}
+
+
+   See these man-pages for more information : selinux(8), named_selinux(8), chcon
+   (1), setsebool(8)
+
+Q: I want to forward all DNS queries from my caching nameserver to another server.
+   But there are some domains which have to be served locally, via rbldnsd.
+
+   How do I achieve this ?
+
+A: options {
+           forward only;
+           forwarders { <ip.of.primary.nameserver>; };
+   };
+
+   zone "sbl-xbl.spamhaus.org" {
+           type forward; forward only;
+           forwarders { <ip.of.rbldns.server> port 530; };
+   };
+
+   zone "list.dsbl.org" {
+           type forward; forward only;
+           forwarders { <ip.of.rbldns.server> port 530; };
+   };
+
+
+Q: Will named be affected by the 2007 changes to daylight savings rules in the US.
+
+A: No, so long as the machines internal clock (as reported by "date -u") remains
+   at UTC. The only visible change if you fail to upgrade your OS, if you are in a
+   affected area, will be that log messages will be a hour out during the period
+   where the old rules do not match the new rules.
+
+   For most OS's this change just means that you need to update the conversion
+   rules from UTC to local time. Normally this involves updating a file in /etc
+   (which sets the default timezone for the machine) and possibly a directory
+   which has all the conversion rules for the world (e.g. /usr/share/zoneinfo).
+   When updating the OS do not forget to update any chroot areas as well. See your
+   OS's documetation for more details.
+
+   The local timezone conversion rules can also be done on a individual basis by
+   setting the TZ envirionment variable appropriately. See your OS's documentation
+   for more details.
+
diff --git a/contrib/bind-9.3/README b/contrib/bind-9.3/README
index 574b07d732..4763e53b89 100644
--- a/contrib/bind-9.3/README
+++ b/contrib/bind-9.3/README
@@ -42,6 +42,14 @@ BIND 9
 		Stichting NLnet - NLnet Foundation
 		Nominum, Inc.
 
+BIND 9.3.4
+
+	BIND 9.3.4 is a security release.
+
+BIND 9.3.3
+
+        BIND 9.3.3 is a maintenance release, containing fixes for
+        a number of bugs in 9.3.2.
 
 BIND 9.3.2
 
@@ -194,6 +202,9 @@ BIND 9.2.0
 
 		--with-libtool does not work on AIX.
 
+		--with-libtool does not work on SunOS 4.  configure
+		requires "printf" which is not available.
+
 	A bug in the Windows 2000 DNS server can cause zone transfers
 	from a BIND 9 server to a W2K server to fail.  For details,
 	see the "Zone Transfers" section in doc/misc/migration.
@@ -226,7 +237,7 @@ Building
 	        Red Hat Linux 7.1
 		Debian GNU/Linux 2.2 and 3.0
 		Mandrake 8.1
-		OpenBSD 2.6, 2.8, 2.9
+		OpenBSD 2.6, 2.8, 2.9, 3.1, 3.6, 3.8
 		UnixWare 7.1.1
 		HP-UX 10.20
 		BSD/OS 4.2
@@ -265,10 +276,23 @@ Building
 		Enable DNSSEC signature chasing support in dig.
 		  -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
 				    -DDIG_SIGCHASE_BU=1)
+		Disable dropping queries from particular well known ports.
+		  -DNS_CLIENT_DROPPORT=0
 
 	    LDFLAGS
 		Linker flags. Defaults to empty string.
 
+	The following need to be set when cross compiling.
+
+	    BUILD_CC
+		The native C compiler.
+	    BUILD_CFLAGS (optional)
+	    BUILD_CPPFLAGS (optional)
+		Possible Settings:
+		-DNEED_OPTARG=1		(optarg is not declared in <unistd.h>)
+	    BUILD_LDFLAGS (optional)
+	    BUILD_LIBS (optional)
+
 	To build shared libraries, specify "--with-libtool" on the
 	configure command line.
 
diff --git a/contrib/bind-9.3/bin/check/named-checkconf.8 b/contrib/bind-9.3/bin/check/named-checkconf.8
index 68b745aed2..7d0633582d 100644
--- a/contrib/bind-9.3/bin/check/named-checkconf.8
+++ b/contrib/bind-9.3/bin/check/named-checkconf.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named-checkconf.8,v 1.11.12.7 2005/10/13 02:33:41 marka Exp $
+.\" $Id: named-checkconf.8,v 1.11.12.8 2006/06/29 13:02:30 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: named\-checkconf
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: June 14, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "NAMED\-CHECKCONF" "8" "June 14, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -36,24 +39,24 @@ named\-checkconf \- named configuration file syntax checking tool
 \fBnamed\-checkconf\fR
 checks the syntax, but not the semantics, of a named configuration file.
 .SH "OPTIONS"
-.TP
+.TP 3n
 \-t \fIdirectory\fR
 chroot to
 \fIdirectory\fR
 so that include directives in the configuration file are processed as if run by a similarly chrooted named.
-.TP
+.TP 3n
 \-v
 Print the version of the
 \fBnamed\-checkconf\fR
 program and exit.
-.TP
+.TP 3n
 \-z
 Perform a check load the master zonefiles found in
 \fInamed.conf\fR.
-.TP
+.TP 3n
 \-j
 When loading a zonefile read the journal if it exists.
-.TP
+.TP 3n
 filename
 The name of the configuration file to be checked. If not specified, it defaults to
 \fI/etc/named.conf\fR.
@@ -68,3 +71,5 @@ BIND 9 Administrator Reference Manual.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/bin/check/named-checkconf.c b/contrib/bind-9.3/bin/check/named-checkconf.c
index e7f91386ff..f50461d792 100644
--- a/contrib/bind-9.3/bin/check/named-checkconf.c
+++ b/contrib/bind-9.3/bin/check/named-checkconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named-checkconf.c,v 1.12.12.9 2005/03/03 06:33:38 marka Exp $ */
+/* $Id: named-checkconf.c,v 1.12.12.11 2006/03/02 00:37:20 marka Exp $ */
 
 #include <config.h>
 
@@ -60,9 +60,9 @@ usage(void) {
 }
 
 static isc_result_t
-directory_callback(const char *clausename, cfg_obj_t *obj, void *arg) {
+directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
 	isc_result_t result;
-	char *directory;
+	const char *directory;
 
 	REQUIRE(strcasecmp("directory", clausename) == 0);
 
@@ -85,18 +85,18 @@ directory_callback(const char *clausename, cfg_obj_t *obj, void *arg) {
 }
 
 static isc_result_t
-configure_zone(const char *vclass, const char *view, cfg_obj_t *zconfig,
-	       isc_mem_t *mctx)
+configure_zone(const char *vclass, const char *view,
+	       const cfg_obj_t *zconfig, isc_mem_t *mctx)
 {
 	isc_result_t result;
 	const char *zclass;
 	const char *zname;
 	const char *zfile;
-	cfg_obj_t *zoptions = NULL;
-	cfg_obj_t *classobj = NULL;
-	cfg_obj_t *typeobj = NULL;
-	cfg_obj_t *fileobj = NULL;
-	cfg_obj_t *dbobj = NULL;
+	const cfg_obj_t *zoptions = NULL;
+	const cfg_obj_t *classobj = NULL;
+	const cfg_obj_t *typeobj = NULL;
+	const cfg_obj_t *fileobj = NULL;
+	const cfg_obj_t *dbobj = NULL;
 
 	zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
 	classobj = cfg_tuple_get(zconfig, "class");
@@ -125,12 +125,12 @@ configure_zone(const char *vclass, const char *view, cfg_obj_t *zconfig,
 }
 
 static isc_result_t
-configure_view(const char *vclass, const char *view, cfg_obj_t *config,
-	       cfg_obj_t *vconfig, isc_mem_t *mctx)
+configure_view(const char *vclass, const char *view, const cfg_obj_t *config,
+	       const cfg_obj_t *vconfig, isc_mem_t *mctx)
 {
-	cfg_listelt_t *element;
-	cfg_obj_t *voptions;
-	cfg_obj_t *zonelist;
+	const cfg_listelt_t *element;
+	const cfg_obj_t *voptions;
+	const cfg_obj_t *zonelist;
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
 
@@ -148,7 +148,7 @@ configure_view(const char *vclass, const char *view, cfg_obj_t *config,
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *zconfig = cfg_listelt_value(element);
+		const cfg_obj_t *zconfig = cfg_listelt_value(element);
 		tresult = configure_zone(vclass, view, zconfig, mctx);
 		if (tresult != ISC_R_SUCCESS)
 			result = tresult;
@@ -158,11 +158,11 @@ configure_view(const char *vclass, const char *view, cfg_obj_t *config,
 
 
 static isc_result_t
-load_zones_fromconfig(cfg_obj_t *config, isc_mem_t *mctx) {
-	cfg_listelt_t *element;
-	cfg_obj_t *classobj;
-	cfg_obj_t *views;
-	cfg_obj_t *vconfig;
+load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx) {
+	const cfg_listelt_t *element;
+	const cfg_obj_t *classobj;
+	const cfg_obj_t *views;
+	const cfg_obj_t *vconfig;
 	const char *vclass;
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
diff --git a/contrib/bind-9.3/bin/check/named-checkconf.html b/contrib/bind-9.3/bin/check/named-checkconf.html
index 14b8ff89cb..2283c51626 100644
--- a/contrib/bind-9.3/bin/check/named-checkconf.html
+++ b/contrib/bind-9.3/bin/check/named-checkconf.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: named-checkconf.html,v 1.5.2.1.4.12 2005/10/13 02:33:42 marka Exp $ -->
+<!-- $Id: named-checkconf.html,v 1.5.2.1.4.15 2006/06/29 13:02:30 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named-checkconf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">named-checkconf</span> &#8212; named configuration file syntax checking tool</p>
@@ -32,14 +32,14 @@
 <div class="cmdsynopsis"><p><code class="command">named-checkconf</code>  [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-z</code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525865"></a><h2>DESCRIPTION</h2>
+<a name="id2549430"></a><h2>DESCRIPTION</h2>
 <p>
         <span><strong class="command">named-checkconf</strong></span> checks the syntax, but not
 	the semantics, of a named configuration file.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525878"></a><h2>OPTIONS</h2>
+<a name="id2549443"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
 <dd><p>
@@ -69,21 +69,21 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525970"></a><h2>RETURN VALUES</h2>
+<a name="id2549534"></a><h2>RETURN VALUES</h2>
 <p>
         <span><strong class="command">named-checkconf</strong></span> returns an exit status of 1 if
 	errors were detected and 0 otherwise.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525982"></a><h2>SEE ALSO</h2>
+<a name="id2549547"></a><h2>SEE ALSO</h2>
 <p>
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526006"></a><h2>AUTHOR</h2>
+<a name="id2549639"></a><h2>AUTHOR</h2>
 <p>
         <span class="corpauthor">Internet Systems Consortium</span>
     </p>
diff --git a/contrib/bind-9.3/bin/check/named-checkzone.8 b/contrib/bind-9.3/bin/check/named-checkzone.8
index 33402d5fe8..f50085c784 100644
--- a/contrib/bind-9.3/bin/check/named-checkzone.8
+++ b/contrib/bind-9.3/bin/check/named-checkzone.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2002 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named-checkzone.8,v 1.11.2.1.8.8 2005/10/13 02:33:41 marka Exp $
+.\" $Id: named-checkzone.8,v 1.11.2.1.8.11 2006/10/05 02:50:17 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: named\-checkzone
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: June 13, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "NAMED\-CHECKZONE" "8" "June 13, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -40,61 +43,61 @@ does when loading a zone. This makes
 \fBnamed\-checkzone\fR
 useful for checking zone files before configuring them into a name server.
 .SH "OPTIONS"
-.TP
+.TP 3n
 \-d
 Enable debugging.
-.TP
+.TP 3n
 \-q
 Quiet mode \- exit code only.
-.TP
+.TP 3n
 \-v
 Print the version of the
 \fBnamed\-checkzone\fR
 program and exit.
-.TP
+.TP 3n
 \-j
 When loading the zone file read the journal if it exists.
-.TP
+.TP 3n
 \-c \fIclass\fR
 Specify the class of the zone. If not specified "IN" is assumed.
-.TP
+.TP 3n
 \-k \fImode\fR
 Perform
-\fB"check\-name"\fR
+\fB"check\-names"\fR
 checks with the specified failure mode. Possible modes are
 \fB"fail"\fR,
 \fB"warn"\fR
 (default) and
 \fB"ignore"\fR.
-.TP
+.TP 3n
 \-n \fImode\fR
 Specify whether NS records should be checked to see if they are addresses. Possible modes are
 \fB"fail"\fR,
 \fB"warn"\fR
 (default) and
 \fB"ignore"\fR.
-.TP
+.TP 3n
 \-o \fIfilename\fR
 Write zone output to
 \fIfilename\fR.
-.TP
+.TP 3n
 \-t \fIdirectory\fR
 chroot to
 \fIdirectory\fR
 so that include directives in the configuration file are processed as if run by a similarly chrooted named.
-.TP
+.TP 3n
 \-w \fIdirectory\fR
 chdir to
 \fIdirectory\fR
 so that relative filenames in master file $INCLUDE directives work. This is similar to the directory clause in
 \fInamed.conf\fR.
-.TP
+.TP 3n
 \-D
 Dump zone file in canonical format.
-.TP
+.TP 3n
 zonename
 The domain name of the zone being checked.
-.TP
+.TP 3n
 filename
 The name of the zone file.
 .SH "RETURN VALUES"
@@ -109,3 +112,5 @@ BIND 9 Administrator Reference Manual.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/bin/check/named-checkzone.html b/contrib/bind-9.3/bin/check/named-checkzone.html
index cf544c9472..8f5195a6d8 100644
--- a/contrib/bind-9.3/bin/check/named-checkzone.html
+++ b/contrib/bind-9.3/bin/check/named-checkzone.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2002 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: named-checkzone.html,v 1.5.2.2.4.13 2005/10/13 02:33:42 marka Exp $ -->
+<!-- $Id: named-checkzone.html,v 1.5.2.2.4.17 2006/10/05 02:50:17 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named-checkzone</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">named-checkzone</span> &#8212; zone file validity checking tool</p>
@@ -32,7 +32,7 @@
 <div class="cmdsynopsis"><p><code class="command">named-checkzone</code>  [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] {zonename} {filename}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525922"></a><h2>DESCRIPTION</h2>
+<a name="id2549490"></a><h2>DESCRIPTION</h2>
 <p>
         <span><strong class="command">named-checkzone</strong></span> checks the syntax and integrity of
 	a zone file.  It performs the same checks as <span><strong class="command">named</strong></span>
@@ -42,7 +42,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525942"></a><h2>OPTIONS</h2>
+<a name="id2549510"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-d</span></dt>
 <dd><p>
@@ -67,7 +67,7 @@
 	  </p></dd>
 <dt><span class="term">-k <em class="replaceable"><code>mode</code></em></span></dt>
 <dd><p>
-	      Perform <span><strong class="command">"check-name"</strong></span> checks with the specified failure mode.
+	      Perform <span><strong class="command">"check-names"</strong></span> checks with the specified failure mode.
 	      Possible modes are <span><strong class="command">"fail"</strong></span>,
 	      <span><strong class="command">"warn"</strong></span> (default) and
 	      <span><strong class="command">"ignore"</strong></span>.
@@ -111,14 +111,14 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526187"></a><h2>RETURN VALUES</h2>
+<a name="id2549824"></a><h2>RETURN VALUES</h2>
 <p>
         <span><strong class="command">named-checkzone</strong></span> returns an exit status of 1 if
 	errors were detected and 0 otherwise.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526200"></a><h2>SEE ALSO</h2>
+<a name="id2549836"></a><h2>SEE ALSO</h2>
 <p>
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <em class="citetitle">RFC 1035</em>,
@@ -126,7 +126,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526227"></a><h2>AUTHOR</h2>
+<a name="id2549863"></a><h2>AUTHOR</h2>
 <p>
         <span class="corpauthor">Internet Systems Consortium</span>
     </p>
diff --git a/contrib/bind-9.3/bin/dig/dig.1 b/contrib/bind-9.3/bin/dig/dig.1
index 7031217dd2..735f31c2a5 100644
--- a/contrib/bind-9.3/bin/dig/dig.1
+++ b/contrib/bind-9.3/bin/dig/dig.1
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dig.1,v 1.14.2.4.2.10 2005/10/13 02:33:42 marka Exp $
+.\" $Id: dig.1,v 1.14.2.4.2.11 2006/06/29 13:02:30 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: dig
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "DIG" "1" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -68,12 +71,14 @@ A typical invocation of
 \fBdig\fR
 looks like:
 .sp
+.RS 3n
 .nf
  dig @server name type 
 .fi
+.RE
 .sp
 where:
-.TP
+.TP 3n
 \fBserver\fR
 is the name or IP address of the name server to query. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation. When the supplied
 \fIserver\fR
@@ -86,10 +91,10 @@ argument is provided,
 consults
 \fI/etc/resolv.conf\fR
 and queries the name servers listed there. The reply from the name server that responds is displayed.
-.TP
+.TP 3n
 \fBname\fR
 is the name of the resource record that is to be looked up.
-.TP
+.TP 3n
 \fBtype\fR
 indicates what type of query is required \(em ANY, A, MX, SIG, etc.
 \fItype\fR
@@ -197,18 +202,18 @@ Each query option is identified by a keyword preceded by a plus sign (+). Some k
 no
 to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form
 \fB+keyword=value\fR. The query options are:
-.TP
+.TP 3n
 \fB+[no]tcp\fR
 Use [do not use] TCP when querying name servers. The default behaviour is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used.
-.TP
+.TP 3n
 \fB+[no]vc\fR
 Use [do not use] TCP when querying name servers. This alternate syntax to
 \fI+[no]tcp\fR
 is provided for backwards compatibility. The "vc" stands for "virtual circuit".
-.TP
+.TP 3n
 \fB+[no]ignore\fR
 Ignore truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed.
-.TP
+.TP 3n
 \fB+domain=somename\fR
 Set the search list to contain the single domain
 \fIsomename\fR, as if specified in a
@@ -217,35 +222,35 @@ directive in
 \fI/etc/resolv.conf\fR, and enable search list processing as if the
 \fI+search\fR
 option were given.
-.TP
+.TP 3n
 \fB+[no]search\fR
 Use [do not use] the search list defined by the searchlist or domain directive in
 \fIresolv.conf\fR
 (if any). The search list is not used by default.
-.TP
+.TP 3n
 \fB+[no]defname\fR
 Deprecated, treated as a synonym for
 \fI+[no]search\fR
-.TP
+.TP 3n
 \fB+[no]aaonly\fR
 Sets the "aa" flag in the query.
-.TP
+.TP 3n
 \fB+[no]aaflag\fR
 A synonym for
 \fI+[no]aaonly\fR.
-.TP
+.TP 3n
 \fB+[no]adflag\fR
 Set [do not set] the AD (authentic data) bit in the query. The AD bit currently has a standard meaning only in responses, not in queries, but the ability to set the bit in the query is provided for completeness.
-.TP
+.TP 3n
 \fB+[no]cdflag\fR
 Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses.
-.TP
+.TP 3n
 \fB+[no]cl\fR
 Display [do not display] the CLASS when printing the record.
-.TP
+.TP 3n
 \fB+[no]ttlid\fR
 Display [do not display] the TTL when printing the record.
-.TP
+.TP 3n
 \fB+[no]recurse\fR
 Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means
 \fBdig\fR
@@ -254,74 +259,74 @@ normally sends recursive queries. Recursion is automatically disabled when the
 or
 \fI+trace\fR
 query options are used.
-.TP
+.TP 3n
 \fB+[no]nssearch\fR
 When this option is set,
 \fBdig\fR
 attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone.
-.TP
+.TP 3n
 \fB+[no]trace\fR
 Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled,
 \fBdig\fR
 makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup.
-.TP
+.TP 3n
 \fB+[no]cmd\fR
 toggles the printing of the initial comment in the output identifying the version of
 \fBdig\fR
 and the query options that have been applied. This comment is printed by default.
-.TP
+.TP 3n
 \fB+[no]short\fR
 Provide a terse answer. The default is to print the answer in a verbose form.
-.TP
+.TP 3n
 \fB+[no]identify\fR
 Show [or do not show] the IP address and port number that supplied the answer when the
 \fI+short\fR
 option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer.
-.TP
+.TP 3n
 \fB+[no]comments\fR
 Toggle the display of comment lines in the output. The default is to print comments.
-.TP
+.TP 3n
 \fB+[no]stats\fR
 This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behaviour is to print the query statistics.
-.TP
+.TP 3n
 \fB+[no]qr\fR
 Print [do not print] the query as it is sent. By default, the query is not printed.
-.TP
+.TP 3n
 \fB+[no]question\fR
 Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment.
-.TP
+.TP 3n
 \fB+[no]answer\fR
 Display [do not display] the answer section of a reply. The default is to display it.
-.TP
+.TP 3n
 \fB+[no]authority\fR
 Display [do not display] the authority section of a reply. The default is to display it.
-.TP
+.TP 3n
 \fB+[no]additional\fR
 Display [do not display] the additional section of a reply. The default is to display it.
-.TP
+.TP 3n
 \fB+[no]all\fR
 Set or clear all display flags.
-.TP
+.TP 3n
 \fB+time=T\fR
 Sets the timeout for a query to
 \fIT\fR
 seconds. The default time out is 5 seconds. An attempt to set
 \fIT\fR
 to less than 1 will result in a query timeout of 1 second being applied.
-.TP
+.TP 3n
 \fB+tries=T\fR
 Sets the number of times to try UDP queries to server to
 \fIT\fR
 instead of the default, 3. If
 \fIT\fR
 is less than or equal to zero, the number of tries is silently rounded up to 1.
-.TP
+.TP 3n
 \fB+retry=T\fR
 Sets the number of times to retry UDP queries to server to
 \fIT\fR
 instead of the default, 2. Unlike
 \fI+tries\fR, this does not include the initial query.
-.TP
+.TP 3n
 \fB+ndots=D\fR
 Set the number of dots that have to appear in
 \fIname\fR
@@ -334,29 +339,29 @@ or
 \fBdomain\fR
 directive in
 \fI/etc/resolv.conf\fR.
-.TP
+.TP 3n
 \fB+bufsize=B\fR
 Set the UDP message buffer size advertised using EDNS0 to
 \fIB\fR
 bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately.
-.TP
+.TP 3n
 \fB+[no]multiline\fR
 Print records like the SOA records in a verbose multi\-line format with human\-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the
 \fBdig\fR
 output.
-.TP
+.TP 3n
 \fB+[no]fail\fR
 Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behaviour.
-.TP
+.TP 3n
 \fB+[no]besteffort\fR
 Attempt to display the contents of messages which are malformed. The default is to not display malformed answers.
-.TP
+.TP 3n
 \fB+[no]dnssec\fR
 Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query.
-.TP
+.TP 3n
 \fB+[no]sigchase\fR
 Chase DNSSEC signature chains. Requires dig be compiled with \-DDIG_SIGCHASE.
-.TP
+.TP 3n
 \fB+trusted\-key=####\fR
 Specifies a file containing trusted keys to be used with
 \fB+sigchase\fR. Each DNSKEY record must be on its own line.
@@ -370,7 +375,7 @@ then
 in the current directory.
 .sp
 Requires dig be compiled with \-DDIG_SIGCHASE.
-.TP
+.TP 3n
 \fB+[no]topdown\fR
 When chasing DNSSEC signature chains perform a top down validation. Requires dig be compiled with \-DDIG_SIGCHASE.
 .SH "MULTIPLE QUERIES"
@@ -389,9 +394,11 @@ A global set of query options, which should be applied to all queries, can also
 \fB+[no]cmd\fR
 option) can be overridden by a query\-specific set of query options. For example:
 .sp
+.RS 3n
 .nf
 dig +qr www.isc.org any \-x 127.0.0.1 isc.org ns +noqr
 .fi
+.RE
 .sp
 shows how
 \fBdig\fR
@@ -421,3 +428,5 @@ RFC1035.
 .SH "BUGS "
 .PP
 There are probably too many query options.
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/bin/dig/dig.c b/contrib/bind-9.3/bin/dig/dig.c
index 52df660868..619e029806 100644
--- a/contrib/bind-9.3/bin/dig/dig.c
+++ b/contrib/bind-9.3/bin/dig/dig.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dig.c,v 1.157.2.13.2.29 2005/10/14 01:38:40 marka Exp $ */
+/* $Id: dig.c,v 1.157.2.13.2.31 2006/07/22 23:52:57 marka Exp $ */
 
 #include <config.h>
 #include <stdlib.h>
@@ -1437,7 +1437,7 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 			 * Anything which isn't an option
 			 */
 			if (open_type_class) {
-				if (strncmp(rv[0], "ixfr=", 5) == 0) {
+				if (strncasecmp(rv[0], "ixfr=", 5) == 0) {
 					rdtype = dns_rdatatype_ixfr;
 					result = ISC_R_SUCCESS;
 				} else {
diff --git a/contrib/bind-9.3/bin/dig/dig.html b/contrib/bind-9.3/bin/dig/dig.html
index 3425fb3d21..06771b3a1c 100644
--- a/contrib/bind-9.3/bin/dig/dig.html
+++ b/contrib/bind-9.3/bin/dig/dig.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: dig.html,v 1.6.2.4.2.13 2005/10/13 02:33:43 marka Exp $ -->
+<!-- $Id: dig.html,v 1.6.2.4.2.15 2006/06/29 13:02:30 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dig</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>dig &#8212; DNS lookup utility</p>
@@ -34,7 +34,7 @@
 <div class="cmdsynopsis"><p><code class="command">dig</code>  [global-queryopt...] [query...]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525976"></a><h2>DESCRIPTION</h2>
+<a name="id2549541"></a><h2>DESCRIPTION</h2>
 <p>
 <span><strong class="command">dig</strong></span> (domain information groper) is a flexible tool
 for interrogating DNS name servers.  It performs DNS lookups and
@@ -69,7 +69,7 @@ are applied before the command line arguments.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526035"></a><h2>SIMPLE USAGE</h2>
+<a name="id2549600"></a><h2>SIMPLE USAGE</h2>
 <p>
 A typical invocation of <span><strong class="command">dig</strong></span> looks like:
 </p>
@@ -107,7 +107,7 @@ ANY, A, MX, SIG, etc.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526114"></a><h2>OPTIONS</h2>
+<a name="id2549747"></a><h2>OPTIONS</h2>
 <p>
 The <code class="option">-b</code> option sets the source IP address of the query
 to <em class="parameter"><code>address</code></em>.  This must be a valid address on
@@ -188,7 +188,7 @@ being used.  In BIND, this is done by providing appropriate
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526365"></a><h2>QUERY OPTIONS</h2>
+<a name="id2549998"></a><h2>QUERY OPTIONS</h2>
 <p>
 <span><strong class="command">dig</strong></span> provides a number of query options which affect
 the way in which lookups are made and the results displayed.  Some of
@@ -446,7 +446,7 @@ Requires dig be compiled with -DDIG_SIGCHASE.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2527033"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2550666"></a><h2>MULTIPLE QUERIES</h2>
 <p>
 The BIND 9 implementation of <span><strong class="command">dig </strong></span> supports
 specifying multiple queries on the command line (in addition to
@@ -487,7 +487,7 @@ will not print the initial query when it looks up the NS records for
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2527092"></a><h2>FILES</h2>
+<a name="id2550725"></a><h2>FILES</h2>
 <p>
 <code class="filename">/etc/resolv.conf</code>
 </p>
@@ -496,7 +496,7 @@ will not print the initial query when it looks up the NS records for
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2527111"></a><h2>SEE ALSO</h2>
+<a name="id2550744"></a><h2>SEE ALSO</h2>
 <p>
 <span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
 <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -505,7 +505,7 @@ will not print the initial query when it looks up the NS records for
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2527149"></a><h2>BUGS </h2>
+<a name="id2550782"></a><h2>BUGS </h2>
 <p>
 There are probably too many query options. 
 </p>
diff --git a/contrib/bind-9.3/bin/dig/dighost.c b/contrib/bind-9.3/bin/dig/dighost.c
index 6129fedb6c..398711d4f1 100644
--- a/contrib/bind-9.3/bin/dig/dighost.c
+++ b/contrib/bind-9.3/bin/dig/dighost.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dighost.c,v 1.221.2.19.2.31 2005/10/14 01:38:40 marka Exp $ */
+/* $Id: dighost.c,v 1.221.2.19.2.36 2006/12/07 01:26:33 marka Exp $ */
 
 /*
  * Notice to programmers:  Do not use this code as an example of how to
@@ -314,6 +314,9 @@ cancel_lookup(dig_lookup_t *lookup);
 static void
 recv_done(isc_task_t *task, isc_event_t *event);
 
+static void
+send_udp(dig_query_t *query);
+
 static void
 connect_timeout(isc_task_t *task, isc_event_t *event);
 
@@ -945,9 +948,8 @@ setup_system(void) {
 	if (lwresult != LWRES_R_SUCCESS)
 		fatal("lwres_context_create failed");
 
-	if (isc_file_exists(RESOLV_CONF))
-		lwresult = lwres_conf_parse(lwctx, RESOLV_CONF);
-	if (lwresult != LWRES_R_SUCCESS)
+	lwresult = lwres_conf_parse(lwctx, RESOLV_CONF);
+	if (lwresult != LWRES_R_SUCCESS && lwresult != LWRES_R_NOTFOUND)
 		fatal("parse of %s failed", RESOLV_CONF);
 
 	lwconf = lwres_conf_get(lwctx);
@@ -1194,7 +1196,10 @@ clear_query(dig_query_t *query) {
 	isc_mempool_put(commctx, query->recvspace);
 	isc_buffer_invalidate(&query->recvbuf);
 	isc_buffer_invalidate(&query->lengthbuf);
-	isc_mem_free(mctx, query);
+	if (query->waiting_senddone)
+		query->pending_free = ISC_TRUE;
+	else
+		isc_mem_free(mctx, query);
 }
 
 /*
@@ -1219,9 +1224,10 @@ try_clear_lookup(dig_lookup_t *lookup) {
 				debug("query to %s still pending", q->servname);
 				q = ISC_LIST_NEXT(q, link);
 			}
-			return (ISC_FALSE);
 		}
+		return (ISC_FALSE);
 	}
+
 	/*
 	 * At this point, we know there are no queries on the lookup,
 	 * so can make it go away also.
@@ -1254,7 +1260,6 @@ try_clear_lookup(dig_lookup_t *lookup) {
 	return (ISC_TRUE);
 }
 
-
 /*
  * If we can, start the next lookup in the queue running.
  * This assumes that the lookup on the head of the queue hasn't been
@@ -1784,9 +1789,9 @@ setup_lookup(dig_lookup_t *lookup) {
 	check_result(result, "dns_compress_init");
 
 	debug("starting to render the message");
-	isc_buffer_init(&lookup->sendbuf, lookup->sendspace, COMMSIZE);
+	isc_buffer_init(&lookup->renderbuf, lookup->sendspace, COMMSIZE);
 	result = dns_message_renderbegin(lookup->sendmsg, &cctx,
-					 &lookup->sendbuf);
+					 &lookup->renderbuf);
 	check_result(result, "dns_message_renderbegin");
 	if (lookup->udpsize > 0 || lookup->dnssec) {
 		if (lookup->udpsize == 0)
@@ -1809,7 +1814,7 @@ setup_lookup(dig_lookup_t *lookup) {
 	/*
 	 * Force TCP mode if the request is larger than 512 bytes.
 	 */
-	if (isc_buffer_usedlength(&lookup->sendbuf) > 512)
+	if (isc_buffer_usedlength(&lookup->renderbuf) > 512)
 		lookup->tcp_mode = ISC_TRUE;
 
 	lookup->pending = ISC_FALSE;
@@ -1825,6 +1830,8 @@ setup_lookup(dig_lookup_t *lookup) {
 		       query, lookup);
 		query->lookup = lookup;
 		query->waiting_connect = ISC_FALSE;
+		query->waiting_senddone = ISC_FALSE;
+		query->pending_free = ISC_FALSE;
 		query->recv_made = ISC_FALSE;
 		query->first_pass = ISC_TRUE;
 		query->first_soa_rcvd = ISC_FALSE;
@@ -1848,6 +1855,7 @@ setup_lookup(dig_lookup_t *lookup) {
 		isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE);
 		isc_buffer_init(&query->lengthbuf, query->lengthspace, 2);
 		isc_buffer_init(&query->slbuf, query->slspace, 2);
+		query->sendbuf = lookup->renderbuf;
 
 		ISC_LINK_INIT(query, link);
 		ISC_LIST_ENQUEUE(lookup->q, query, link);
@@ -1865,18 +1873,43 @@ setup_lookup(dig_lookup_t *lookup) {
  */
 static void
 send_done(isc_task_t *_task, isc_event_t *event) {
+	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+	isc_buffer_t *b = NULL;
+	dig_query_t *query, *next;
+	dig_lookup_t *l;
+
 	REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
 
 	UNUSED(_task);
 
 	LOCK_LOOKUP;
 
-	isc_event_free(&event);
-
 	debug("send_done()");
 	sendcount--;
 	debug("sendcount=%d", sendcount);
 	INSIST(sendcount >= 0);
+
+	for  (b = ISC_LIST_HEAD(sevent->bufferlist);
+	      b != NULL;
+	      b = ISC_LIST_HEAD(sevent->bufferlist)) 
+		ISC_LIST_DEQUEUE(sevent->bufferlist, b, link);
+
+	query = event->ev_arg;
+	query->waiting_senddone = ISC_FALSE;
+	l = query->lookup;
+
+	if (l->ns_search_only && !l->trace_root) {
+		debug("sending next, since searching");
+		next = ISC_LIST_NEXT(query, link);
+		if (next != NULL)
+			send_udp(next);
+	}
+
+	isc_event_free(&event);
+
+	if (query->pending_free)
+		isc_mem_free(mctx, query);
+
 	check_if_done();
 	UNLOCK_LOOKUP;
 }
@@ -2020,7 +2053,6 @@ send_tcp_connect(dig_query_t *query) {
 static void
 send_udp(dig_query_t *query) {
 	dig_lookup_t *l = NULL;
-	dig_query_t *next;
 	isc_result_t result;
 
 	debug("send_udp(%p)", query);
@@ -2062,27 +2094,16 @@ send_udp(dig_query_t *query) {
 		debug("recvcount=%d", recvcount);
 	}
 	ISC_LIST_INIT(query->sendlist);
-	ISC_LINK_INIT(&l->sendbuf, link);
-	ISC_LIST_ENQUEUE(query->sendlist, &l->sendbuf,
-			 link);
+	ISC_LIST_ENQUEUE(query->sendlist, &query->sendbuf, link);
 	debug("sending a request");
 	TIME_NOW(&query->time_sent);
 	INSIST(query->sock != NULL);
+	query->waiting_senddone = ISC_TRUE;
 	result = isc_socket_sendtov(query->sock, &query->sendlist,
 				    global_task, send_done, query,
 				    &query->sockaddr, NULL);
 	check_result(result, "isc_socket_sendtov");
 	sendcount++;
-	/*
-	 * If we're at the endgame of a nameserver search, we need to
-	 * immediately bring up all the queries.  Do it here.
-	 */
-	if (l->ns_search_only && !l->trace_root) {
-		debug("sending next, since searching");
-		next = ISC_LIST_NEXT(query, link);
-		if (next != NULL)
-			send_udp(next);
-	}
 }
 
 /*
@@ -2171,6 +2192,10 @@ tcp_length_done(isc_task_t *task, isc_event_t *event) {
 	recvcount--;
 	INSIST(recvcount >= 0);
 
+	b = ISC_LIST_HEAD(sevent->bufferlist);
+	INSIST(b ==  &query->lengthbuf);
+	ISC_LIST_DEQUEUE(sevent->bufferlist, b, link);
+
 	if (sevent->result == ISC_R_CANCELED) {
 		isc_event_free(&event);
 		l = query->lookup;
@@ -2196,8 +2221,6 @@ tcp_length_done(isc_task_t *task, isc_event_t *event) {
 		UNLOCK_LOOKUP;
 		return;
 	}
-	b = ISC_LIST_HEAD(sevent->bufferlist);
-	ISC_LIST_DEQUEUE(sevent->bufferlist, &query->lengthbuf, link);
 	length = isc_buffer_getuint16(b);
 	if (length == 0) {
 		isc_event_free(&event);
@@ -2254,16 +2277,12 @@ launch_next_query(dig_query_t *query, isc_boolean_t include_question) {
 
 	isc_buffer_clear(&query->slbuf);
 	isc_buffer_clear(&query->lengthbuf);
-	isc_buffer_putuint16(&query->slbuf,
-			     (isc_uint16_t) query->lookup->sendbuf.used);
+	isc_buffer_putuint16(&query->slbuf, (isc_uint16_t) query->sendbuf.used);
 	ISC_LIST_INIT(query->sendlist);
 	ISC_LINK_INIT(&query->slbuf, link);
 	ISC_LIST_ENQUEUE(query->sendlist, &query->slbuf, link);
-	if (include_question) {
-		ISC_LINK_INIT(&query->lookup->sendbuf, link);
-		ISC_LIST_ENQUEUE(query->sendlist, &query->lookup->sendbuf,
-				 link);
-	}
+	if (include_question)
+		ISC_LIST_ENQUEUE(query->sendlist, &query->sendbuf, link);
 	ISC_LINK_INIT(&query->lengthbuf, link);
 	ISC_LIST_ENQUEUE(query->lengthlist, &query->lengthbuf, link);
 
@@ -2275,6 +2294,7 @@ launch_next_query(dig_query_t *query, isc_boolean_t include_question) {
 	if (!query->first_soa_rcvd) {
 		debug("sending a request in launch_next_query");
 		TIME_NOW(&query->time_sent);
+		query->waiting_senddone = ISC_TRUE;
 		result = isc_socket_sendv(query->sock, &query->sendlist,
 					  global_task, send_done, query);
 		check_result(result, "isc_socket_sendv");
@@ -2558,6 +2578,10 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	REQUIRE(event->ev_type == ISC_SOCKEVENT_RECVDONE);
 	sevent = (isc_socketevent_t *)event;
 
+	b = ISC_LIST_HEAD(sevent->bufferlist);
+	INSIST(b == &query->recvbuf);
+	ISC_LIST_DEQUEUE(sevent->bufferlist, &query->recvbuf, link);
+
 	if ((l->tcp_mode) && (l->timer != NULL))
 		isc_timer_touch(l->timer);
 	if ((!l->pending && !l->ns_search_only) || cancel_now) {
@@ -2591,9 +2615,6 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		return;
 	}
 
-	b = ISC_LIST_HEAD(sevent->bufferlist);
-	ISC_LIST_DEQUEUE(sevent->bufferlist, &query->recvbuf, link);
-
 	if (!l->tcp_mode &&
 	    !isc_sockaddr_equal(&sevent->address, &query->sockaddr)) {
 		char buf1[ISC_SOCKADDR_FORMATSIZE];
diff --git a/contrib/bind-9.3/bin/dig/host.1 b/contrib/bind-9.3/bin/dig/host.1
index cf44a5c3f3..3a0432cc1d 100644
--- a/contrib/bind-9.3/bin/dig/host.1
+++ b/contrib/bind-9.3/bin/dig/host.1
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: host.1,v 1.11.2.1.4.7 2005/10/13 02:33:43 marka Exp $
+.\" $Id: host.1,v 1.11.2.1.4.8 2006/06/29 13:02:30 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: host
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "HOST" "1" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -183,3 +186,5 @@ will effectively wait forever for a reply. The time to wait for a response will
 .PP
 \fBdig\fR(1),
 \fBnamed\fR(8).
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/bin/dig/host.c b/contrib/bind-9.3/bin/dig/host.c
index 468d53bf94..7d8ce9b80b 100644
--- a/contrib/bind-9.3/bin/dig/host.c
+++ b/contrib/bind-9.3/bin/dig/host.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: host.c,v 1.76.2.5.2.13 2005/07/04 03:29:45 marka Exp $ */
+/* $Id: host.c,v 1.76.2.5.2.16 2006/05/23 04:43:47 marka Exp $ */
 
 #include <config.h>
 #include <limits.h>
@@ -37,6 +37,7 @@
 #include <dns/rdataclass.h>
 #include <dns/rdataset.h>
 #include <dns/rdatatype.h>
+#include <dns/rdatastruct.h>
 
 #include <dig/dig.h>
 
@@ -45,6 +46,7 @@ static isc_boolean_t default_lookups = ISC_TRUE;
 static int seen_error = -1;
 static isc_boolean_t list_addresses = ISC_TRUE;
 static dns_rdatatype_t list_type = dns_rdatatype_a;
+static isc_boolean_t printed_server = ISC_FALSE;
 
 static const char *opcodetext[] = {
 	"QUERY",
@@ -351,6 +353,32 @@ printrdata(dns_message_t *msg, dns_rdataset_t *rdataset, dns_name_t *owner,
 	return (ISC_R_SUCCESS);
 }
 
+static void
+chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
+	isc_result_t result;
+	dns_rdataset_t *rdataset;
+	dns_rdata_cname_t cname;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned int i = msg->counts[DNS_SECTION_ANSWER];
+
+ 	while (i-- > 0) {
+		rdataset = NULL;
+		result = dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
+					      dns_rdatatype_cname, 0, NULL,
+					      &rdataset);
+		if (result != ISC_R_SUCCESS)
+			return;
+		result = dns_rdataset_first(rdataset);
+		check_result(result, "dns_rdataset_first");
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &cname, NULL);
+		check_result(result, "dns_rdata_tostruct");
+		dns_name_copy(&cname.cname, qname, NULL);
+		dns_rdata_freestruct(&cname);
+	}
+}
+
 isc_result_t
 printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 	isc_boolean_t did_flag = ISC_FALSE;
@@ -367,7 +395,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 	 */
 	force_error = (seen_error == 1) ? 1 : 0;
 	seen_error = 1;
-	if (listed_server) {
+	if (listed_server && !printed_server) {
 		char sockstr[ISC_SOCKADDR_FORMATSIZE];
 
 		printf("Using domain server:\n");
@@ -376,6 +404,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 				    sizeof(sockstr));
 		printf("Address: %s\n", sockstr);
 		printf("Aliases: \n\n");
+		printed_server = ISC_TRUE;
 	}
 
 	if (msg->rcode != 0) {
@@ -389,10 +418,15 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 	if (default_lookups && query->lookup->rdtype == dns_rdatatype_a) {
 		char namestr[DNS_NAME_FORMATSIZE];
 		dig_lookup_t *lookup;
+		dns_fixedname_t fixed;
+		dns_name_t *name;
 
 		/* Add AAAA and MX lookups. */
-
-		dns_name_format(query->lookup->name, namestr, sizeof(namestr));
+		dns_fixedname_init(&fixed);
+		name = dns_fixedname_name(&fixed);
+		dns_name_copy(query->lookup->name, name, NULL);
+		chase_cnamechain(msg, name);
+		dns_name_format(name, namestr, sizeof(namestr));
 		lookup = clone_lookup(query->lookup, ISC_FALSE);
 		if (lookup != NULL) {
 			strncpy(lookup->textname, namestr,
diff --git a/contrib/bind-9.3/bin/dig/host.html b/contrib/bind-9.3/bin/dig/host.html
index 7670868cee..4c16215104 100644
--- a/contrib/bind-9.3/bin/dig/host.html
+++ b/contrib/bind-9.3/bin/dig/host.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: host.html,v 1.4.2.1.4.12 2005/10/13 02:33:44 marka Exp $ -->
+<!-- $Id: host.html,v 1.4.2.1.4.14 2006/06/29 13:02:30 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>host</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>host &#8212; DNS lookup utility</p>
@@ -32,7 +32,7 @@
 <div class="cmdsynopsis"><p><code class="command">host</code>  [<code class="option">-aCdlnrTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525901"></a><h2>DESCRIPTION</h2>
+<a name="id2549466"></a><h2>DESCRIPTION</h2>
 <p>
 <span><strong class="command">host</strong></span>
 is a simple utility for performing DNS lookups.
@@ -155,13 +155,13 @@ value for an integer quantity.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526241"></a><h2>FILES</h2>
+<a name="id2549874"></a><h2>FILES</h2>
 <p>
 <code class="filename">/etc/resolv.conf</code>
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526253"></a><h2>SEE ALSO</h2>
+<a name="id2549886"></a><h2>SEE ALSO</h2>
 <p>
 <span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
 <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
diff --git a/contrib/bind-9.3/bin/dig/include/dig/dig.h b/contrib/bind-9.3/bin/dig/include/dig/dig.h
index 431d109cf0..91dae5cf2e 100644
--- a/contrib/bind-9.3/bin/dig/include/dig/dig.h
+++ b/contrib/bind-9.3/bin/dig/include/dig/dig.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dig.h,v 1.71.2.6.2.11 2005/07/04 03:29:45 marka Exp $ */
+/* $Id: dig.h,v 1.71.2.6.2.14 2006/12/07 01:26:33 marka Exp $ */
 
 #ifndef DIG_H
 #define DIG_H
@@ -146,7 +146,7 @@ isc_boolean_t	sigchase;
 	char onamespace[BUFSIZE];
 	isc_buffer_t namebuf;
 	isc_buffer_t onamebuf;
-	isc_buffer_t sendbuf;
+	isc_buffer_t renderbuf;
 	char *sendspace;
 	dns_name_t *name;
 	isc_timer_t *timer;
@@ -173,6 +173,8 @@ isc_boolean_t	sigchase;
 struct dig_query {
 	dig_lookup_t *lookup;
 	isc_boolean_t waiting_connect,
+		pending_free,
+		waiting_senddone,
 		first_pass,
 		first_soa_rcvd,
 		second_rr_rcvd,
@@ -198,6 +200,7 @@ struct dig_query {
 	ISC_LINK(dig_query_t) link;
 	isc_sockaddr_t sockaddr;
 	isc_time_t time_sent;
+	isc_buffer_t sendbuf;
 };
 
 struct dig_server {
diff --git a/contrib/bind-9.3/bin/dig/nslookup.1 b/contrib/bind-9.3/bin/dig/nslookup.1
index 3de04ca4f9..7b1d4d2f7f 100644
--- a/contrib/bind-9.3/bin/dig/nslookup.1
+++ b/contrib/bind-9.3/bin/dig/nslookup.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -12,14 +12,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: nslookup.1,v 1.1.6.5 2005/10/13 02:33:43 marka Exp $
+.\" $Id: nslookup.1,v 1.1.6.7 2006/06/29 13:02:30 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: nslookup
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "NSLOOKUP" "1" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -39,26 +42,28 @@ has two modes: interactive and non\-interactive. Interactive mode allows the use
 .SH "ARGUMENTS"
 .PP
 Interactive mode is entered in the following cases:
-.TP 3
+.TP 3n
 1.
 when no arguments are given (the default name server will be used)
-.TP
+.TP 3n
 2.
 when the first argument is a hyphen (\-) and the second argument is the host name or Internet address of a name server.
+.sp
+.RE
 .PP
 Non\-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The optional second argument specifies the host name or address of a name server.
 .PP
 Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type:
-.IP .sp .nf nslookup \-query=hinfo \-timeout=10 .fi
+.sp .RS 3n .nf nslookup \-query=hinfo \-timeout=10 .fi .RE
 .SH "INTERACTIVE COMMANDS"
-.TP
+.TP 3n
 host [server]
 Look up information for host using the current default server or using server, if specified. If host is an Internet address and the query type is A or PTR, the name of the host is returned. If host is a name and does not have a trailing period, the search list is used to qualify the name.
 .sp
 To look up a host not in the current domain, append a period to the name.
-.TP
+.TP 3n
 \fBserver\fR \fIdomain\fR
-.TP
+.TP 3n
 \fBlserver\fR \fIdomain\fR
 Change the default server to
 \fIdomain\fR;
@@ -67,107 +72,107 @@ uses the initial server to look up information about
 \fIdomain\fR, while
 \fBserver\fR
 uses the current default server. If an authoritative answer can't be found, the names of servers that might have the answer are returned.
-.TP
+.TP 3n
 \fBroot\fR
 not implemented
-.TP
+.TP 3n
 \fBfinger\fR
 not implemented
-.TP
+.TP 3n
 \fBls\fR
 not implemented
-.TP
+.TP 3n
 \fBview\fR
 not implemented
-.TP
+.TP 3n
 \fBhelp\fR
 not implemented
-.TP
+.TP 3n
 \fB?\fR
 not implemented
-.TP
+.TP 3n
 \fBexit\fR
 Exits the program.
-.TP
+.TP 3n
 \fBset\fR \fIkeyword\fR\fI[=value]\fR
 This command is used to change state information that affects the lookups. Valid keywords are:
-.RS
-.TP
+.RS 3n
+.TP 3n
 \fBall\fR
 Prints the current values of the frequently used options to
 \fBset\fR. Information about the current default server and host is also printed.
-.TP
+.TP 3n
 \fBclass=\fR\fIvalue\fR
 Change the query class to one of:
-.RS
-.TP
+.RS 3n
+.TP 3n
 \fBIN\fR
 the Internet class
-.TP
+.TP 3n
 \fBCH\fR
 the Chaos class
-.TP
+.TP 3n
 \fBHS\fR
 the Hesiod class
-.TP
+.TP 3n
 \fBANY\fR
 wildcard
 .RE
-.IP
+.IP "" 3n
 The class specifies the protocol group of the information.
 .sp
 (Default = IN; abbreviation = cl)
-.TP
+.TP 3n
 \fB\fI[no]\fR\fR\fBdebug\fR
 Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer.
 .sp
 (Default = nodebug; abbreviation =
 [no]deb)
-.TP
+.TP 3n
 \fB\fI[no]\fR\fR\fBd2\fR
 Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer.
 .sp
 (Default = nod2)
-.TP
+.TP 3n
 \fBdomain=\fR\fIname\fR
 Sets the search list to
 \fIname\fR.
-.TP
+.TP 3n
 \fB\fI[no]\fR\fR\fBsearch\fR
 If the lookup request contains at least one period but doesn't end with a trailing period, append the domain names in the domain search list to the request until an answer is received.
 .sp
 (Default = search)
-.TP
+.TP 3n
 \fBport=\fR\fIvalue\fR
 Change the default TCP/UDP name server port to
 \fIvalue\fR.
 .sp
 (Default = 53; abbreviation = po)
-.TP
+.TP 3n
 \fBquerytype=\fR\fIvalue\fR
-.TP
+.TP 3n
 \fBtype=\fR\fIvalue\fR
-Change the top of the information query.
+Change the type of the information query.
 .sp
 (Default = A; abbreviations = q, ty)
-.TP
+.TP 3n
 \fB\fI[no]\fR\fR\fBrecurse\fR
 Tell the name server to query other servers if it does not have the information.
 .sp
 (Default = recurse; abbreviation = [no]rec)
-.TP
+.TP 3n
 \fBretry=\fR\fInumber\fR
 Set the number of retries to number.
-.TP
+.TP 3n
 \fBtimeout=\fR\fInumber\fR
 Change the initial timeout interval for waiting for a reply to number seconds.
-.TP
+.TP 3n
 \fB\fI[no]\fR\fR\fBvc\fR
 Always use a virtual circuit when sending requests to the server.
 .sp
 (Default = novc)
 .RE
-.IP
+.IP "" 3n
 .SH "FILES"
 .PP
 \fI/etc/resolv.conf\fR
@@ -179,3 +184,5 @@ Always use a virtual circuit when sending requests to the server.
 .SH "AUTHOR"
 .PP
 Andrew Cherenson
+.SH "COPYRIGHT"
+Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/bin/dig/nslookup.c b/contrib/bind-9.3/bin/dig/nslookup.c
index ab9ed68764..5ae64d0d59 100644
--- a/contrib/bind-9.3/bin/dig/nslookup.c
+++ b/contrib/bind-9.3/bin/dig/nslookup.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nslookup.c,v 1.90.2.4.2.10 2005/07/12 05:47:42 marka Exp $ */
+/* $Id: nslookup.c,v 1.90.2.4.2.12 2006/06/09 23:50:53 marka Exp $ */
 
 #include <config.h>
 
@@ -708,6 +708,7 @@ get_next_command(void) {
 	if (buf == NULL)
 		fatal("memory allocation failure");
 	fputs("> ", stderr);
+	fflush(stderr);
 	isc_app_block();
 	ptr = fgets(buf, COMMSIZE, stdin);
 	isc_app_unblock();
diff --git a/contrib/bind-9.3/bin/dig/nslookup.html b/contrib/bind-9.3/bin/dig/nslookup.html
index fc2e4e80d7..e6801e9512 100644
--- a/contrib/bind-9.3/bin/dig/nslookup.html
+++ b/contrib/bind-9.3/bin/dig/nslookup.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -13,15 +13,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: nslookup.html,v 1.1.6.9 2005/10/13 02:33:44 marka Exp $ -->
+<!-- $Id: nslookup.html,v 1.1.6.12 2006/06/29 13:02:30 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>nslookup</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463728"></a><div class="titlepage"></div>
+<a name="id2482694"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>nslookup &#8212; query Internet name servers interactively</p>
@@ -31,7 +31,7 @@
 <div class="cmdsynopsis"><p><code class="command">nslookup</code>  [<code class="option">-option</code>] [name | -] [server]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525973"></a><h2>DESCRIPTION</h2>
+<a name="id2549404"></a><h2>DESCRIPTION</h2>
 <p>
 <span><strong class="command">Nslookup</strong></span>
 is a program to query Internet domain name servers.  <span><strong class="command">Nslookup</strong></span>
@@ -43,7 +43,7 @@ domain.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525990"></a><h2>ARGUMENTS</h2>
+<a name="id2549421"></a><h2>ARGUMENTS</h2>
 <p>
 Interactive mode is entered in the following cases:
 </p>
@@ -75,7 +75,7 @@ nslookup -query=hinfo  -timeout=10
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526033"></a><h2>INTERACTIVE COMMANDS</h2>
+<a name="id2549464"></a><h2>INTERACTIVE COMMANDS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">host [<span class="optional">server</span>]</span></dt>
 <dd>
@@ -200,7 +200,7 @@ the lookups.  Valid keywords are:
 <dt><span class="term"><code class="constant">type=</code><em class="replaceable"><code>value</code></em></span></dt>
 <dd>
 <p>
-  Change the top of the information query.
+  Change the type of the information query.
   </p>
 <p>
   (Default = A; abbreviations = q, ty)
@@ -241,13 +241,13 @@ the lookups.  Valid keywords are:
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526490"></a><h2>FILES</h2>
+<a name="id2549990"></a><h2>FILES</h2>
 <p>
 <code class="filename">/etc/resolv.conf</code>
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526503"></a><h2>SEE ALSO</h2>
+<a name="id2550003"></a><h2>SEE ALSO</h2>
 <p>
 <span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
 <span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
@@ -255,7 +255,7 @@ the lookups.  Valid keywords are:
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526538"></a><h2>Author</h2>
+<a name="id2550038"></a><h2>Author</h2>
 <p>
 Andrew Cherenson
 </p>
diff --git a/contrib/bind-9.3/bin/dnssec/dnssec-keygen.8 b/contrib/bind-9.3/bin/dnssec/dnssec-keygen.8
index 0f8f003de4..35bb0efda5 100644
--- a/contrib/bind-9.3/bin/dnssec/dnssec-keygen.8
+++ b/contrib/bind-9.3/bin/dnssec/dnssec-keygen.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-keygen.8,v 1.19.12.9 2005/10/13 02:33:45 marka Exp $
+.\" $Id: dnssec-keygen.8,v 1.19.12.10 2006/06/29 13:02:30 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: dnssec\-keygen
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: June 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "DNSSEC\-KEYGEN" "8" "June 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -36,7 +39,7 @@ dnssec\-keygen \- DNSSEC key generation tool
 \fBdnssec\-keygen\fR
 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC <TBA\\>. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845.
 .SH "OPTIONS"
-.TP
+.TP 3n
 \-a \fIalgorithm\fR
 Selects the cryptographic algorithm. The value of
 \fBalgorithm\fR
@@ -45,37 +48,37 @@ must be one of RSAMD5 (RSA) or RSASHA1, DSA, DH (Diffie Hellman), or HMAC\-MD5.
 Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC\-MD5 is mandatory.
 .sp
 Note 2: HMAC\-MD5 and DH automatically set the \-k flag.
-.TP
+.TP 3n
 \-b \fIkeysize\fR
 Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC\-MD5 keys must be between 1 and 512 bits.
-.TP
+.TP 3n
 \-n \fInametype\fR
 Specifies the owner type of the key. The value of
 \fBnametype\fR
 must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive.
-.TP
+.TP 3n
 \-c \fIclass\fR
 Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
-.TP
+.TP 3n
 \-e
 If generating an RSAMD5/RSASHA1 key, use a large exponent.
-.TP
+.TP 3n
 \-f \fIflag\fR
 Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY.
-.TP
+.TP 3n
 \-g \fIgenerator\fR
 If generating a Diffie Hellman key, use this generator. Allowed values are 2 and 5. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2.
-.TP
+.TP 3n
 \-h
 Prints a short summary of the options and arguments to
 \fBdnssec\-keygen\fR.
-.TP
+.TP 3n
 \-k
 Generate KEY records rather than DNSKEY records.
-.TP
+.TP 3n
 \-p \fIprotocol\fR
 Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
-.TP
+.TP 3n
 \-r \fIrandomdev\fR
 Specifies the source of randomness. If the operating system does not provide a
 \fI/dev/random\fR
@@ -84,15 +87,15 @@ or equivalent device, the default source of randomness is keyboard input.
 specifies the name of a character device or file containing random data to be used instead of the default. The special value
 \fIkeyboard\fR
 indicates that keyboard input should be used.
-.TP
+.TP 3n
 \-s \fIstrength\fR
 Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC.
-.TP
+.TP 3n
 \-t \fItype\fR
 Indicates the use of the key.
 \fBtype\fR
 must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data.
-.TP
+.TP 3n
 \-v \fIlevel\fR
 Sets the debugging level.
 .SH "GENERATED KEYS"
@@ -102,18 +105,20 @@ When
 completes successfully, it prints a string of the form
 \fIKnnnn.+aaa+iiiii\fR
 to the standard output. This is an identification string for the key it has generated.
-.TP 3
+.TP 3n
 \(bu
 \fInnnn\fR
 is the key name.
-.TP
+.TP 3n
 \(bu
 \fIaaa\fR
 is the numeric representation of the algorithm.
-.TP
+.TP 3n
 \(bu
 \fIiiiii\fR
 is the key identifier (or footprint).
+.sp
+.RE
 .PP
 \fBdnssec\-keygen\fR
 creates two file, with names based on the printed string.
@@ -162,3 +167,5 @@ RFC 2539.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/bin/dnssec/dnssec-keygen.html b/contrib/bind-9.3/bin/dnssec/dnssec-keygen.html
index 00271faadf..7a15099bae 100644
--- a/contrib/bind-9.3/bin/dnssec/dnssec-keygen.html
+++ b/contrib/bind-9.3/bin/dnssec/dnssec-keygen.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: dnssec-keygen.html,v 1.5.2.1.4.13 2005/10/13 02:33:45 marka Exp $ -->
+<!-- $Id: dnssec-keygen.html,v 1.5.2.1.4.15 2006/06/29 13:02:30 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-keygen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
@@ -32,7 +32,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code>  {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525956"></a><h2>DESCRIPTION</h2>
+<a name="id2549521"></a><h2>DESCRIPTION</h2>
 <p>
         <span><strong class="command">dnssec-keygen</strong></span> generates keys for DNSSEC
 	(Secure DNS), as defined in RFC 2535 and RFC &lt;TBA\&gt;.  It can also generate
@@ -41,7 +41,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525969"></a><h2>OPTIONS</h2>
+<a name="id2549533"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
@@ -144,7 +144,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526306"></a><h2>GENERATED KEYS</h2>
+<a name="id2549939"></a><h2>GENERATED KEYS</h2>
 <p>
         When <span><strong class="command">dnssec-keygen</strong></span> completes successfully,
 	it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
@@ -187,7 +187,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526394"></a><h2>EXAMPLE</h2>
+<a name="id2550027"></a><h2>EXAMPLE</h2>
 <p>
         To generate a 768-bit DSA key for the domain
 	<strong class="userinput"><code>example.com</code></strong>, the following command would be
@@ -209,7 +209,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526440"></a><h2>SEE ALSO</h2>
+<a name="id2550073"></a><h2>SEE ALSO</h2>
 <p>
       <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -219,7 +219,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526473"></a><h2>AUTHOR</h2>
+<a name="id2550106"></a><h2>AUTHOR</h2>
 <p>
         <span class="corpauthor">Internet Systems Consortium</span>
     </p>
diff --git a/contrib/bind-9.3/bin/dnssec/dnssec-signzone.8 b/contrib/bind-9.3/bin/dnssec/dnssec-signzone.8
index 63ffadba64..734eca6f80 100644
--- a/contrib/bind-9.3/bin/dnssec/dnssec-signzone.8
+++ b/contrib/bind-9.3/bin/dnssec/dnssec-signzone.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-signzone.8,v 1.23.2.1.4.10 2005/10/13 02:33:45 marka Exp $
+.\" $Id: dnssec-signzone.8,v 1.23.2.1.4.11 2006/06/29 13:02:30 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: dnssec\-signzone
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: June 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "DNSSEC\-SIGNZONE" "8" "June 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -38,49 +41,49 @@ signs a zone. It generates NSEC and RRSIG records and produces a signed version
 \fIkeyset\fR
 file for each child zone.
 .SH "OPTIONS"
-.TP
+.TP 3n
 \-a
 Verify all generated signatures.
-.TP
+.TP 3n
 \-c \fIclass\fR
 Specifies the DNS class of the zone.
-.TP
+.TP 3n
 \-k \fIkey\fR
 Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times.
-.TP
+.TP 3n
 \-l \fIdomain\fR
 Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.
-.TP
+.TP 3n
 \-d \fIdirectory\fR
 Look for
 \fIkeyset\fR
 files in
 \fBdirectory\fR
 as the directory
-.TP
+.TP 3n
 \-g
 Generate DS records for child zones from keyset files. Existing DS records will be removed.
-.TP
+.TP 3n
 \-s \fIstart\-time\fR
 Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no
 \fBstart\-time\fR
 is specified, the current time minus 1 hour (to allow for clock skew) is used.
-.TP
+.TP 3n
 \-e \fIend\-time\fR
 Specify the date and time when the generated RRSIG records expire. As with
 \fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no
 \fBend\-time\fR
 is specified, 30 days from the start time is used as a default.
-.TP
+.TP 3n
 \-f \fIoutput\-file\fR
 The name of the output file containing the signed zone. The default is to append
 \fI.signed\fR
 to the input file.
-.TP
+.TP 3n
 \-h
 Prints a short summary of the options and arguments to
 \fBdnssec\-signzone\fR.
-.TP
+.TP 3n
 \-i \fIinterval\fR
 When a previously signed zone is passed as input, records may be resigned. The
 \fBinterval\fR
@@ -93,16 +96,16 @@ or
 are specified,
 \fBdnssec\-signzone\fR
 generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced.
-.TP
+.TP 3n
 \-n \fIncpus\fR
 Specifies the number of threads to use. By default, one thread is started for each detected CPU.
-.TP
+.TP 3n
 \-o \fIorigin\fR
 The zone origin. If not specified, the name of the zone file is assumed to be the origin.
-.TP
+.TP 3n
 \-p
 Use pseudo\-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited.
-.TP
+.TP 3n
 \-r \fIrandomdev\fR
 Specifies the source of randomness. If the operating system does not provide a
 \fI/dev/random\fR
@@ -111,19 +114,19 @@ or equivalent device, the default source of randomness is keyboard input.
 specifies the name of a character device or file containing random data to be used instead of the default. The special value
 \fIkeyboard\fR
 indicates that keyboard input should be used.
-.TP
+.TP 3n
 \-t
 Print statistics at completion.
-.TP
+.TP 3n
 \-v \fIlevel\fR
 Sets the debugging level.
-.TP
+.TP 3n
 \-z
 Ignore KSK flag on key when determining what to sign.
-.TP
+.TP 3n
 zonefile
 The file containing the zone to be signed.
-.TP
+.TP 3n
 key
 The keys used to sign the zone. If no keys are specified, the default all zone keys that have private key files in the current directory.
 .SH "EXAMPLE"
@@ -155,3 +158,5 @@ RFC 2535.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/bin/dnssec/dnssec-signzone.c b/contrib/bind-9.3/bin/dnssec/dnssec-signzone.c
index 93caf497e2..4ac840df06 100644
--- a/contrib/bind-9.3/bin/dnssec/dnssec-signzone.c
+++ b/contrib/bind-9.3/bin/dnssec/dnssec-signzone.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2003  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
@@ -16,7 +16,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.139.2.2.4.21 2005/10/14 01:38:41 marka Exp $ */
+/* $Id: dnssec-signzone.c,v 1.139.2.2.4.23 2006/01/04 23:50:19 marka Exp $ */
 
 #include <config.h>
 
@@ -1292,10 +1292,6 @@ nsecify(void) {
 				result = dns_dbiterator_next(dbiter);
 				continue;
 			}
-			if (result != ISC_R_SUCCESS) {
-				dns_db_detachnode(gdb, &nextnode);
-				break;
-			}
 			if (!dns_name_issubdomain(nextname, gorigin) ||
 			    (zonecut != NULL &&
 			     dns_name_issubdomain(nextname, zonecut)))
diff --git a/contrib/bind-9.3/bin/dnssec/dnssec-signzone.html b/contrib/bind-9.3/bin/dnssec/dnssec-signzone.html
index 5cc8c0747c..bd926312e8 100644
--- a/contrib/bind-9.3/bin/dnssec/dnssec-signzone.html
+++ b/contrib/bind-9.3/bin/dnssec/dnssec-signzone.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: dnssec-signzone.html,v 1.4.2.1.4.14 2005/10/13 02:33:46 marka Exp $ -->
+<!-- $Id: dnssec-signzone.html,v 1.4.2.1.4.16 2006/06/29 13:02:30 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-signzone</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
@@ -32,7 +32,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nthreads</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525979"></a><h2>DESCRIPTION</h2>
+<a name="id2549544"></a><h2>DESCRIPTION</h2>
 <p>
         <span><strong class="command">dnssec-signzone</strong></span> signs a zone.  It generates
 	NSEC and RRSIG records and produces a signed version of the
@@ -43,7 +43,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525995"></a><h2>OPTIONS</h2>
+<a name="id2549560"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a</span></dt>
 <dd><p>
@@ -179,7 +179,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526435"></a><h2>EXAMPLE</h2>
+<a name="id2550068"></a><h2>EXAMPLE</h2>
 <p>
         The following command signs the <strong class="userinput"><code>example.com</code></strong>
 	zone with the DSA key generated in the <span><strong class="command">dnssec-keygen</strong></span>
@@ -203,7 +203,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526485"></a><h2>SEE ALSO</h2>
+<a name="id2550118"></a><h2>SEE ALSO</h2>
 <p>
       <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -211,7 +211,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526512"></a><h2>AUTHOR</h2>
+<a name="id2550145"></a><h2>AUTHOR</h2>
 <p>
         <span class="corpauthor">Internet Systems Consortium</span>
     </p>
diff --git a/contrib/bind-9.3/bin/named/aclconf.c b/contrib/bind-9.3/bin/named/aclconf.c
index 8b6d0c767d..102a891033 100644
--- a/contrib/bind-9.3/bin/named/aclconf.c
+++ b/contrib/bind-9.3/bin/named/aclconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: aclconf.c,v 1.27.12.5 2005/03/17 03:58:25 marka Exp $ */
+/* $Id: aclconf.c,v 1.27.12.7 2006/03/02 00:37:20 marka Exp $ */
 
 #include <config.h>
 
@@ -54,10 +54,10 @@ ns_aclconfctx_destroy(ns_aclconfctx_t *ctx) {
  * Find the definition of the named acl whose name is "name".
  */
 static isc_result_t
-get_acl_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) {
+get_acl_def(const cfg_obj_t *cctx, const char *name, const cfg_obj_t **ret) {
 	isc_result_t result;
-	cfg_obj_t *acls = NULL;
-	cfg_listelt_t *elt;
+	const cfg_obj_t *acls = NULL;
+	const cfg_listelt_t *elt;
 	
 	result = cfg_map_get(cctx, "acl", &acls);
 	if (result != ISC_R_SUCCESS)
@@ -65,7 +65,7 @@ get_acl_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) {
 	for (elt = cfg_list_first(acls);
 	     elt != NULL;
 	     elt = cfg_list_next(elt)) {
-		cfg_obj_t *acl = cfg_listelt_value(elt);
+		const cfg_obj_t *acl = cfg_listelt_value(elt);
 		const char *aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
 		if (strcasecmp(aclname, name) == 0) {
 			*ret = cfg_tuple_get(acl, "value");
@@ -76,15 +76,15 @@ get_acl_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) {
 }
 
 static isc_result_t
-convert_named_acl(cfg_obj_t *nameobj, cfg_obj_t *cctx,
+convert_named_acl(const cfg_obj_t *nameobj, const cfg_obj_t *cctx,
 		  ns_aclconfctx_t *ctx, isc_mem_t *mctx,
 		  dns_acl_t **target)
 {
 	isc_result_t result;
-	cfg_obj_t *cacl = NULL;
+	const cfg_obj_t *cacl = NULL;
 	dns_acl_t *dacl;
 	dns_acl_t loop;
-	char *aclname = cfg_obj_asstring(nameobj);
+	const char *aclname = cfg_obj_asstring(nameobj);
 
 	/* Look for an already-converted version. */
 	for (dacl = ISC_LIST_HEAD(ctx->named_acl_cache);
@@ -113,7 +113,7 @@ convert_named_acl(cfg_obj_t *nameobj, cfg_obj_t *cctx,
 	 */
 	memset(&loop, 0, sizeof(loop));
 	ISC_LINK_INIT(&loop, nextincache);
-	loop.name = aclname;
+	DE_CONST(aclname, loop.name);
 	loop.magic = LOOP_MAGIC;
 	ISC_LIST_APPEND(ctx->named_acl_cache, &loop, nextincache);
 	result = ns_acl_fromconfig(cacl, cctx, ctx, mctx, &dacl);
@@ -131,7 +131,7 @@ convert_named_acl(cfg_obj_t *nameobj, cfg_obj_t *cctx,
 }
 
 static isc_result_t
-convert_keyname(cfg_obj_t *keyobj, isc_mem_t *mctx, dns_name_t *dnsname) {
+convert_keyname(const cfg_obj_t *keyobj, isc_mem_t *mctx, dns_name_t *dnsname) {
 	isc_result_t result;
 	isc_buffer_t buf;
 	dns_fixedname_t fixname;
@@ -154,8 +154,8 @@ convert_keyname(cfg_obj_t *keyobj, isc_mem_t *mctx, dns_name_t *dnsname) {
 }
 
 isc_result_t
-ns_acl_fromconfig(cfg_obj_t *caml,
-		  cfg_obj_t *cctx,
+ns_acl_fromconfig(const cfg_obj_t *caml,
+		  const cfg_obj_t *cctx,
 		  ns_aclconfctx_t *ctx,
 		  isc_mem_t *mctx,
 		  dns_acl_t **target)
@@ -164,7 +164,7 @@ ns_acl_fromconfig(cfg_obj_t *caml,
 	unsigned int count;
 	dns_acl_t *dacl = NULL;
 	dns_aclelement_t *de;
-	cfg_listelt_t *elt;
+	const cfg_listelt_t *elt;
 
 	REQUIRE(target != NULL && *target == NULL);
 
@@ -183,7 +183,7 @@ ns_acl_fromconfig(cfg_obj_t *caml,
 	     elt != NULL;
 	     elt = cfg_list_next(elt))
 	{
-		cfg_obj_t *ce = cfg_listelt_value(elt);
+		const cfg_obj_t *ce = cfg_listelt_value(elt);
 		if (cfg_obj_istuple(ce)) {
 			/* This must be a negated element. */
 			ce = cfg_tuple_get(ce, "value");
@@ -215,7 +215,7 @@ ns_acl_fromconfig(cfg_obj_t *caml,
 				goto cleanup;
 		} else if (cfg_obj_isstring(ce)) {
 			/* ACL name */
-			char *name = cfg_obj_asstring(ce);
+			const char *name = cfg_obj_asstring(ce);
 			if (strcasecmp(name, "localhost") == 0) {
 				de->type = dns_aclelementtype_localhost;
 			} else if (strcasecmp(name, "localnets") == 0) {
diff --git a/contrib/bind-9.3/bin/named/client.c b/contrib/bind-9.3/bin/named/client.c
index baecc2345c..b0ce793b98 100644
--- a/contrib/bind-9.3/bin/named/client.c
+++ b/contrib/bind-9.3/bin/named/client.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.c,v 1.176.2.13.4.26 2005/07/27 02:53:14 marka Exp $ */
+/* $Id: client.c,v 1.176.2.13.4.31 2006/07/22 01:09:38 marka Exp $ */
 
 #include <config.h>
 
@@ -164,6 +164,12 @@ struct ns_clientmgr {
  * Must be greater than any valid state.
  */
 
+/*
+ * Enable ns_client_dropport() by default.
+ */
+#ifndef NS_CLIENT_DROPPORT
+#define NS_CLIENT_DROPPORT 1
+#endif
 
 static void client_read(ns_client_t *client);
 static void client_accept(ns_client_t *client);
@@ -285,8 +291,17 @@ exit_check(ns_client_t *client) {
 		}
 		/*
 		 * I/O cancel is complete.  Burn down all state
-		 * related to the current request.
+		 * related to the current request.  Ensure that
+		 * the client is on the active list and not the
+		 * recursing list.
 		 */
+		LOCK(&client->manager->lock);
+		if (client->list == &client->manager->recursing) {
+			ISC_LIST_UNLINK(*client->list, client, link);
+			ISC_LIST_APPEND(client->manager->active, client, link);
+			client->list = &client->manager->active;
+		}
+		UNLOCK(&client->manager->lock);
 		ns_client_endrequest(client);
 
 		client->state = NS_CLIENTSTATE_READING;
@@ -972,6 +987,34 @@ ns_client_send(ns_client_t *client) {
 	ns_client_next(client, result);
 }
 
+#if NS_CLIENT_DROPPORT
+#define DROPPORT_NO		0
+#define DROPPORT_REQUEST	1
+#define DROPPORT_RESPONSE	2
+/*%
+ * ns_client_dropport determines if certain requests / responses
+ * should be dropped based on the port number.
+ *
+ * Returns:
+ * \li	0:	Don't drop.
+ * \li	1:	Drop request.
+ * \li	2:	Drop (error) response.
+ */
+static int
+ns_client_dropport(in_port_t port) {
+	switch (port) {
+	case 7: /* echo */
+	case 13: /* daytime */
+	case 19: /* chargen */
+	case 37: /* time */
+		return (DROPPORT_REQUEST);
+	case 464: /* kpasswd */
+		return (DROPPORT_RESPONSE);
+	}
+	return (DROPPORT_NO);
+}
+#endif
+
 void
 ns_client_error(ns_client_t *client, isc_result_t result) {
 	dns_rcode_t rcode;
@@ -984,6 +1027,28 @@ ns_client_error(ns_client_t *client, isc_result_t result) {
 	message = client->message;
 	rcode = dns_result_torcode(result);
 
+#if NS_CLIENT_DROPPORT
+	/*
+	 * Don't send FORMERR to ports on the drop port list.
+	 */
+	if (rcode == dns_rcode_formerr &&
+	    ns_client_dropport(isc_sockaddr_getport(&client->peeraddr)) !=
+	    DROPPORT_NO) {
+		char buf[64];
+		isc_buffer_t b;
+
+		isc_buffer_init(&b, buf, sizeof(buf) - 1);
+		if (dns_rcode_totext(rcode, &b) != ISC_R_SUCCESS)
+			isc_buffer_putstr(&b, "UNKNOWN RCODE");
+		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
+			      "dropped error (%.*s) response: suspicious port",
+			      (int)isc_buffer_usedlength(&b), buf);
+		ns_client_next(client, ISC_R_SUCCESS);
+		return;
+	}
+#endif
+
 	/*
 	 * Message may be an in-progress reply that we had trouble
 	 * with, in which case QR will be set.  We need to clear QR before
@@ -1208,6 +1273,17 @@ client_request(isc_task_t *task, isc_event_t *event) {
 
 	isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
 
+#if NS_CLIENT_DROPPORT
+	if (ns_client_dropport(isc_sockaddr_getport(&client->peeraddr)) ==
+	    DROPPORT_REQUEST) {
+		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
+			      "dropped request: suspicious port");
+		ns_client_next(client, ISC_R_SUCCESS);
+		goto cleanup;
+	}
+#endif
+
 	ns_client_log(client, NS_LOGCATEGORY_CLIENT,
 		      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
 		      "%s request",
@@ -1242,6 +1318,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
 			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2),
 			      "dropping multicast request");
 		ns_client_next(client, DNS_R_REFUSED);
+		goto cleanup;
 	}
 
 	result = dns_message_peekheader(buffer, &id, &flags);
@@ -1532,12 +1609,15 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	 * Decide whether recursive service is available to this client.
 	 * We do this here rather than in the query code so that we can
 	 * set the RA bit correctly on all kinds of responses, not just
-	 * responses to ordinary queries.
+	 * responses to ordinary queries.  Note if you can't query the
+	 * cache there is no point in setting RA.
 	 */
 	ra = ISC_FALSE;
 	if (client->view->resolver != NULL &&
 	    client->view->recursion == ISC_TRUE &&
 	    ns_client_checkaclsilent(client, client->view->recursionacl,
+				     ISC_TRUE) == ISC_R_SUCCESS &&
+	    ns_client_checkaclsilent(client, client->view->queryacl,
 				     ISC_TRUE) == ISC_R_SUCCESS)
 		ra = ISC_TRUE;
 
@@ -2364,3 +2444,20 @@ ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager) {
 	}
 	UNLOCK(&manager->lock);
 }
+
+void
+ns_client_qnamereplace(ns_client_t *client, dns_name_t *name) {
+
+	if (client->manager != NULL)
+		LOCK(&client->manager->lock);
+	if (client->query.restarts > 0) {
+		/*
+		 * client->query.qname was dynamically allocated.
+		 */
+		dns_message_puttempname(client->message,
+					&client->query.qname);
+	}
+	client->query.qname = name;
+	if (client->manager != NULL)
+		UNLOCK(&client->manager->lock);
+}
diff --git a/contrib/bind-9.3/bin/named/config.c b/contrib/bind-9.3/bin/named/config.c
index 99e5ffa7f4..7b5b99e672 100644
--- a/contrib/bind-9.3/bin/named/config.c
+++ b/contrib/bind-9.3/bin/named/config.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.11.2.4.8.29 2004/10/05 02:52:26 marka Exp $ */
+/* $Id: config.c,v 1.11.2.4.8.32 2006/02/28 06:32:53 marka Exp $ */
 
 #include <config.h>
 
@@ -196,7 +196,7 @@ ns_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf) {
 }
 
 isc_result_t
-ns_config_get(cfg_obj_t **maps, const char *name, cfg_obj_t **obj) {
+ns_config_get(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) {
 	int i;
 
 	for (i = 0;; i++) {
@@ -208,11 +208,13 @@ ns_config_get(cfg_obj_t **maps, const char *name, cfg_obj_t **obj) {
 }
 
 isc_result_t
-ns_checknames_get(cfg_obj_t **maps, const char *which, cfg_obj_t **obj) {
-	cfg_listelt_t *element;
-	cfg_obj_t *checknames;
-	cfg_obj_t *type;
-	cfg_obj_t *value;
+ns_checknames_get(const cfg_obj_t **maps, const char *which,
+		  const cfg_obj_t **obj)
+{
+	const cfg_listelt_t *element;
+	const cfg_obj_t *checknames;
+	const cfg_obj_t *type;
+	const cfg_obj_t *value;
 	int i;
 
 	for (i = 0;; i++) {
@@ -243,8 +245,8 @@ ns_checknames_get(cfg_obj_t **maps, const char *which, cfg_obj_t **obj) {
 }
 
 int
-ns_config_listcount(cfg_obj_t *list) {
-	cfg_listelt_t *e;
+ns_config_listcount(const cfg_obj_t *list) {
+	const cfg_listelt_t *e;
 	int i = 0;
 
 	for (e = cfg_list_first(list); e != NULL; e = cfg_list_next(e))
@@ -254,9 +256,9 @@ ns_config_listcount(cfg_obj_t *list) {
 }
 
 isc_result_t
-ns_config_getclass(cfg_obj_t *classobj, dns_rdataclass_t defclass,
+ns_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
 		   dns_rdataclass_t *classp) {
-	char *str;
+	const char *str;
 	isc_textregion_t r;
 	isc_result_t result;
 
@@ -265,7 +267,7 @@ ns_config_getclass(cfg_obj_t *classobj, dns_rdataclass_t defclass,
 		return (ISC_R_SUCCESS);
 	}
 	str = cfg_obj_asstring(classobj);
-	r.base = str;
+	DE_CONST(str, r.base);
 	r.length = strlen(str);
 	result = dns_rdataclass_fromtext(classp, &r);
 	if (result != ISC_R_SUCCESS)
@@ -275,9 +277,9 @@ ns_config_getclass(cfg_obj_t *classobj, dns_rdataclass_t defclass,
 }
 
 isc_result_t
-ns_config_gettype(cfg_obj_t *typeobj, dns_rdatatype_t deftype,
+ns_config_gettype(const cfg_obj_t *typeobj, dns_rdatatype_t deftype,
 		   dns_rdatatype_t *typep) {
-	char *str;
+	const char *str;
 	isc_textregion_t r;
 	isc_result_t result;
 
@@ -286,7 +288,7 @@ ns_config_gettype(cfg_obj_t *typeobj, dns_rdatatype_t deftype,
 		return (ISC_R_SUCCESS);
 	}
 	str = cfg_obj_asstring(typeobj);
-	r.base = str;
+	DE_CONST(str, r.base);
 	r.length = strlen(str);
 	result = dns_rdatatype_fromtext(typep, &r);
 	if (result != ISC_R_SUCCESS)
@@ -296,9 +298,9 @@ ns_config_gettype(cfg_obj_t *typeobj, dns_rdatatype_t deftype,
 }
 
 dns_zonetype_t
-ns_config_getzonetype(cfg_obj_t *zonetypeobj) {
+ns_config_getzonetype(const cfg_obj_t *zonetypeobj) {
 	dns_zonetype_t ztype = dns_zone_none;
-	char *str;
+	const char *str;
 
 	str = cfg_obj_asstring(zonetypeobj);
 	if (strcasecmp(str, "master") == 0)
@@ -313,14 +315,14 @@ ns_config_getzonetype(cfg_obj_t *zonetypeobj) {
 }
 
 isc_result_t
-ns_config_getiplist(cfg_obj_t *config, cfg_obj_t *list,
+ns_config_getiplist(const cfg_obj_t *config, const cfg_obj_t *list,
 		    in_port_t defport, isc_mem_t *mctx,
 		    isc_sockaddr_t **addrsp, isc_uint32_t *countp)
 {
 	int count, i = 0;
-	cfg_obj_t *addrlist;
-	cfg_obj_t *portobj;
-	cfg_listelt_t *element;
+	const cfg_obj_t *addrlist;
+	const cfg_obj_t *portobj;
+	const cfg_listelt_t *element;
 	isc_sockaddr_t *addrs;
 	in_port_t port;
 	isc_result_t result;
@@ -380,10 +382,12 @@ ns_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
 }
 
 static isc_result_t
-get_masters_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) {
+get_masters_def(const cfg_obj_t *cctx, const char *name,
+		const cfg_obj_t **ret)
+{
 	isc_result_t result;
-	cfg_obj_t *masters = NULL;
-	cfg_listelt_t *elt;
+	const cfg_obj_t *masters = NULL;
+	const cfg_listelt_t *elt;
 
 	result = cfg_map_get(cctx, "masters", &masters);
 	if (result != ISC_R_SUCCESS)
@@ -391,7 +395,7 @@ get_masters_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) {
 	for (elt = cfg_list_first(masters);
 	     elt != NULL;
 	     elt = cfg_list_next(elt)) {
-		cfg_obj_t *list;
+		const cfg_obj_t *list;
 		const char *listname;
 
 		list = cfg_listelt_value(elt);
@@ -406,24 +410,24 @@ get_masters_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) {
 }
 
 isc_result_t
-ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
-			  isc_sockaddr_t **addrsp, dns_name_t ***keysp,
-			  isc_uint32_t *countp)
+ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
+			  isc_mem_t *mctx, isc_sockaddr_t **addrsp,
+			  dns_name_t ***keysp, isc_uint32_t *countp)
 {
 	isc_uint32_t addrcount = 0, keycount = 0, i = 0;
 	isc_uint32_t listcount = 0, l = 0, j;
 	isc_uint32_t stackcount = 0, pushed = 0;
 	isc_result_t result;
-	cfg_listelt_t *element;
-	cfg_obj_t *addrlist;
-	cfg_obj_t *portobj;
+	const cfg_listelt_t *element;
+	const cfg_obj_t *addrlist;
+	const cfg_obj_t *portobj;
 	in_port_t port;
 	dns_fixedname_t fname;
 	isc_sockaddr_t *addrs = NULL;
 	dns_name_t **keys = NULL;
-	char **lists = NULL;
+	const char **lists = NULL;
 	struct {
-		cfg_listelt_t *element;
+		const cfg_listelt_t *element;
 		in_port_t port;
 	} *stack = NULL;
 
@@ -439,13 +443,14 @@ ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
 		if (val > ISC_UINT16_MAX) {
 			cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
 				    "port '%u' out of range", val);
-			return (ISC_R_RANGE);
+			result = ISC_R_RANGE;
+			goto cleanup;
 		}
 		port = (in_port_t) val;
 	} else {
 		result = ns_config_getport(config, &port);
 		if (result != ISC_R_SUCCESS)
-			return (result);
+			goto cleanup;
 	}
 
 	result = ISC_R_NOMEMORY;
@@ -456,9 +461,9 @@ ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *addr;
-		cfg_obj_t *key;
-		char *keystr;
+		const cfg_obj_t *addr;
+		const cfg_obj_t *key;
+		const char *keystr;
 		isc_buffer_t b;
 
 		addr = cfg_tuple_get(cfg_listelt_value(element),
@@ -466,7 +471,7 @@ ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
 		key = cfg_tuple_get(cfg_listelt_value(element), "key");
 
 		if (!cfg_obj_issockaddr(addr)) {
-			char *listname = cfg_obj_asstring(addr);
+			const char *listname = cfg_obj_asstring(addr);
 			isc_result_t tresult;
 
 			/* Grow lists? */
@@ -606,9 +611,9 @@ ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
 			if (new == NULL)
 				goto cleanup;
 			memcpy(new, addrs, newsize);
-			isc_mem_put(mctx, addrs, oldsize);
 		} else
 			new = NULL;
+		isc_mem_put(mctx, addrs, oldsize);
 		addrs = new;
 		addrcount = i;
 
@@ -619,9 +624,9 @@ ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
 			if (new == NULL)
 				goto cleanup;
 			memcpy(new, keys,  newsize);
-			isc_mem_put(mctx, keys, oldsize);
 		} else
 			new = NULL;
+		isc_mem_put(mctx, keys, oldsize);
 		keys = new;
 		keycount = i;
 	}
@@ -682,10 +687,10 @@ ns_config_putipandkeylist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
 }
 
 isc_result_t
-ns_config_getport(cfg_obj_t *config, in_port_t *portp) {
-	cfg_obj_t *maps[3];
-	cfg_obj_t *options = NULL;
-	cfg_obj_t *portobj = NULL;
+ns_config_getport(const cfg_obj_t *config, in_port_t *portp) {
+	const cfg_obj_t *maps[3];
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *portobj = NULL;
 	isc_result_t result;
 	int i;
 
diff --git a/contrib/bind-9.3/bin/named/controlconf.c b/contrib/bind-9.3/bin/named/controlconf.c
index 5b87fb9c0a..b6bcc16620 100644
--- a/contrib/bind-9.3/bin/named/controlconf.c
+++ b/contrib/bind-9.3/bin/named/controlconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: controlconf.c,v 1.28.2.9.2.6 2004/03/08 09:04:14 marka Exp $ */
+/* $Id: controlconf.c,v 1.28.2.9.2.10 2006/02/28 06:32:53 marka Exp $ */
 
 #include <config.h>
 
@@ -356,6 +356,9 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
 	{
 		ccregion.rstart = isc_buffer_base(&conn->ccmsg.buffer);
 		ccregion.rend = isc_buffer_used(&conn->ccmsg.buffer);
+		if (secret.rstart != NULL)
+			isc_mem_put(listener->mctx, secret.rstart,
+				    REGION_SIZE(secret));
 		secret.rstart = isc_mem_get(listener->mctx, key->secret.length);
 		if (secret.rstart == NULL)
 			goto cleanup;
@@ -371,8 +374,6 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
 			 */
 			if (request != NULL)
 				isccc_sexpr_free(&request);
-			isc_mem_put(listener->mctx, secret.rstart,
-				    REGION_SIZE(secret));
 		} else {
 			log_invalid(&conn->ccmsg, result);
 			goto cleanup;
@@ -649,10 +650,12 @@ ns_controls_shutdown(ns_controls_t *controls) {
 }
 
 static isc_result_t
-cfgkeylist_find(cfg_obj_t *keylist, const char *keyname, cfg_obj_t **objp) {
-	cfg_listelt_t *element;
+cfgkeylist_find(const cfg_obj_t *keylist, const char *keyname,
+	        const cfg_obj_t **objp)
+{
+	const cfg_listelt_t *element;
 	const char *str;
-	cfg_obj_t *obj;
+	const cfg_obj_t *obj;
 
 	for (element = cfg_list_first(keylist);
 	     element != NULL;
@@ -671,13 +674,13 @@ cfgkeylist_find(cfg_obj_t *keylist, const char *keyname, cfg_obj_t **objp) {
 }
 
 static isc_result_t
-controlkeylist_fromcfg(cfg_obj_t *keylist, isc_mem_t *mctx,
+controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx,
 		       controlkeylist_t *keyids)
 {
-	cfg_listelt_t *element;
+	const cfg_listelt_t *element;
 	char *newstr = NULL;
 	const char *str;
-	cfg_obj_t *obj;
+	const cfg_obj_t *obj;
 	controlkey_t *key = NULL;
 
 	for (element = cfg_list_first(keylist);
@@ -712,11 +715,11 @@ controlkeylist_fromcfg(cfg_obj_t *keylist, isc_mem_t *mctx,
 }
 
 static void
-register_keys(cfg_obj_t *control, cfg_obj_t *keylist,
+register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
 	      controlkeylist_t *keyids, isc_mem_t *mctx, const char *socktext)
 {
 	controlkey_t *keyid, *next;
-	cfg_obj_t *keydef;
+	const cfg_obj_t *keydef;
 	char secret[1024];
 	isc_buffer_t b;
 	isc_result_t result;
@@ -736,10 +739,10 @@ register_keys(cfg_obj_t *control, cfg_obj_t *keylist,
 			ISC_LIST_UNLINK(*keyids, keyid, link);
 			free_controlkey(keyid, mctx);
 		} else {
-			cfg_obj_t *algobj = NULL;
-			cfg_obj_t *secretobj = NULL;
-			char *algstr = NULL;
-			char *secretstr = NULL;
+			const cfg_obj_t *algobj = NULL;
+			const cfg_obj_t *secretobj = NULL;
+			const char *algstr = NULL;
+			const char *secretstr = NULL;
 
 			(void)cfg_map_get(keydef, "algorithm", &algobj);
 			(void)cfg_map_get(keydef, "secret", &secretobj);
@@ -805,11 +808,11 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
 	isc_result_t result;
 	cfg_parser_t *pctx = NULL;
 	cfg_obj_t *config = NULL;
-	cfg_obj_t *key = NULL;
-	cfg_obj_t *algobj = NULL;
-	cfg_obj_t *secretobj = NULL;
-	char *algstr = NULL;
-	char *secretstr = NULL;
+	const cfg_obj_t *key = NULL;
+	const cfg_obj_t *algobj = NULL;
+	const cfg_obj_t *secretobj = NULL;
+	const char *algstr = NULL;
+	const char *secretstr = NULL;
 	controlkey_t *keyid = NULL;
 	char secret[1024];
 	isc_buffer_t b;
@@ -888,12 +891,13 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
  * valid or both are NULL.
  */
 static void
-get_key_info(cfg_obj_t *config, cfg_obj_t *control,
-	     cfg_obj_t **global_keylistp, cfg_obj_t **control_keylistp)
+get_key_info(const cfg_obj_t *config, const cfg_obj_t *control,
+	     const cfg_obj_t **global_keylistp,
+	     const cfg_obj_t **control_keylistp)
 {
 	isc_result_t result;
-	cfg_obj_t *control_keylist = NULL;
-	cfg_obj_t *global_keylist = NULL;
+	const cfg_obj_t *control_keylist = NULL;
+	const cfg_obj_t *global_keylist = NULL;
 
 	REQUIRE(global_keylistp != NULL && *global_keylistp == NULL);
 	REQUIRE(control_keylistp != NULL && *control_keylistp == NULL);
@@ -912,15 +916,15 @@ get_key_info(cfg_obj_t *config, cfg_obj_t *control,
 }
 
 static void
-update_listener(ns_controls_t *cp,
-		controllistener_t **listenerp, cfg_obj_t *control,
-		cfg_obj_t *config, isc_sockaddr_t *addr,
-		ns_aclconfctx_t *aclconfctx, const char *socktext)
+update_listener(ns_controls_t *cp, controllistener_t **listenerp,
+		const cfg_obj_t *control, const cfg_obj_t *config,
+		isc_sockaddr_t *addr, ns_aclconfctx_t *aclconfctx,
+		const char *socktext)
 {
 	controllistener_t *listener;
-	cfg_obj_t *allow;
-	cfg_obj_t *global_keylist = NULL;
-	cfg_obj_t *control_keylist = NULL;
+	const cfg_obj_t *allow;
+	const cfg_obj_t *global_keylist = NULL;
+	const cfg_obj_t *control_keylist = NULL;
 	dns_acl_t *new_acl = NULL;
 	controlkeylist_t keys;
 	isc_result_t result = ISC_R_SUCCESS;
@@ -977,18 +981,25 @@ update_listener(ns_controls_t *cp,
 		result = get_rndckey(listener->mctx, &listener->keys);
 	}
 
-	if (result != ISC_R_SUCCESS && global_keylist != NULL)
+	if (result != ISC_R_SUCCESS && global_keylist != NULL) {
 		/*
 		 * This message might be a little misleading since the
 		 * "new keys" might in fact be identical to the old ones,
 		 * but tracking whether they are identical just for the
 		 * sake of avoiding this message would be too much trouble.
 		 */
-		cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
-			    "couldn't install new keys for "
-			    "command channel %s: %s",
-			    socktext, isc_result_totext(result));
-
+		if (control != NULL)
+			cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
+				    "couldn't install new keys for "
+				    "command channel %s: %s",
+				    socktext, isc_result_totext(result));
+		else
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
+				      "couldn't install new keys for "
+				      "command channel %s: %s",
+				      socktext, isc_result_totext(result));
+	}
 
 	/*
 	 * Now, keep the old access list unless a new one can be made.
@@ -1005,26 +1016,33 @@ update_listener(ns_controls_t *cp,
 		dns_acl_detach(&listener->acl);
 		dns_acl_attach(new_acl, &listener->acl);
 		dns_acl_detach(&new_acl);
-	} else
 		/* XXXDCL say the old acl is still used? */
+	} else if (control != NULL)
 		cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
 			    "couldn't install new acl for "
 			    "command channel %s: %s",
 			    socktext, isc_result_totext(result));
+	else
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
+			      "couldn't install new acl for "
+			      "command channel %s: %s",
+			      socktext, isc_result_totext(result));
 
 	*listenerp = listener;
 }
 
 static void
 add_listener(ns_controls_t *cp, controllistener_t **listenerp,
-	     cfg_obj_t *control, cfg_obj_t *config, isc_sockaddr_t *addr,
-	     ns_aclconfctx_t *aclconfctx, const char *socktext)
+	     const cfg_obj_t *control, const cfg_obj_t *config,
+	     isc_sockaddr_t *addr, ns_aclconfctx_t *aclconfctx,
+	     const char *socktext)
 {
 	isc_mem_t *mctx = cp->server->mctx;
 	controllistener_t *listener;
-	cfg_obj_t *allow;
-	cfg_obj_t *global_keylist = NULL;
-	cfg_obj_t *control_keylist = NULL;
+	const cfg_obj_t *allow;
+	const cfg_obj_t *global_keylist = NULL;
+	const cfg_obj_t *control_keylist = NULL;
 	dns_acl_t *new_acl = NULL;
 	isc_result_t result = ISC_R_SUCCESS;
 
@@ -1135,13 +1153,13 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
 }
 
 isc_result_t
-ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
+ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config,
 		      ns_aclconfctx_t *aclconfctx)
 {
 	controllistener_t *listener;
 	controllistenerlist_t new_listeners;
-	cfg_obj_t *controlslist = NULL;
-	cfg_listelt_t *element, *element2;
+	const cfg_obj_t *controlslist = NULL;
+	const cfg_listelt_t *element, *element2;
 	char socktext[ISC_SOCKADDR_FORMATSIZE];
 
 	ISC_LIST_INIT(new_listeners);
@@ -1163,8 +1181,8 @@ ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
 		for (element = cfg_list_first(controlslist);
 		     element != NULL;
 		     element = cfg_list_next(element)) {
-			cfg_obj_t *controls;
-			cfg_obj_t *inetcontrols = NULL;
+			const cfg_obj_t *controls;
+			const cfg_obj_t *inetcontrols = NULL;
 
 			controls = cfg_listelt_value(element);
 			(void)cfg_map_get(controls, "inet", &inetcontrols);
@@ -1174,9 +1192,9 @@ ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
 			for (element2 = cfg_list_first(inetcontrols);
 			     element2 != NULL;
 			     element2 = cfg_list_next(element2)) {
-				cfg_obj_t *control;
-				cfg_obj_t *obj;
-				isc_sockaddr_t *addr;
+				const cfg_obj_t *control;
+				const cfg_obj_t *obj;
+				isc_sockaddr_t addr;
 
 				/*
 				 * The parser handles BIND 8 configuration file
@@ -1189,12 +1207,12 @@ ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
 				control = cfg_listelt_value(element2);
 
 				obj = cfg_tuple_get(control, "address");
-				addr = cfg_obj_assockaddr(obj);
-				if (isc_sockaddr_getport(addr) == 0)
-					isc_sockaddr_setport(addr,
+				addr = *cfg_obj_assockaddr(obj);
+				if (isc_sockaddr_getport(&addr) == 0)
+					isc_sockaddr_setport(&addr,
 							     NS_CONTROL_PORT);
 
-				isc_sockaddr_format(addr, socktext,
+				isc_sockaddr_format(&addr, socktext,
 						    sizeof(socktext));
 
 				isc_log_write(ns_g_lctx,
@@ -1205,7 +1223,7 @@ ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
 					      socktext);
 
 				update_listener(cp, &listener, control, config,
-						addr, aclconfctx, socktext);
+						&addr, aclconfctx, socktext);
 
 				if (listener != NULL)
 					/*
@@ -1219,7 +1237,7 @@ ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
 					 * This is a new listener.
 					 */
 					add_listener(cp, &listener, control,
-						     config, addr, aclconfctx,
+						     config, &addr, aclconfctx,
 						     socktext);
 
 				if (listener != NULL)
diff --git a/contrib/bind-9.3/bin/named/include/named/aclconf.h b/contrib/bind-9.3/bin/named/include/named/aclconf.h
index 8126572784..a5b333a9fa 100644
--- a/contrib/bind-9.3/bin/named/include/named/aclconf.h
+++ b/contrib/bind-9.3/bin/named/include/named/aclconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: aclconf.h,v 1.12.208.1 2004/03/06 10:21:23 marka Exp $ */
+/* $Id: aclconf.h,v 1.12.208.3 2006/03/02 00:37:20 marka Exp $ */
 
 #ifndef NS_ACLCONF_H
 #define NS_ACLCONF_H 1
@@ -49,8 +49,8 @@ ns_aclconfctx_destroy(ns_aclconfctx_t *ctx);
  */
 
 isc_result_t
-ns_acl_fromconfig(cfg_obj_t *caml,
-		  cfg_obj_t *cctx,
+ns_acl_fromconfig(const cfg_obj_t *caml,
+		  const cfg_obj_t *cctx,
 		  ns_aclconfctx_t *ctx,
 		  isc_mem_t *mctx,
 		  dns_acl_t **target);
diff --git a/contrib/bind-9.3/bin/named/include/named/client.h b/contrib/bind-9.3/bin/named/include/named/client.h
index 7097a3bb05..f602be84e6 100644
--- a/contrib/bind-9.3/bin/named/include/named/client.h
+++ b/contrib/bind-9.3/bin/named/include/named/client.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.h,v 1.60.2.2.10.10 2005/07/29 00:13:08 marka Exp $ */
+/* $Id: client.h,v 1.60.2.2.10.12 2006/06/06 00:11:40 marka Exp $ */
 
 #ifndef NAMED_CLIENT_H
 #define NAMED_CLIENT_H 1
@@ -198,6 +198,12 @@ ns_client_next(ns_client_t *client, isc_result_t result);
  * return no response to the client.
  */
 
+void
+ns_client_qnamereplace(ns_client_t *client, dns_name_t *name);
+/*%
+ * Replace the qname.
+ */
+
 isc_boolean_t
 ns_client_shuttingdown(ns_client_t *client);
 /*
diff --git a/contrib/bind-9.3/bin/named/include/named/config.h b/contrib/bind-9.3/bin/named/include/named/config.h
index b3b4f12160..8e5b94a7fc 100644
--- a/contrib/bind-9.3/bin/named/include/named/config.h
+++ b/contrib/bind-9.3/bin/named/include/named/config.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001, 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h,v 1.4.12.4 2004/04/20 14:12:10 marka Exp $ */
+/* $Id: config.h,v 1.4.12.6 2006/03/02 00:37:20 marka Exp $ */
 
 #ifndef NAMED_CONFIG_H
 #define NAMED_CONFIG_H 1
@@ -29,27 +29,28 @@ isc_result_t
 ns_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf);
 
 isc_result_t
-ns_config_get(cfg_obj_t **maps, const char* name, cfg_obj_t **obj);
+ns_config_get(const cfg_obj_t **maps, const char* name, const cfg_obj_t **obj);
 
 isc_result_t
-ns_checknames_get(cfg_obj_t **maps, const char* name, cfg_obj_t **obj);
+ns_checknames_get(const cfg_obj_t **maps, const char* name,
+		  const cfg_obj_t **obj);
 
 int
-ns_config_listcount(cfg_obj_t *list);
+ns_config_listcount(const cfg_obj_t *list);
 
 isc_result_t
-ns_config_getclass(cfg_obj_t *classobj, dns_rdataclass_t defclass,
+ns_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
 		   dns_rdataclass_t *classp);
 
 isc_result_t
-ns_config_gettype(cfg_obj_t *typeobj, dns_rdatatype_t deftype,
+ns_config_gettype(const cfg_obj_t *typeobj, dns_rdatatype_t deftype,
 		  dns_rdatatype_t *typep);
 
 dns_zonetype_t
-ns_config_getzonetype(cfg_obj_t *zonetypeobj);
+ns_config_getzonetype(const cfg_obj_t *zonetypeobj);
 
 isc_result_t
-ns_config_getiplist(cfg_obj_t *config, cfg_obj_t *list,
+ns_config_getiplist(const cfg_obj_t *config, const cfg_obj_t *list,
 		    in_port_t defport, isc_mem_t *mctx,
 		    isc_sockaddr_t **addrsp, isc_uint32_t *countp);
 
@@ -58,16 +59,16 @@ ns_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
 		    isc_uint32_t count);
 
 isc_result_t
-ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
-			  isc_sockaddr_t **addrsp, dns_name_t ***keys,
-			  isc_uint32_t *countp);
+ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
+			  isc_mem_t *mctx, isc_sockaddr_t **addrsp,
+			  dns_name_t ***keys, isc_uint32_t *countp);
 
 void
 ns_config_putipandkeylist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
 			  dns_name_t ***keys, isc_uint32_t count);
 
 isc_result_t
-ns_config_getport(cfg_obj_t *config, in_port_t *portp);
+ns_config_getport(const cfg_obj_t *config, in_port_t *portp);
 
 isc_result_t
 ns_config_getkeyalgorithm(const char *str, dns_name_t **name);
diff --git a/contrib/bind-9.3/bin/named/include/named/control.h b/contrib/bind-9.3/bin/named/include/named/control.h
index bbb7d36cbb..bdb706e3cf 100644
--- a/contrib/bind-9.3/bin/named/include/named/control.h
+++ b/contrib/bind-9.3/bin/named/include/named/control.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: control.h,v 1.6.2.2.2.7 2004/09/03 03:43:32 marka Exp $ */
+/* $Id: control.h,v 1.6.2.2.2.9 2006/03/02 00:37:20 marka Exp $ */
 
 #ifndef NAMED_CONTROL_H
 #define NAMED_CONTROL_H 1
@@ -67,7 +67,7 @@ ns_controls_destroy(ns_controls_t **ctrlsp);
  */
 
 isc_result_t
-ns_controls_configure(ns_controls_t *controls, cfg_obj_t *config,
+ns_controls_configure(ns_controls_t *controls, const cfg_obj_t *config,
 		      ns_aclconfctx_t *aclconfctx);
 /*
  * Configure zero or more command channels into 'controls'
diff --git a/contrib/bind-9.3/bin/named/include/named/globals.h b/contrib/bind-9.3/bin/named/include/named/globals.h
index 2cc8548395..b8137e8d33 100644
--- a/contrib/bind-9.3/bin/named/include/named/globals.h
+++ b/contrib/bind-9.3/bin/named/include/named/globals.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: globals.h,v 1.59.68.5 2004/03/08 04:04:20 marka Exp $ */
+/* $Id: globals.h,v 1.59.68.7 2006/03/02 00:37:20 marka Exp $ */
 
 #ifndef NAMED_GLOBALS_H
 #define NAMED_GLOBALS_H 1
@@ -75,7 +75,7 @@ EXTERN unsigned int		ns_g_debuglevel		INIT(0);
  * Current configuration information.
  */
 EXTERN cfg_obj_t *		ns_g_config		INIT(NULL);
-EXTERN cfg_obj_t *		ns_g_defaults		INIT(NULL);
+EXTERN const cfg_obj_t *	ns_g_defaults		INIT(NULL);
 EXTERN const char *		ns_g_conffile		INIT(NS_SYSCONFDIR
 							     "/named.conf");
 EXTERN const char *		ns_g_keyfile		INIT(NS_SYSCONFDIR
diff --git a/contrib/bind-9.3/bin/named/include/named/logconf.h b/contrib/bind-9.3/bin/named/include/named/logconf.h
index a6f7450c93..b92ad31384 100644
--- a/contrib/bind-9.3/bin/named/include/named/logconf.h
+++ b/contrib/bind-9.3/bin/named/include/named/logconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: logconf.h,v 1.10.208.1 2004/03/06 10:21:24 marka Exp $ */
+/* $Id: logconf.h,v 1.10.208.3 2006/03/02 00:37:20 marka Exp $ */
 
 #ifndef NAMED_LOGCONF_H
 #define NAMED_LOGCONF_H 1
@@ -23,7 +23,7 @@
 #include <isc/log.h>
 
 isc_result_t
-ns_log_configure(isc_logconfig_t *logconf, cfg_obj_t *logstmt);
+ns_log_configure(isc_logconfig_t *logconf, const cfg_obj_t *logstmt);
 /*
  * Set up the logging configuration in '*logconf' according to
  * the named.conf data in 'logstmt'.
diff --git a/contrib/bind-9.3/bin/named/include/named/lwresd.h b/contrib/bind-9.3/bin/named/include/named/lwresd.h
index 7ba857c04e..2aa1d55cce 100644
--- a/contrib/bind-9.3/bin/named/include/named/lwresd.h
+++ b/contrib/bind-9.3/bin/named/include/named/lwresd.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwresd.h,v 1.12.208.1 2004/03/06 10:21:25 marka Exp $ */
+/* $Id: lwresd.h,v 1.12.208.3 2006/03/02 00:37:20 marka Exp $ */
 
 #ifndef NAMED_LWRESD_H
 #define NAMED_LWRESD_H 1
@@ -56,7 +56,7 @@ struct ns_lwreslistener {
  * Configure lwresd.
  */
 isc_result_t
-ns_lwresd_configure(isc_mem_t *mctx, cfg_obj_t *config);
+ns_lwresd_configure(isc_mem_t *mctx, const cfg_obj_t *config);
 
 isc_result_t
 ns_lwresd_parseeresolvconf(isc_mem_t *mctx, cfg_parser_t *pctx,
@@ -72,7 +72,8 @@ ns_lwresd_shutdown(void);
  * Manager functions
  */
 isc_result_t
-ns_lwdmanager_create(isc_mem_t *mctx, cfg_obj_t *lwres, ns_lwresd_t **lwresdp);
+ns_lwdmanager_create(isc_mem_t *mctx, const cfg_obj_t *lwres,
+		      ns_lwresd_t **lwresdp);
 
 void
 ns_lwdmanager_attach(ns_lwresd_t *source, ns_lwresd_t **targetp);
diff --git a/contrib/bind-9.3/bin/named/include/named/server.h b/contrib/bind-9.3/bin/named/include/named/server.h
index 97eb2efce3..37526c0bef 100644
--- a/contrib/bind-9.3/bin/named/include/named/server.h
+++ b/contrib/bind-9.3/bin/named/include/named/server.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.h,v 1.58.2.1.10.11 2004/03/08 04:04:21 marka Exp $ */
+/* $Id: server.h,v 1.58.2.1.10.13 2006/03/02 00:37:20 marka Exp $ */
 
 #ifndef NAMED_SERVER_H
 #define NAMED_SERVER_H 1
@@ -208,6 +208,6 @@ ns_server_dumprecursing(ns_server_t *server);
  * Maintain a list of dispatches that require reserved ports.
  */
 void
-ns_add_reserved_dispatch(ns_server_t *server, isc_sockaddr_t *addr);
+ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr);
 
 #endif /* NAMED_SERVER_H */
diff --git a/contrib/bind-9.3/bin/named/include/named/sortlist.h b/contrib/bind-9.3/bin/named/include/named/sortlist.h
index 88a1493877..9966686e63 100644
--- a/contrib/bind-9.3/bin/named/include/named/sortlist.h
+++ b/contrib/bind-9.3/bin/named/include/named/sortlist.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sortlist.h,v 1.4.208.1 2004/03/06 10:21:26 marka Exp $ */
+/* $Id: sortlist.h,v 1.4.208.3 2006/03/02 00:37:20 marka Exp $ */
 
 #ifndef NAMED_SORTLIST_H
 #define NAMED_SORTLIST_H 1
@@ -28,7 +28,7 @@
  * Type for callback functions that rank addresses.
  */
 typedef int 
-(*dns_addressorderfunc_t)(isc_netaddr_t *address, void *arg);
+(*dns_addressorderfunc_t)(const isc_netaddr_t *address, const void *arg);
 
 /*
  * Return value type for setup_sortlist.
@@ -40,7 +40,8 @@ typedef enum {
 } ns_sortlisttype_t;
 
 ns_sortlisttype_t
-ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr, void **argp);
+ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr,
+		  const void **argp);
 /*
  * Find the sortlist statement in 'acl' that applies to 'clientaddr', if any.
  *
@@ -55,14 +56,14 @@ ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr, void **argp);
  */
 
 int
-ns_sortlist_addrorder1(isc_netaddr_t *addr, void *arg);
+ns_sortlist_addrorder1(const isc_netaddr_t *addr, const void *arg);
 /*
  * Find the sort order of 'addr' in 'arg', the matching element
  * of a 1-element top-level sortlist statement.
  */
 
 int
-ns_sortlist_addrorder2(isc_netaddr_t *addr, void *arg);
+ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg);
 /*
  * Find the sort order of 'addr' in 'arg', a topology-like
  * ACL forming the second element in a 2-element top-level
@@ -72,7 +73,7 @@ ns_sortlist_addrorder2(isc_netaddr_t *addr, void *arg);
 void
 ns_sortlist_byaddrsetup(dns_acl_t *sortlist_acl, isc_netaddr_t *client_addr,
 			dns_addressorderfunc_t *orderp,
-			void **argp);
+			const void **argp);
 /*
  * Find the sortlist statement in 'acl' that applies to 'clientaddr', if any.
  * If a sortlist statement applies, return in '*orderp' a pointer to a function
diff --git a/contrib/bind-9.3/bin/named/include/named/tkeyconf.h b/contrib/bind-9.3/bin/named/include/named/tkeyconf.h
index e3710eae3e..ac72f3e98e 100644
--- a/contrib/bind-9.3/bin/named/include/named/tkeyconf.h
+++ b/contrib/bind-9.3/bin/named/include/named/tkeyconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkeyconf.h,v 1.9.208.1 2004/03/06 10:21:26 marka Exp $ */
+/* $Id: tkeyconf.h,v 1.9.208.3 2006/03/02 00:37:20 marka Exp $ */
 
 #ifndef NS_TKEYCONF_H
 #define NS_TKEYCONF_H 1
@@ -28,8 +28,8 @@
 ISC_LANG_BEGINDECLS
 
 isc_result_t
-ns_tkeyctx_fromconfig(cfg_obj_t *options, isc_mem_t *mctx, isc_entropy_t *ectx,
-		      dns_tkeyctx_t **tctxp);
+ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
+		      isc_entropy_t *ectx, dns_tkeyctx_t **tctxp);
 /*
  * 	Create a TKEY context and configure it, including the default DH key
  *	and default domain, according to 'options'.
diff --git a/contrib/bind-9.3/bin/named/include/named/tsigconf.h b/contrib/bind-9.3/bin/named/include/named/tsigconf.h
index ef4161ded8..fcb415eb42 100644
--- a/contrib/bind-9.3/bin/named/include/named/tsigconf.h
+++ b/contrib/bind-9.3/bin/named/include/named/tsigconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsigconf.h,v 1.9.208.1 2004/03/06 10:21:26 marka Exp $ */
+/* $Id: tsigconf.h,v 1.9.208.3 2006/03/02 00:37:20 marka Exp $ */
 
 #ifndef NS_TSIGCONF_H
 #define NS_TSIGCONF_H 1
@@ -26,7 +26,7 @@
 ISC_LANG_BEGINDECLS
 
 isc_result_t
-ns_tsigkeyring_fromconfig(cfg_obj_t *config, cfg_obj_t *vconfig,
+ns_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			  isc_mem_t *mctx, dns_tsig_keyring_t **ringp);
 /*
  * Create a TSIG key ring and configure it according to the 'key'
diff --git a/contrib/bind-9.3/bin/named/include/named/zoneconf.h b/contrib/bind-9.3/bin/named/include/named/zoneconf.h
index 3b8f200dc7..3e63053f38 100644
--- a/contrib/bind-9.3/bin/named/include/named/zoneconf.h
+++ b/contrib/bind-9.3/bin/named/include/named/zoneconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.h,v 1.16.2.2.8.1 2004/03/06 10:21:27 marka Exp $ */
+/* $Id: zoneconf.h,v 1.16.2.2.8.3 2006/03/02 00:37:20 marka Exp $ */
 
 #ifndef NS_ZONECONF_H
 #define NS_ZONECONF_H 1
@@ -30,8 +30,9 @@
 ISC_LANG_BEGINDECLS
 
 isc_result_t
-ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig,
-		  ns_aclconfctx_t *ac, dns_zone_t *zone);
+ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
+		  const cfg_obj_t *zconfig, ns_aclconfctx_t *ac,
+		  dns_zone_t *zone);
 /*
  * Configure or reconfigure a zone according to the named.conf
  * data in 'cctx' and 'czone'.
@@ -48,7 +49,7 @@ ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig,
  */
 
 isc_boolean_t
-ns_zone_reusable(dns_zone_t *zone, cfg_obj_t *zconfig);
+ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig);
 /*
  * If 'zone' can be safely reconfigured according to the configuration
  * data in 'zconfig', return ISC_TRUE.  If the configuration data is so
diff --git a/contrib/bind-9.3/bin/named/interfacemgr.c b/contrib/bind-9.3/bin/named/interfacemgr.c
index b212892c8e..a3410567e6 100644
--- a/contrib/bind-9.3/bin/named/interfacemgr.c
+++ b/contrib/bind-9.3/bin/named/interfacemgr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: interfacemgr.c,v 1.59.2.5.8.15 2004/08/10 04:56:23 jinmei Exp $ */
+/* $Id: interfacemgr.c,v 1.59.2.5.8.18 2006/07/19 00:16:28 marka Exp $ */
 
 #include <config.h>
 
@@ -182,6 +182,7 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
 	ifp->mgr = NULL;
 	ifp->generation = mgr->generation;
 	ifp->addr = *addr;
+	ifp->flags = 0;
 	strncpy(ifp->name, name, sizeof(ifp->name));
 	ifp->name[sizeof(ifp->name)-1] = '\0';
 	ifp->clientmgr = NULL;
@@ -717,9 +718,8 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen,
 			 * See if the address matches the listen-on statement;
 			 * if not, ignore the interface.
 			 */
-			result = dns_acl_match(&listen_netaddr, NULL,
-					       le->acl, &mgr->aclenv,
-					       &match, NULL);
+			(void)dns_acl_match(&listen_netaddr, NULL, le->acl,
+					    &mgr->aclenv, &match, NULL);
 			if (match <= 0)
 				continue;
 
@@ -745,9 +745,9 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen,
 				for (ele = ISC_LIST_HEAD(ext_listen->elts);
 				     ele != NULL;
 				     ele = ISC_LIST_NEXT(ele, link)) {
-					dns_acl_match(&listen_netaddr, NULL,
-						      ele->acl, NULL,
-						      &match, NULL);
+					(void)dns_acl_match(&listen_netaddr,
+							    NULL, ele->acl,
+							    NULL, &match, NULL);
 					if (match > 0 && ele->port == le->port)
 						break;
 					else
diff --git a/contrib/bind-9.3/bin/named/logconf.c b/contrib/bind-9.3/bin/named/logconf.c
index 596d40166b..1bf3b5589e 100644
--- a/contrib/bind-9.3/bin/named/logconf.c
+++ b/contrib/bind-9.3/bin/named/logconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: logconf.c,v 1.30.2.3.10.2 2004/03/06 10:21:18 marka Exp $ */
+/* $Id: logconf.c,v 1.30.2.3.10.4 2006/03/02 00:37:20 marka Exp $ */
 
 #include <config.h>
 
@@ -41,13 +41,13 @@
  * in 'ccat' and add it to 'lctx'.
  */
 static isc_result_t
-category_fromconf(cfg_obj_t *ccat, isc_logconfig_t *lctx) {
+category_fromconf(const cfg_obj_t *ccat, isc_logconfig_t *lctx) {
 	isc_result_t result;
 	const char *catname;
 	isc_logcategory_t *category;
 	isc_logmodule_t *module;
-	cfg_obj_t *destinations = NULL;
-	cfg_listelt_t *element = NULL;
+	const cfg_obj_t *destinations = NULL;
+	const cfg_listelt_t *element = NULL;
 
 	catname = cfg_obj_asstring(cfg_tuple_get(ccat, "name"));
 	category = isc_log_categorybyname(ns_g_lctx, catname);
@@ -68,8 +68,8 @@ category_fromconf(cfg_obj_t *ccat, isc_logconfig_t *lctx) {
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *channel = cfg_listelt_value(element);
-		char *channelname = cfg_obj_asstring(channel);
+		const cfg_obj_t *channel = cfg_listelt_value(element);
+		const char *channelname = cfg_obj_asstring(channel);
 
 		result = isc_log_usechannel(lctx, channelname, category,
 					    module);
@@ -89,18 +89,18 @@ category_fromconf(cfg_obj_t *ccat, isc_logconfig_t *lctx) {
  * in 'cchan' and add it to 'lctx'.
  */
 static isc_result_t
-channel_fromconf(cfg_obj_t *channel, isc_logconfig_t *lctx) {
+channel_fromconf(const cfg_obj_t *channel, isc_logconfig_t *lctx) {
 	isc_result_t result;
 	isc_logdestination_t dest;
 	unsigned int type;
 	unsigned int flags = 0;
 	int level;
 	const char *channelname;
-	cfg_obj_t *fileobj = NULL;
-	cfg_obj_t *syslogobj = NULL;
-	cfg_obj_t *nullobj = NULL;
-	cfg_obj_t *stderrobj = NULL;
-	cfg_obj_t *severity = NULL;
+	const cfg_obj_t *fileobj = NULL;
+	const cfg_obj_t *syslogobj = NULL;
+	const cfg_obj_t *nullobj = NULL;
+	const cfg_obj_t *stderrobj = NULL;
+	const cfg_obj_t *severity = NULL;
 	int i;
 
 	channelname = cfg_obj_asstring(cfg_map_getname(channel));
@@ -130,9 +130,10 @@ channel_fromconf(cfg_obj_t *channel, isc_logconfig_t *lctx) {
 	type = ISC_LOG_TONULL;
 	
 	if (fileobj != NULL) {
-		cfg_obj_t *pathobj = cfg_tuple_get(fileobj, "file");
-		cfg_obj_t *sizeobj = cfg_tuple_get(fileobj, "size");
-		cfg_obj_t *versionsobj = cfg_tuple_get(fileobj, "versions");
+		const cfg_obj_t *pathobj = cfg_tuple_get(fileobj, "file");
+		const cfg_obj_t *sizeobj = cfg_tuple_get(fileobj, "size");
+		const cfg_obj_t *versionsobj =
+				 cfg_tuple_get(fileobj, "versions");
 		isc_int32_t versions = ISC_LOG_ROLLNEVER;
 		isc_offset_t size = 0;
 
@@ -157,7 +158,7 @@ channel_fromconf(cfg_obj_t *channel, isc_logconfig_t *lctx) {
 		type = ISC_LOG_TOSYSLOG;
 
 		if (cfg_obj_isstring(syslogobj)) {
-			char *facilitystr = cfg_obj_asstring(syslogobj);
+			const char *facilitystr = cfg_obj_asstring(syslogobj);
 			(void)isc_syslog_facilityfromstring(facilitystr,
 							    &facility);
 		}
@@ -174,9 +175,9 @@ channel_fromconf(cfg_obj_t *channel, isc_logconfig_t *lctx) {
 	 * Munge flags.
 	 */
 	{
-		cfg_obj_t *printcat = NULL;
-		cfg_obj_t *printsev = NULL;
-		cfg_obj_t *printtime = NULL;
+		const cfg_obj_t *printcat = NULL;
+		const cfg_obj_t *printsev = NULL;
+		const cfg_obj_t *printtime = NULL;
 
 		(void)cfg_map_get(channel, "print-category", &printcat);
 		(void)cfg_map_get(channel, "print-severity", &printsev);
@@ -193,7 +194,7 @@ channel_fromconf(cfg_obj_t *channel, isc_logconfig_t *lctx) {
 	level = ISC_LOG_INFO;
 	if (cfg_map_get(channel, "severity", &severity) == ISC_R_SUCCESS) {
 		if (cfg_obj_isstring(severity)) {
-			char *str = cfg_obj_asstring(severity);
+			const char *str = cfg_obj_asstring(severity);
 			if (strcasecmp(str, "critical") == 0)
 				level = ISC_LOG_CRITICAL;
 			else if (strcasecmp(str, "error") == 0)
@@ -242,13 +243,14 @@ channel_fromconf(cfg_obj_t *channel, isc_logconfig_t *lctx) {
 }
 
 isc_result_t
-ns_log_configure(isc_logconfig_t *logconf, cfg_obj_t *logstmt) {
+ns_log_configure(isc_logconfig_t *logconf, const cfg_obj_t *logstmt) {
 	isc_result_t result;
-	cfg_obj_t *channels = NULL;
-	cfg_obj_t *categories = NULL;
-	cfg_listelt_t *element;
+	const cfg_obj_t *channels = NULL;
+	const cfg_obj_t *categories = NULL;
+	const cfg_listelt_t *element;
 	isc_boolean_t default_set = ISC_FALSE;
 	isc_boolean_t unmatched_set = ISC_FALSE;
+	const cfg_obj_t *catname;
 
 	CHECK(ns_log_setdefaultchannels(logconf));
 
@@ -257,7 +259,7 @@ ns_log_configure(isc_logconfig_t *logconf, cfg_obj_t *logstmt) {
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *channel = cfg_listelt_value(element);
+		const cfg_obj_t *channel = cfg_listelt_value(element);
 		CHECK(channel_fromconf(channel, logconf));
 	}
 
@@ -266,15 +268,15 @@ ns_log_configure(isc_logconfig_t *logconf, cfg_obj_t *logstmt) {
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *category = cfg_listelt_value(element);
+		const cfg_obj_t *category = cfg_listelt_value(element);
 		CHECK(category_fromconf(category, logconf));
 		if (!default_set) {
-			cfg_obj_t *catname = cfg_tuple_get(category, "name");
+			catname = cfg_tuple_get(category, "name");
 			if (strcmp(cfg_obj_asstring(catname), "default") == 0)
 				default_set = ISC_TRUE;
 		}
 		if (!unmatched_set) {
-			cfg_obj_t *catname = cfg_tuple_get(category, "name");
+			catname = cfg_tuple_get(category, "name");
 			if (strcmp(cfg_obj_asstring(catname), "unmatched") == 0)
 				unmatched_set = ISC_TRUE;
 		}
diff --git a/contrib/bind-9.3/bin/named/lwdgabn.c b/contrib/bind-9.3/bin/named/lwdgabn.c
index 030a77ae78..539c25bf3d 100644
--- a/contrib/bind-9.3/bin/named/lwdgabn.c
+++ b/contrib/bind-9.3/bin/named/lwdgabn.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdgabn.c,v 1.13.12.3 2004/03/08 04:04:19 marka Exp $ */
+/* $Id: lwdgabn.c,v 1.13.12.5 2006/03/02 00:37:20 marka Exp $ */
 
 #include <config.h>
 
@@ -120,7 +120,7 @@ sort_addresses(ns_lwdclient_t *client) {
 	rankedaddress *addrs;
 	isc_netaddr_t remote;
 	dns_addressorderfunc_t order;
-	void *arg;
+	const void *arg;
 	ns_lwresd_t *lwresd = client->clientmgr->listener->manager;
 	unsigned int i;
 	isc_result_t result;
diff --git a/contrib/bind-9.3/bin/named/lwdgrbn.c b/contrib/bind-9.3/bin/named/lwdgrbn.c
index 665226539b..3ad9e9e38d 100644
--- a/contrib/bind-9.3/bin/named/lwdgrbn.c
+++ b/contrib/bind-9.3/bin/named/lwdgrbn.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdgrbn.c,v 1.11.208.3 2004/03/08 04:04:19 marka Exp $ */
+/* $Id: lwdgrbn.c,v 1.11.208.5 2006/01/04 23:50:19 marka Exp $ */
 
 #include <config.h>
 
@@ -358,7 +358,7 @@ lookup_done(isc_task_t *task, isc_event_t *event) {
 	client->sendlength = r.length;
 	result = ns_lwdclient_sendreply(client, &r);
 	if (result != ISC_R_SUCCESS)
-		goto out;
+		goto out2;
 
 	NS_LWDCLIENT_SETSEND(client);
 
@@ -378,7 +378,7 @@ lookup_done(isc_task_t *task, isc_event_t *event) {
 	if (grbn->siglen != NULL)
 		isc_mem_put(cm->mctx, grbn->siglen,
 			    grbn->nsigs * sizeof(lwres_uint16_t));
-
+ out2:
 	if (client->lookup != NULL)
 		dns_lookup_destroy(&client->lookup);
 	if (lwb.base != NULL)
diff --git a/contrib/bind-9.3/bin/named/lwresd.8 b/contrib/bind-9.3/bin/named/lwresd.8
index 58f24b0623..1333a5d509 100644
--- a/contrib/bind-9.3/bin/named/lwresd.8
+++ b/contrib/bind-9.3/bin/named/lwresd.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwresd.8,v 1.13.208.5 2005/10/13 02:33:47 marka Exp $
+.\" $Id: lwresd.8,v 1.13.208.6 2006/06/29 13:02:30 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwresd
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: June 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRESD" "8" "June 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -57,41 +60,41 @@ entries are present, or if forwarding fails,
 \fBlwresd\fR
 resolves the queries autonomously starting at the root name servers, using a built\-in list of root server hints.
 .SH "OPTIONS"
-.TP
+.TP 3n
 \-C \fIconfig\-file\fR
 Use
 \fIconfig\-file\fR
 as the configuration file instead of the default,
 \fI/etc/resolv.conf\fR.
-.TP
+.TP 3n
 \-d \fIdebug\-level\fR
 Set the daemon's debug level to
 \fIdebug\-level\fR. Debugging traces from
 \fBlwresd\fR
 become more verbose as the debug level increases.
-.TP
+.TP 3n
 \-f
 Run the server in the foreground (i.e. do not daemonize).
-.TP
+.TP 3n
 \-g
 Run the server in the foreground and force all logging to
 \fIstderr\fR.
-.TP
+.TP 3n
 \-n \fI#cpus\fR
 Create
 \fI#cpus\fR
 worker threads to take advantage of multiple CPUs. If not specified,
 \fBlwresd\fR
 will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created.
-.TP
+.TP 3n
 \-P \fIport\fR
 Listen for lightweight resolver queries on port
 \fIport\fR. If not specified, the default is port 921.
-.TP
+.TP 3n
 \-p \fIport\fR
 Send DNS lookups to port
 \fIport\fR. If not specified, the default is port 53. This provides a way of testing the lightweight resolver daemon with a name server that listens for queries on a non\-standard port number.
-.TP
+.TP 3n
 \-s
 Write memory usage statistics to
 \fIstdout\fR
@@ -100,7 +103,7 @@ on exit.
 .B "Note:"
 This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release.
 .RE
-.TP
+.TP 3n
 \-t \fIdirectory\fR
 \fBchroot()\fR
 to
@@ -114,20 +117,20 @@ option, as chrooting a process running as root doesn't enhance security on most
 \fBchroot()\fR
 is defined allows a process with root privileges to escape a chroot jail.
 .RE
-.TP
+.TP 3n
 \-u \fIuser\fR
 \fBsetuid()\fR
 to
 \fIuser\fR
 after completing privileged operations, such as creating sockets that listen on privileged ports.
-.TP
+.TP 3n
 \-v
 Report the version number and exit.
 .SH "FILES"
-.TP
+.TP 3n
 \fI/etc/resolv.conf\fR
 The default configuration file.
-.TP
+.TP 3n
 \fI/var/run/lwresd.pid\fR
 The default process\-id file.
 .SH "SEE ALSO"
@@ -138,3 +141,5 @@ The default process\-id file.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/bin/named/lwresd.c b/contrib/bind-9.3/bin/named/lwresd.c
index 9da41681a5..e48822f711 100644
--- a/contrib/bind-9.3/bin/named/lwresd.c
+++ b/contrib/bind-9.3/bin/named/lwresd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwresd.c,v 1.37.2.2.2.5 2004/03/08 04:04:19 marka Exp $ */
+/* $Id: lwresd.c,v 1.37.2.2.2.8 2006/02/28 06:32:53 marka Exp $ */
 
 /*
  * Main program for the Lightweight Resolver Daemon.
@@ -285,14 +285,14 @@ ns_lwresd_parseeresolvconf(isc_mem_t *mctx, cfg_parser_t *pctx,
  * Handle lwresd manager objects
  */
 isc_result_t
-ns_lwdmanager_create(isc_mem_t *mctx, cfg_obj_t *lwres,
+ns_lwdmanager_create(isc_mem_t *mctx, const cfg_obj_t *lwres,
 		     ns_lwresd_t **lwresdp)
 {
 	ns_lwresd_t *lwresd;
 	const char *vname;
 	dns_rdataclass_t vclass;
-	cfg_obj_t *obj, *viewobj, *searchobj;
-	cfg_listelt_t *element;
+	const cfg_obj_t *obj, *viewobj, *searchobj;
+	const cfg_listelt_t *element;
 	isc_result_t result;
 
 	INSIST(lwresdp != NULL && *lwresdp == NULL);
@@ -356,8 +356,8 @@ ns_lwdmanager_create(isc_mem_t *mctx, cfg_obj_t *lwres,
 		     element != NULL;
 		     element = cfg_list_next(element))
 		{
-			cfg_obj_t *search;
-			char *searchstr;
+			const cfg_obj_t *search;
+			const char *searchstr;
 			isc_buffer_t namebuf;
 			dns_fixedname_t fname;
 			dns_name_t *name;
@@ -407,6 +407,7 @@ ns_lwdmanager_create(isc_mem_t *mctx, cfg_obj_t *lwres,
 		ns_lwsearchlist_detach(&lwresd->search);
 	if (lwresd->mctx != NULL)
 		isc_mem_detach(&lwresd->mctx);
+	isc_mem_put(mctx, lwresd, sizeof(ns_lwresd_t));
 	return (result);
 }
 
@@ -744,11 +745,11 @@ configure_listener(isc_sockaddr_t *address, ns_lwresd_t *lwresd,
 }
 
 isc_result_t
-ns_lwresd_configure(isc_mem_t *mctx, cfg_obj_t *config) {
-	cfg_obj_t *lwreslist = NULL;
-	cfg_obj_t *lwres = NULL;
-	cfg_obj_t *listenerslist = NULL;
-	cfg_listelt_t *element = NULL;
+ns_lwresd_configure(isc_mem_t *mctx, const cfg_obj_t *config) {
+	const cfg_obj_t *lwreslist = NULL;
+	const cfg_obj_t *lwres = NULL;
+	const cfg_obj_t *listenerslist = NULL;
+	const cfg_listelt_t *element = NULL;
 	ns_lwreslistener_t *listener;
 	ns_lwreslistenerlist_t newlisteners;
 	isc_result_t result;
diff --git a/contrib/bind-9.3/bin/named/lwresd.html b/contrib/bind-9.3/bin/named/lwresd.html
index 439153aa82..6ab78242e7 100644
--- a/contrib/bind-9.3/bin/named/lwresd.html
+++ b/contrib/bind-9.3/bin/named/lwresd.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwresd.html,v 1.4.2.1.4.8 2005/10/13 02:33:47 marka Exp $ -->
+<!-- $Id: lwresd.html,v 1.4.2.1.4.10 2006/06/29 13:02:30 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwresd</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">lwresd</span> &#8212; lightweight resolver daemon</p>
@@ -32,7 +32,7 @@
 <div class="cmdsynopsis"><p><code class="command">lwresd</code>  [<code class="option">-C <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-i <em class="replaceable"><code>pid-file</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-P <em class="replaceable"><code>port</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525920"></a><h2>DESCRIPTION</h2>
+<a name="id2549484"></a><h2>DESCRIPTION</h2>
 <p>
 	<span><strong class="command">lwresd</strong></span> is the daemon providing name lookup
 	services to clients that use the BIND 9 lightweight resolver
@@ -67,7 +67,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525969"></a><h2>OPTIONS</h2>
+<a name="id2549533"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-C <em class="replaceable"><code>config-file</code></em></span></dt>
 <dd><p>
@@ -159,7 +159,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526237"></a><h2>FILES</h2>
+<a name="id2549939"></a><h2>FILES</h2>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="filename">/etc/resolv.conf</code></span></dt>
 <dd><p>
@@ -172,7 +172,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526277"></a><h2>SEE ALSO</h2>
+<a name="id2549978"></a><h2>SEE ALSO</h2>
 <p>
 	<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
 	<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
@@ -180,7 +180,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526315"></a><h2>AUTHOR</h2>
+<a name="id2550017"></a><h2>AUTHOR</h2>
 <p>
 	<span class="corpauthor">Internet Systems Consortium</span>
     </p>
diff --git a/contrib/bind-9.3/bin/named/main.c b/contrib/bind-9.3/bin/named/main.c
index c155291d6c..960de2a34b 100644
--- a/contrib/bind-9.3/bin/named/main.c
+++ b/contrib/bind-9.3/bin/named/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: main.c,v 1.119.2.3.2.22 2005/04/29 01:04:47 marka Exp $ */
+/* $Id: main.c,v 1.119.2.3.2.25 2006/11/10 18:51:06 marka Exp $ */
 
 #include <config.h>
 
@@ -473,7 +473,7 @@ create_managers(void) {
 	result = isc_taskmgr_create(ns_g_mctx, ns_g_cpus, 0, &ns_g_taskmgr);
 	if (result != ISC_R_SUCCESS) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "ns_taskmgr_create() failed: %s",
+				 "isc_taskmgr_create() failed: %s",
 				 isc_result_totext(result));
 		return (ISC_R_UNEXPECTED);
 	}
@@ -481,7 +481,7 @@ create_managers(void) {
 	result = isc_timermgr_create(ns_g_mctx, &ns_g_timermgr);
 	if (result != ISC_R_SUCCESS) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "ns_timermgr_create() failed: %s",
+				 "isc_timermgr_create() failed: %s",
 				 isc_result_totext(result));
 		return (ISC_R_UNEXPECTED);
 	}
@@ -856,7 +856,7 @@ main(int argc, char *argv[]) {
 		if (result == ISC_R_SUCCESS && instance != NULL) {
 			if (smf_disable_instance(instance, 0) != 0)
 				UNEXPECTED_ERROR(__FILE__, __LINE__,
-						 "smf_disable_instance() ",
+						 "smf_disable_instance() "
 						 "failed for %s : %s",
 						 instance,
 						 scf_strerror(scf_error()));
diff --git a/contrib/bind-9.3/bin/named/named.8 b/contrib/bind-9.3/bin/named/named.8
index e072c169be..7172393534 100644
--- a/contrib/bind-9.3/bin/named/named.8
+++ b/contrib/bind-9.3/bin/named/named.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named.8,v 1.17.208.6 2005/10/13 02:33:46 marka Exp $
+.\" $Id: named.8,v 1.17.208.9 2006/06/29 13:02:30 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: named
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: June 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "NAMED" "8" "June 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -41,21 +44,21 @@ When invoked without arguments,
 will read the default configuration file
 \fI/etc/named.conf\fR, read any initial data, and listen for queries.
 .SH "OPTIONS"
-.TP
+.TP 3n
 \-4
 Use IPv4 only even if the host machine is capable of IPv6.
 \fB\-4\fR
 and
 \fB\-6\fR
 are mutually exclusive.
-.TP
+.TP 3n
 \-6
 Use IPv6 only even if the host machine is capable of IPv4.
 \fB\-4\fR
 and
 \fB\-6\fR
 are mutually exclusive.
-.TP
+.TP 3n
 \-c \fIconfig\-file\fR
 Use
 \fIconfig\-file\fR
@@ -65,31 +68,31 @@ as the configuration file instead of the default,
 option in the configuration file,
 \fIconfig\-file\fR
 should be an absolute pathname.
-.TP
+.TP 3n
 \-d \fIdebug\-level\fR
 Set the daemon's debug level to
 \fIdebug\-level\fR. Debugging traces from
 \fBnamed\fR
 become more verbose as the debug level increases.
-.TP
+.TP 3n
 \-f
 Run the server in the foreground (i.e. do not daemonize).
-.TP
+.TP 3n
 \-g
 Run the server in the foreground and force all logging to
 \fIstderr\fR.
-.TP
+.TP 3n
 \-n \fI#cpus\fR
 Create
 \fI#cpus\fR
 worker threads to take advantage of multiple CPUs. If not specified,
 \fBnamed\fR
 will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created.
-.TP
+.TP 3n
 \-p \fIport\fR
 Listen for queries on port
 \fIport\fR. If not specified, the default is port 53.
-.TP
+.TP 3n
 \-s
 Write memory usage statistics to
 \fIstdout\fR
@@ -98,7 +101,7 @@ on exit.
 .B "Note:"
 This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release.
 .RE
-.TP
+.TP 3n
 \-t \fIdirectory\fR
 \fBchroot()\fR
 to
@@ -112,7 +115,7 @@ option, as chrooting a process running as root doesn't enhance security on most
 \fBchroot()\fR
 is defined allows a process with root privileges to escape a chroot jail.
 .RE
-.TP
+.TP 3n
 \-u \fIuser\fR
 \fBsetuid()\fR
 to
@@ -131,10 +134,10 @@ option only works when
 is run on kernel 2.2.18 or later, or kernel 2.3.99\-pre3 or later, since previous kernels did not allow privileges to be retained after
 \fBsetuid()\fR.
 .RE
-.TP
+.TP 3n
 \-v
 Report the version number and exit.
-.TP
+.TP 3n
 \-x \fIcache\-file\fR
 Load data from
 \fIcache\-file\fR
@@ -148,10 +151,10 @@ This option must not be used. It is only of interest to BIND 9 developers and ma
 In routine operation, signals should not be used to control the nameserver;
 \fBrndc\fR
 should be used instead.
-.TP
+.TP 3n
 SIGHUP
 Force a reload of the server.
-.TP
+.TP 3n
 SIGINT, SIGTERM
 Shut down the server.
 .PP
@@ -163,10 +166,10 @@ The
 configuration file is too complex to describe in detail here. A complete description is provided in the
 BIND 9 Administrator Reference Manual.
 .SH "FILES"
-.TP
+.TP 3n
 \fI/etc/named.conf\fR
 The default configuration file.
-.TP
+.TP 3n
 \fI/var/run/named.pid\fR
 The default process\-id file.
 .SH "SEE ALSO"
@@ -176,7 +179,10 @@ RFC 1034,
 RFC 1035,
 \fBrndc\fR(8),
 \fBlwresd\fR(8),
+\fBnamed.conf\fR(5),
 BIND 9 Administrator Reference Manual.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/bin/named/named.conf.5 b/contrib/bind-9.3/bin/named/named.conf.5
index d0b690b1b5..1ace4da31c 100644
--- a/contrib/bind-9.3/bin/named/named.conf.5
+++ b/contrib/bind-9.3/bin/named/named.conf.5
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -12,15 +12,18 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named.conf.5,v 1.1.4.6 2005/10/13 02:33:47 marka Exp $
+.\" $Id: named.conf.5,v 1.1.4.10 2006/09/13 02:56:20 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "\\FINAMED.CONF\\FR" "5" "Aug 13, 2004" "BIND9" "BIND9"
+.\"     Title: \fInamed.conf\fR
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: Aug 13, 2004
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "\fINAMED.CONF\fR" "5" "Aug 13, 2004" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -43,27 +46,34 @@ C++ style: // to end of line
 Unix style: # to end of line
 .SH "ACL"
 .sp
+.RS 3n
 .nf
 acl \fIstring\fR { \fIaddress_match_element\fR; ... };
 .fi
+.RE
 .SH "KEY"
 .sp
+.RS 3n
 .nf
 key \fIdomain_name\fR {
 	algorithm \fIstring\fR;
 	secret \fIstring\fR;
 };
 .fi
+.RE
 .SH "MASTERS"
 .sp
+.RS 3n
 .nf
 masters \fIstring\fR [ port \fIinteger\fR ] {
 	( \fImasters\fR | \fIipv4_address\fR [port \fIinteger\fR] |
 	\fIipv6_address\fR [port \fIinteger\fR] ) [ key \fIstring\fR ]; ...
 };
 .fi
+.RE
 .SH "SERVER"
 .sp
+.RS 3n
 .nf
 server ( \fIipv4_address\fR | \fIipv6_address\fR ) {
 	bogus \fIboolean\fR;
@@ -80,15 +90,19 @@ server ( \fIipv4_address\fR | \fIipv6_address\fR ) {
 	support\-ixfr \fIboolean\fR; // obsolete
 };
 .fi
+.RE
 .SH "TRUSTED\-KEYS"
 .sp
+.RS 3n
 .nf
 trusted\-keys {
 	\fIdomain_name\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; ... 
 };
 .fi
+.RE
 .SH "CONTROLS"
 .sp
+.RS 3n
 .nf
 controls {
 	inet ( \fIipv4_address\fR | \fIipv6_address\fR | * )
@@ -98,8 +112,10 @@ controls {
 	unix \fIunsupported\fR; // not implemented
 };
 .fi
+.RE
 .SH "LOGGING"
 .sp
+.RS 3n
 .nf
 logging {
 	channel \fIstring\fR {
@@ -115,8 +131,10 @@ logging {
 	category \fIstring\fR { \fIstring\fR; ... };
 };
 .fi
+.RE
 .SH "LWRES"
 .sp
+.RS 3n
 .nf
 lwres {
 	listen\-on [ port \fIinteger\fR ] {
@@ -127,8 +145,10 @@ lwres {
 	ndots \fIinteger\fR;
 };
 .fi
+.RE
 .SH "OPTIONS"
 .sp
+.RS 3n
 .nf
 options {
 	avoid\-v4\-udp\-ports { \fIport\fR; ... };
@@ -137,6 +157,7 @@ options {
 	coresize \fIsize\fR;
 	datasize \fIsize\fR;
 	directory \fIquoted_string\fR;
+	cache\-file \fIquoted_string\fR; // test option
 	dump\-file \fIquoted_string\fR;
 	files \fIsize\fR;
 	heartbeat\-interval \fIinteger\fR;
@@ -184,8 +205,8 @@ options {
 	rfc2308\-type1 \fIboolean\fR; // not yet implemented
 	additional\-from\-auth \fIboolean\fR;
 	additional\-from\-cache \fIboolean\fR;
-	query\-source \fIquerysource4\fR;
-	query\-source\-v6 \fIquerysource6\fR;
+	query\-source [ address ( \fIipv4_address\fR | * ) ] [ port ( \fIinteger\fR | * ) ];
+	query\-source\-v6 [ address ( \fIipv6_address\fR | * ) ] [ port ( \fIinteger\fR | * ) ];
 	cleaning\-interval \fIinteger\fR;
 	min\-roots \fIinteger\fR; // not implemented
 	lame\-ttl \fIinteger\fR;
@@ -260,8 +281,10 @@ options {
 	use\-id\-pool \fIboolean\fR; // obsolete
 };
 .fi
+.RE
 .SH "VIEW"
 .sp
+.RS 3n
 .nf
 view \fIstring\fR \fIoptional_class\fR {
 	match\-clients { \fIaddress_match_element\fR; ... };
@@ -295,8 +318,8 @@ view \fIstring\fR \fIoptional_class\fR {
 	rfc2308\-type1 \fIboolean\fR; // not yet implemented
 	additional\-from\-auth \fIboolean\fR;
 	additional\-from\-cache \fIboolean\fR;
-	query\-source \fIquerysource4\fR;
-	query\-source\-v6 \fIquerysource6\fR;
+	query\-source [ address ( \fIipv4_address\fR | * ) ] [ port ( \fIinteger\fR | * ) ];
+	query\-source\-v6 [ address ( \fIipv6_address\fR | * ) ] [ port ( \fIinteger\fR | * ) ];
 	cleaning\-interval \fIinteger\fR;
 	min\-roots \fIinteger\fR; // not implemented
 	lame\-ttl \fIinteger\fR;
@@ -363,8 +386,10 @@ view \fIstring\fR \fIoptional_class\fR {
 	max\-ixfr\-log\-size \fIsize\fR; // obsolete
 };
 .fi
+.RE
 .SH "ZONE"
 .sp
+.RS 3n
 .nf
 zone \fIstring\fR \fIoptional_class\fR {
 	type ( master | slave | stub | hint |
@@ -428,6 +453,7 @@ zone \fIstring\fR \fIoptional_class\fR {
 	pubkey \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; // obsolete
 };
 .fi
+.RE
 .SH "FILES"
 .PP
 \fI/etc/named.conf\fR
@@ -435,4 +461,6 @@ zone \fIstring\fR \fIoptional_class\fR {
 .PP
 \fBnamed\fR(8),
 \fBrndc\fR(8),
-\fBBIND 9 Adminstrators Reference Manual\fR().
+\fBBIND 9 Administrator Reference Manual\fR().
+.SH "COPYRIGHT"
+Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/bin/named/named.conf.html b/contrib/bind-9.3/bin/named/named.conf.html
index 8b3b517d7d..b43ee7f83c 100644
--- a/contrib/bind-9.3/bin/named/named.conf.html
+++ b/contrib/bind-9.3/bin/named/named.conf.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -13,15 +13,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: named.conf.html,v 1.1.4.10 2005/10/13 02:33:48 marka Exp $ -->
+<!-- $Id: named.conf.html,v 1.1.4.15 2006/09/13 02:56:21 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named.conf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><code class="filename">named.conf</code> &#8212; configuration file for named</p>
@@ -31,7 +31,7 @@
 <div class="cmdsynopsis"><p><code class="command">named.conf</code> </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525889"></a><h2>DESCRIPTION</h2>
+<a name="id2549388"></a><h2>DESCRIPTION</h2>
 <p>
 	<code class="filename">named.conf</code> is the configuration file for
 	<span><strong class="command">named</strong></span>.  Statements are enclosed
@@ -50,14 +50,14 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525917"></a><h2>ACL</h2>
+<a name="id2549417"></a><h2>ACL</h2>
 <div class="literallayout"><p><br>
 acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 <br>
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525933"></a><h2>KEY</h2>
+<a name="id2549433"></a><h2>KEY</h2>
 <div class="literallayout"><p><br>
 key <em class="replaceable"><code>domain_name</code></em> {<br>
 	algorithm <em class="replaceable"><code>string</code></em>;<br>
@@ -66,7 +66,7 @@ key
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525953"></a><h2>MASTERS</h2>
+<a name="id2549452"></a><h2>MASTERS</h2>
 <div class="literallayout"><p><br>
 masters <em class="replaceable"><code>string</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
 	( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
@@ -75,7 +75,7 @@ masters
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525998"></a><h2>SERVER</h2>
+<a name="id2549498"></a><h2>SERVER</h2>
 <div class="literallayout"><p><br>
 server ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) {<br>
 	bogus <em class="replaceable"><code>boolean</code></em>;<br>
@@ -95,7 +95,7 @@ server
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526056"></a><h2>TRUSTED-KEYS</h2>
+<a name="id2549556"></a><h2>TRUSTED-KEYS</h2>
 <div class="literallayout"><p><br>
 trusted-keys {<br>
 	<em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br>
@@ -103,7 +103,7 @@ trusted-keys
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526082"></a><h2>CONTROLS</h2>
+<a name="id2549581"></a><h2>CONTROLS</h2>
 <div class="literallayout"><p><br>
 controls {<br>
 	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
@@ -115,7 +115,7 @@ controls
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526117"></a><h2>LOGGING</h2>
+<a name="id2549617"></a><h2>LOGGING</h2>
 <div class="literallayout"><p><br>
 logging {<br>
 	channel <em class="replaceable"><code>string</code></em> {<br>
@@ -133,7 +133,7 @@ logging
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526155"></a><h2>LWRES</h2>
+<a name="id2549655"></a><h2>LWRES</h2>
 <div class="literallayout"><p><br>
 lwres {<br>
 	listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
@@ -146,7 +146,7 @@ lwres
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526197"></a><h2>OPTIONS</h2>
+<a name="id2549697"></a><h2>OPTIONS</h2>
 <div class="literallayout"><p><br>
 options {<br>
 	avoid-v4-udp-ports { <em class="replaceable"><code>port</code></em>; ... };<br>
@@ -155,6 +155,7 @@ options
 	coresize <em class="replaceable"><code>size</code></em>;<br>
 	datasize <em class="replaceable"><code>size</code></em>;<br>
 	directory <em class="replaceable"><code>quoted_string</code></em>;<br>
+	cache-file <em class="replaceable"><code>quoted_string</code></em>; // test option<br>
 	dump-file <em class="replaceable"><code>quoted_string</code></em>;<br>
 	files <em class="replaceable"><code>size</code></em>;<br>
 	heartbeat-interval <em class="replaceable"><code>integer</code></em>;<br>
@@ -202,8 +203,8 @@ options
 	rfc2308-type1 <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br>
 	additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br>
 	additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
-	query-source <em class="replaceable"><code>querysource4</code></em>;<br>
-	query-source-v6 <em class="replaceable"><code>querysource6</code></em>;<br>
+	query-source [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
+	query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
 	cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
 	min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br>
 	lame-ttl <em class="replaceable"><code>integer</code></em>;<br>
@@ -289,7 +290,7 @@ options
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526858"></a><h2>VIEW</h2>
+<a name="id2550312"></a><h2>VIEW</h2>
 <div class="literallayout"><p><br>
 view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
 	match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -328,8 +329,8 @@ view
 	rfc2308-type1 <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br>
 	additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br>
 	additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
-	query-source <em class="replaceable"><code>querysource4</code></em>;<br>
-	query-source-v6 <em class="replaceable"><code>querysource6</code></em>;<br>
+	query-source [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
+	query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
 	cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
 	min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br>
 	lame-ttl <em class="replaceable"><code>integer</code></em>;<br>
@@ -407,7 +408,7 @@ view
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2527269"></a><h2>ZONE</h2>
+<a name="id2550878"></a><h2>ZONE</h2>
 <div class="literallayout"><p><br>
 zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
 	type ( master | slave | stub | hint |<br>
@@ -483,17 +484,17 @@ zone
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2527606"></a><h2>FILES</h2>
+<a name="id2551216"></a><h2>FILES</h2>
 <p>
 <code class="filename">/etc/named.conf</code>
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2527619"></a><h2>SEE ALSO</h2>
+<a name="id2551228"></a><h2>SEE ALSO</h2>
 <p>
 <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
-<span class="citerefentry"><span class="refentrytitle">BIND 9 Adminstrators Reference Manual</span></span>.
+<span class="citerefentry"><span class="refentrytitle">BIND 9 Administrator Reference Manual</span></span>.
 </p>
 </div>
 </div></body>
diff --git a/contrib/bind-9.3/bin/named/named.html b/contrib/bind-9.3/bin/named/named.html
index f266e70af5..6e77e5b9c3 100644
--- a/contrib/bind-9.3/bin/named/named.html
+++ b/contrib/bind-9.3/bin/named/named.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: named.html,v 1.4.2.1.4.9 2005/10/13 02:33:47 marka Exp $ -->
+<!-- $Id: named.html,v 1.4.2.1.4.13 2006/06/29 13:02:30 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">named</span> &#8212; Internet domain name server</p>
@@ -32,7 +32,7 @@
 <div class="cmdsynopsis"><p><code class="command">named</code>  [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525923"></a><h2>DESCRIPTION</h2>
+<a name="id2549491"></a><h2>DESCRIPTION</h2>
 <p>
 	<span><strong class="command">named</strong></span> is a Domain Name System (DNS) server,
 	part of the BIND 9 distribution from ISC.  For more
@@ -46,7 +46,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525948"></a><h2>OPTIONS</h2>
+<a name="id2549516"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-4</span></dt>
 <dd><p>
@@ -177,7 +177,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526297"></a><h2>SIGNALS</h2>
+<a name="id2550002"></a><h2>SIGNALS</h2>
 <p>
 	In routine operation, signals should not be used to control
 	the nameserver; <span><strong class="command">rndc</strong></span> should be used
@@ -198,7 +198,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526412"></a><h2>CONFIGURATION</h2>
+<a name="id2550049"></a><h2>CONFIGURATION</h2>
 <p>
 	The <span><strong class="command">named</strong></span> configuration file is too complex
 	to describe in detail here.  A complete description is
@@ -207,7 +207,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526429"></a><h2>FILES</h2>
+<a name="id2550066"></a><h2>FILES</h2>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
 <dd><p>
@@ -220,18 +220,19 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526469"></a><h2>SEE ALSO</h2>
+<a name="id2550105"></a><h2>SEE ALSO</h2>
 <p>
 	<em class="citetitle">RFC 1033</em>,
 	<em class="citetitle">RFC 1034</em>,
 	<em class="citetitle">RFC 1035</em>,
 	<span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
 	<span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>,
+	<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
 	<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526512"></a><h2>AUTHOR</h2>
+<a name="id2550157"></a><h2>AUTHOR</h2>
 <p>
 	<span class="corpauthor">Internet Systems Consortium</span>
     </p>
diff --git a/contrib/bind-9.3/bin/named/query.c b/contrib/bind-9.3/bin/named/query.c
index b20324b3fd..c0a76a8bdd 100644
--- a/contrib/bind-9.3/bin/named/query.c
+++ b/contrib/bind-9.3/bin/named/query.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.198.2.13.4.36.6.1 2006/08/17 07:12:31 marka Exp $ */
+/* $Id: query.c,v 1.198.2.13.4.43 2006/08/31 03:57:11 marka Exp $ */
 
 #include <config.h>
 
@@ -148,18 +148,6 @@ query_next(ns_client_t *client, isc_result_t result) {
 	ns_client_next(client, result);
 }
 
-static inline void
-query_maybeputqname(ns_client_t *client) {
-	if (client->query.restarts > 0) {
-		/*
-		 * client->query.qname was dynamically allocated.
-		 */
-		dns_message_puttempname(client->message,
-					&client->query.qname);
-		client->query.qname = NULL;
-	}
-}
-
 static inline void
 query_freefreeversions(ns_client_t *client, isc_boolean_t everything) {
 	ns_dbversion_t *dbversion, *dbversion_next;
@@ -240,8 +228,14 @@ query_reset(ns_client_t *client, isc_boolean_t everything) {
 		}
 	}
 
-	query_maybeputqname(client);
-
+	if (client->query.restarts > 0) {
+		/*
+		 * client->query.qname was dynamically allocated.
+		 */
+		dns_message_puttempname(client->message,
+					&client->query.qname);
+	}
+	client->query.qname = NULL;
 	client->query.attributes = (NS_QUERYATTR_RECURSIONOK |
 				    NS_QUERYATTR_CACHEOK |
 				    NS_QUERYATTR_SECURE);
@@ -2091,17 +2085,31 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain,
 		result = isc_quota_attach(&ns_g_server->recursionquota,
 					  &client->recursionquota);
 		if  (result == ISC_R_SOFTQUOTA) {
-			ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-				      NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
-				      "recursive-clients soft limit exceeded, "
-				      "aborting oldest query");
+			static isc_stdtime_t last = 0;
+			isc_stdtime_t now;
+			isc_stdtime_get(&now);
+			if (now != last) {
+				last = now;
+				ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+					      NS_LOGMODULE_QUERY,
+					      ISC_LOG_WARNING,
+					      "recursive-clients soft limit "
+					      "exceeded, aborting oldest query");
+			}
 			ns_client_killoldestquery(client);
 			result = ISC_R_SUCCESS;
 		} else if (result == ISC_R_QUOTA) {
-			ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-				      NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
-				      "no more recursive clients: %s",
-				      isc_result_totext(result));
+			static isc_stdtime_t last = 0;
+			isc_stdtime_t now;
+			isc_stdtime_get(&now);
+			if (now != last) {
+				last = now;
+				ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+					      NS_LOGMODULE_QUERY,
+					      ISC_LOG_WARNING,
+					      "no more recursive clients: %s",
+					      isc_result_totext(result));
+			}
 			ns_client_killoldestquery(client);
 		}
 		if (result == ISC_R_SUCCESS && !client->mortal &&
@@ -2182,7 +2190,7 @@ do { \
  *	ISC_R_NOTIMPLEMENTED	The rdata is not a known address type.
  */
 static isc_result_t
-rdata_tonetaddr(dns_rdata_t *rdata, isc_netaddr_t *netaddr) {
+rdata_tonetaddr(const dns_rdata_t *rdata, isc_netaddr_t *netaddr) {
 	struct in_addr ina;
 	struct in6_addr in6a;
 	
@@ -2208,7 +2216,7 @@ rdata_tonetaddr(dns_rdata_t *rdata, isc_netaddr_t *netaddr) {
  * sortlist statement.
  */
 static int
-query_sortlist_order_2element(dns_rdata_t *rdata, void *arg) {
+query_sortlist_order_2element(const dns_rdata_t *rdata, const void *arg) {
 	isc_netaddr_t netaddr;
 
 	if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS)
@@ -2221,7 +2229,7 @@ query_sortlist_order_2element(dns_rdata_t *rdata, void *arg) {
  * of a 1-element top-level sortlist statement.
  */
 static int
-query_sortlist_order_1element(dns_rdata_t *rdata, void *arg) {
+query_sortlist_order_1element(const dns_rdata_t *rdata, const void *arg) {
 	isc_netaddr_t netaddr;
 
 	if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS)
@@ -2237,7 +2245,7 @@ static void
 setup_query_sortlist(ns_client_t *client) {
 	isc_netaddr_t netaddr;
 	dns_rdatasetorderfunc_t order = NULL;
-	void *order_arg = NULL;
+	const void *order_arg = NULL;
 	
 	isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
 	switch (ns_sortlist_setup(client->view->sortlist,
@@ -2469,7 +2477,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 	/*
 	 * First we must find the right database.
 	 */
-	options = 0;
+	options &= DNS_GETDB_NOLOG; /* Preserve DNS_GETDB_NOLOG. */
 	if (dns_rdatatype_atparent(qtype) &&
 	    !dns_name_equal(client->query.qname, dns_rootname))
 		options |= DNS_GETDB_NOEXACT;
@@ -2509,9 +2517,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		}
 	}
 	if (result != ISC_R_SUCCESS) {
-		if (result == DNS_R_REFUSED)
-			QUERY_ERROR(DNS_R_REFUSED);
-		else
+		if (result == DNS_R_REFUSED) {
+			if (!PARTIALANSWER(client))
+				QUERY_ERROR(DNS_R_REFUSED);
+		} else
 			QUERY_ERROR(DNS_R_SERVFAIL);
 		goto cleanup;
 	}
@@ -2995,9 +3004,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			goto cleanup;
 		}
 		dns_rdata_freestruct(&cname);
-		query_maybeputqname(client);
-		client->query.qname = tname;
+		ns_client_qnamereplace(client, tname);
 		want_restart = ISC_TRUE;
+		if (!WANTRECURSION(client))
+			options |= DNS_GETDB_NOLOG;
 		goto addauth;
 	case DNS_R_DNAME:
 		/*
@@ -3111,10 +3121,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		/*
 		 * Switch to the new qname and restart.
 		 */
-		query_maybeputqname(client);
-		client->query.qname = fname;
+		ns_client_qnamereplace(client, fname);
 		fname = NULL;
 		want_restart = ISC_TRUE;
+		if (!WANTRECURSION(client))
+			options |= DNS_GETDB_NOLOG;
 		goto addauth;
 	default:
 		/*
diff --git a/contrib/bind-9.3/bin/named/server.c b/contrib/bind-9.3/bin/named/server.c
index b9d30d02f6..f29321e510 100644
--- a/contrib/bind-9.3/bin/named/server.c
+++ b/contrib/bind-9.3/bin/named/server.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.339.2.15.2.65 2005/07/27 02:53:15 marka Exp $ */
+/* $Id: server.c,v 1.339.2.15.2.70 2006/05/24 04:30:24 marka Exp $ */
 
 #include <config.h>
 
@@ -167,25 +167,25 @@ static void
 ns_server_reload(isc_task_t *task, isc_event_t *event);
 
 static isc_result_t
-ns_listenelt_fromconfig(cfg_obj_t *listener, cfg_obj_t *config,
+ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
 			ns_aclconfctx_t *actx,
 			isc_mem_t *mctx, ns_listenelt_t **target);
 static isc_result_t
-ns_listenlist_fromconfig(cfg_obj_t *listenlist, cfg_obj_t *config,
+ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
 			 ns_aclconfctx_t *actx,
 			 isc_mem_t *mctx, ns_listenlist_t **target);
 
 static isc_result_t
-configure_forward(cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
-		  cfg_obj_t *forwarders, cfg_obj_t *forwardtype);
+configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
+		  const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype);
 
 static isc_result_t
-configure_alternates(cfg_obj_t *config, dns_view_t *view,
-		     cfg_obj_t *alternates);
+configure_alternates(const cfg_obj_t *config, dns_view_t *view,
+		     const cfg_obj_t *alternates);
 
 static isc_result_t
-configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig,
-	       isc_mem_t *mctx, dns_view_t *view,
+configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
+	       const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
 	       ns_aclconfctx_t *aclconf);
 
 static void
@@ -197,13 +197,13 @@ end_reserved_dispatches(ns_server_t *server, isc_boolean_t all);
  * (for a global default).
  */
 static isc_result_t
-configure_view_acl(cfg_obj_t *vconfig, cfg_obj_t *config,
+configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
 		   const char *aclname, ns_aclconfctx_t *actx,
 		   isc_mem_t *mctx, dns_acl_t **aclp)
 {
 	isc_result_t result;
-	cfg_obj_t *maps[3];
-	cfg_obj_t *aclobj = NULL;
+	const cfg_obj_t *maps[3];
+	const cfg_obj_t *aclobj = NULL;
 	int i = 0;
 
 	if (*aclp != NULL)
@@ -211,14 +211,14 @@ configure_view_acl(cfg_obj_t *vconfig, cfg_obj_t *config,
 	if (vconfig != NULL)
 		maps[i++] = cfg_tuple_get(vconfig, "options");
 	if (config != NULL) {
-		cfg_obj_t *options = NULL;
+		const cfg_obj_t *options = NULL;
 		(void)cfg_map_get(config, "options", &options);
 		if (options != NULL)
 			maps[i++] = options;
 	}
 	maps[i] = NULL;
 
-	result = ns_config_get(maps, aclname, &aclobj);
+	(void)ns_config_get(maps, aclname, &aclobj);
 	if (aclobj == NULL)
 		/*
 		 * No value available.  *aclp == NULL.
@@ -231,13 +231,13 @@ configure_view_acl(cfg_obj_t *vconfig, cfg_obj_t *config,
 }
 
 static isc_result_t
-configure_view_dnsseckey(cfg_obj_t *vconfig, cfg_obj_t *key,
+configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key,
 			 dns_keytable_t *keytable, isc_mem_t *mctx)
 {
 	dns_rdataclass_t viewclass;
 	dns_rdata_dnskey_t keystruct;
 	isc_uint32_t flags, proto, alg;
-	char *keystr, *keynamestr;
+	const char *keystr, *keynamestr;
 	unsigned char keydata[4096];
 	isc_buffer_t keydatabuf;
 	unsigned char rrdata[4096];
@@ -258,7 +258,7 @@ configure_view_dnsseckey(cfg_obj_t *vconfig, cfg_obj_t *key,
 	if (vconfig == NULL)
 		viewclass = dns_rdataclass_in;
 	else {
-		cfg_obj_t *classobj = cfg_tuple_get(vconfig, "class");
+		const cfg_obj_t *classobj = cfg_tuple_get(vconfig, "class");
 		CHECK(ns_config_getclass(classobj, dns_rdataclass_in,
 					 &viewclass));
 	}
@@ -334,15 +334,15 @@ configure_view_dnsseckey(cfg_obj_t *vconfig, cfg_obj_t *key,
  * from 'vconfig' and 'config'.  The variable to be configured is '*target'.
  */
 static isc_result_t
-configure_view_dnsseckeys(cfg_obj_t *vconfig, cfg_obj_t *config,
+configure_view_dnsseckeys(const cfg_obj_t *vconfig, const cfg_obj_t *config,
 			  isc_mem_t *mctx, dns_keytable_t **target)
 {
 	isc_result_t result;
-	cfg_obj_t *keys = NULL;
-	cfg_obj_t *voptions = NULL;
-	cfg_listelt_t *element, *element2;
-	cfg_obj_t *keylist;
-	cfg_obj_t *key;
+	const cfg_obj_t *keys = NULL;
+	const cfg_obj_t *voptions = NULL;
+	const cfg_listelt_t *element, *element2;
+	const cfg_obj_t *keylist;
+	const cfg_obj_t *key;
 	dns_keytable_t *keytable = NULL;
 
 	CHECK(dns_keytable_create(mctx, &keytable));
@@ -381,10 +381,10 @@ configure_view_dnsseckeys(cfg_obj_t *vconfig, cfg_obj_t *config,
 }
 
 static isc_result_t
-mustbesecure(cfg_obj_t *mbs, dns_resolver_t *resolver)
+mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver)
 {
-	cfg_listelt_t *element;
-	cfg_obj_t *obj;
+	const cfg_listelt_t *element;
+	const cfg_obj_t *obj;
 	const char *str;
 	dns_fixedname_t fixed;
 	dns_name_t *name;
@@ -418,14 +418,14 @@ mustbesecure(cfg_obj_t *mbs, dns_resolver_t *resolver)
  * Get a dispatch appropriate for the resolver of a given view.
  */
 static isc_result_t
-get_view_querysource_dispatch(cfg_obj_t **maps,
+get_view_querysource_dispatch(const cfg_obj_t **maps,
 			      int af, dns_dispatch_t **dispatchp)
 {
 	isc_result_t result;
 	dns_dispatch_t *disp;
 	isc_sockaddr_t sa;
 	unsigned int attrs, attrmask;
-	cfg_obj_t *obj = NULL;
+	const cfg_obj_t *obj = NULL;
 
 	/*
 	 * Make compiler happy.
@@ -436,7 +436,6 @@ get_view_querysource_dispatch(cfg_obj_t **maps,
 	case AF_INET:
 		result = ns_config_get(maps, "query-source", &obj);
 		INSIST(result == ISC_R_SUCCESS);
-
 		break;
 	case AF_INET6:
 		result = ns_config_get(maps, "query-source-v6", &obj);
@@ -517,10 +516,10 @@ get_view_querysource_dispatch(cfg_obj_t **maps,
 }
 
 static isc_result_t
-configure_order(dns_order_t *order, cfg_obj_t *ent) {
+configure_order(dns_order_t *order, const cfg_obj_t *ent) {
 	dns_rdataclass_t rdclass;
 	dns_rdatatype_t rdtype;
-	cfg_obj_t *obj;
+	const cfg_obj_t *obj;
 	dns_fixedname_t fixed;
 	unsigned int mode = 0;
 	const char *str;
@@ -567,7 +566,7 @@ configure_order(dns_order_t *order, cfg_obj_t *ent) {
 	/*
 	 * "*" should match everything including the root (BIND 8 compat).
 	 * As dns_name_matcheswildcard(".", "*.") returns FALSE add a
-	 * explict entry for "." when the name is "*".
+	 * explicit entry for "." when the name is "*".
 	 */
 	if (addroot) {
 		result = dns_order_add(order, dns_rootname,
@@ -581,12 +580,12 @@ configure_order(dns_order_t *order, cfg_obj_t *ent) {
 }
 
 static isc_result_t
-configure_peer(cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
-	isc_sockaddr_t *sa;
+configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
+	const isc_sockaddr_t *sa;
 	isc_netaddr_t na;
 	dns_peer_t *peer;
-	cfg_obj_t *obj;
-	char *str;
+	const cfg_obj_t *obj;
+	const char *str;
 	isc_result_t result;
 
 	sa = cfg_obj_assockaddr(cfg_map_getname(cpeer));
@@ -664,10 +663,10 @@ configure_peer(cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
 }
 
 static isc_result_t
-disable_algorithms(cfg_obj_t *disabled, dns_resolver_t *resolver) {
+disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
 	isc_result_t result;
-	cfg_obj_t *algorithms;
-	cfg_listelt_t *element;
+	const cfg_obj_t *algorithms;
+	const cfg_listelt_t *element;
 	const char *str;
 	dns_fixedname_t fixed;
 	dns_name_t *name;
@@ -688,7 +687,7 @@ disable_algorithms(cfg_obj_t *disabled, dns_resolver_t *resolver) {
 		isc_textregion_t r;
 		dns_secalg_t alg;
 
-		r.base = cfg_obj_asstring(cfg_listelt_value(element));
+		DE_CONST(cfg_obj_asstring(cfg_listelt_value(element)), r.base);
 		r.length = strlen(r.base);
 
 		result = dns_secalg_fromtext(&alg, &r);
@@ -717,21 +716,21 @@ disable_algorithms(cfg_obj_t *disabled, dns_resolver_t *resolver) {
  * global defaults in 'config' used exclusively.
  */
 static isc_result_t
-configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
-	       isc_mem_t *mctx, ns_aclconfctx_t *actx,
+configure_view(dns_view_t *view, const cfg_obj_t *config,
+	       const cfg_obj_t *vconfig, isc_mem_t *mctx, ns_aclconfctx_t *actx,
 	       isc_boolean_t need_hints)
 {
-	cfg_obj_t *maps[4];
-	cfg_obj_t *cfgmaps[3];
-	cfg_obj_t *options = NULL;
-	cfg_obj_t *voptions = NULL;
-	cfg_obj_t *forwardtype;
-	cfg_obj_t *forwarders;
-	cfg_obj_t *alternates;
-	cfg_obj_t *zonelist;
-	cfg_obj_t *disabled;
-	cfg_obj_t *obj;
-	cfg_listelt_t *element;
+	const cfg_obj_t *maps[4];
+	const cfg_obj_t *cfgmaps[3];
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *voptions = NULL;
+	const cfg_obj_t *forwardtype;
+	const cfg_obj_t *forwarders;
+	const cfg_obj_t *alternates;
+	const cfg_obj_t *zonelist;
+	const cfg_obj_t *disabled;
+	const cfg_obj_t *obj;
+	const cfg_listelt_t *element;
 	in_port_t port;
 	dns_cache_t *cache = NULL;
 	isc_result_t result;
@@ -792,7 +791,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *zconfig = cfg_listelt_value(element);
+		const cfg_obj_t *zconfig = cfg_listelt_value(element);
 		CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
 				     actx));
 	}
@@ -1018,8 +1017,8 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 	 * Configure the view's peer list.
 	 */
 	{
-		cfg_obj_t *peers = NULL;
-		cfg_listelt_t *element;
+		const cfg_obj_t *peers = NULL;
+		const cfg_listelt_t *element;
 		dns_peerlist_t *newpeers = NULL;
 
 		(void)ns_config_get(cfgmaps, "server", &peers);
@@ -1028,7 +1027,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 		     element != NULL;
 		     element = cfg_list_next(element))
 		{
-			cfg_obj_t *cpeer = cfg_listelt_value(element);
+			const cfg_obj_t *cpeer = cfg_listelt_value(element);
 			dns_peer_t *peer;
 
 			CHECK(configure_peer(cpeer, mctx, &peer));
@@ -1043,8 +1042,8 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 	 *	Configure the views rrset-order.
 	 */
 	{
-		cfg_obj_t *rrsetorder = NULL;
-		cfg_listelt_t *element;
+		const cfg_obj_t *rrsetorder = NULL;
+		const cfg_listelt_t *element;
 
 		(void)ns_config_get(maps, "rrset-order", &rrsetorder);
 		CHECK(dns_order_create(mctx, &order));
@@ -1052,7 +1051,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 		     element != NULL;
 		     element = cfg_list_next(element))
 		{
-			cfg_obj_t *ent = cfg_listelt_value(element);
+			const cfg_obj_t *ent = cfg_listelt_value(element);
 
 			CHECK(configure_order(order, ent));
 		}
@@ -1078,7 +1077,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 	 * Configure the "match-recursive-only" option.
 	 */
 	obj = NULL;
-	(void) ns_config_get(maps, "match-recursive-only", &obj);
+	(void)ns_config_get(maps, "match-recursive-only", &obj);
 	if (obj != NULL && cfg_obj_asboolean(obj))
 		view->matchrecursiveonly = ISC_TRUE;
 	else
@@ -1275,8 +1274,8 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 			dns_fixedname_t fixed;
 			dns_name_t *name;
 			isc_buffer_t b;
-			char *str;
-			cfg_obj_t *exclude;
+			const char *str;
+			const cfg_obj_t *exclude;
 
 			dns_fixedname_init(&fixed);
 			name = dns_fixedname_name(&fixed);
@@ -1330,12 +1329,12 @@ configure_hints(dns_view_t *view, const char *filename) {
 }
 
 static isc_result_t
-configure_alternates(cfg_obj_t *config, dns_view_t *view,
-		     cfg_obj_t *alternates)
+configure_alternates(const cfg_obj_t *config, dns_view_t *view,
+		     const cfg_obj_t *alternates)
 {
-	cfg_obj_t *portobj;
-	cfg_obj_t *addresses;
-	cfg_listelt_t *element;
+	const cfg_obj_t *portobj;
+	const cfg_obj_t *addresses;
+	const cfg_listelt_t *element;
 	isc_result_t result = ISC_R_SUCCESS;
 	in_port_t port;
 
@@ -1368,14 +1367,14 @@ configure_alternates(cfg_obj_t *config, dns_view_t *view,
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *alternate = cfg_listelt_value(element);
+		const cfg_obj_t *alternate = cfg_listelt_value(element);
 		isc_sockaddr_t sa;
 
 		if (!cfg_obj_issockaddr(alternate)) {
 			dns_fixedname_t fixed;
 			dns_name_t *name;
-			char *str = cfg_obj_asstring(cfg_tuple_get(alternate,
-								   "name"));
+			const char *str = cfg_obj_asstring(cfg_tuple_get(
+							   alternate, "name"));
 			isc_buffer_t buffer;
 			in_port_t myport = port;
 
@@ -1415,12 +1414,12 @@ configure_alternates(cfg_obj_t *config, dns_view_t *view,
 }
 
 static isc_result_t
-configure_forward(cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
-		  cfg_obj_t *forwarders, cfg_obj_t *forwardtype)
+configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
+		  const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype)
 {
-	cfg_obj_t *portobj;
-	cfg_obj_t *faddresses;
-	cfg_listelt_t *element;
+	const cfg_obj_t *portobj;
+	const cfg_obj_t *faddresses;
+	const cfg_listelt_t *element;
 	dns_fwdpolicy_t fwdpolicy = dns_fwdpolicy_none;
 	isc_sockaddrlist_t addresses;
 	isc_sockaddr_t *sa;
@@ -1458,7 +1457,7 @@ configure_forward(cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *forwarder = cfg_listelt_value(element);
+		const cfg_obj_t *forwarder = cfg_listelt_value(element);
 		sa = isc_mem_get(view->mctx, sizeof(isc_sockaddr_t));
 		if (sa == NULL) {
 			result = ISC_R_NOMEMORY;
@@ -1481,7 +1480,7 @@ configure_forward(cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
 		if (forwardtype == NULL)
 			fwdpolicy = dns_fwdpolicy_first;
 		else {
-			char *forwardstr = cfg_obj_asstring(forwardtype);
+			const char *forwardstr = cfg_obj_asstring(forwardtype);
 			if (strcasecmp(forwardstr, "first") == 0)
 				fwdpolicy = dns_fwdpolicy_first;
 			else if (strcasecmp(forwardstr, "only") == 0)
@@ -1523,14 +1522,16 @@ configure_forward(cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
  * The view created is attached to '*viewp'.
  */
 static isc_result_t
-create_view(cfg_obj_t *vconfig, dns_viewlist_t *viewlist, dns_view_t **viewp) {
+create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
+	    dns_view_t **viewp)
+{
 	isc_result_t result;
 	const char *viewname;
 	dns_rdataclass_t viewclass;
 	dns_view_t *view = NULL;
 
 	if (vconfig != NULL) {
-		cfg_obj_t *classobj = NULL;
+		const cfg_obj_t *classobj = NULL;
 
 		viewname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
 		classobj = cfg_tuple_get(vconfig, "class");
@@ -1560,19 +1561,19 @@ create_view(cfg_obj_t *vconfig, dns_viewlist_t *viewlist, dns_view_t **viewp) {
  * Configure or reconfigure a zone.
  */
 static isc_result_t
-configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig,
-	       isc_mem_t *mctx, dns_view_t *view,
+configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
+	       const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
 	       ns_aclconfctx_t *aclconf)
 {
 	dns_view_t *pview = NULL;	/* Production view */
 	dns_zone_t *zone = NULL;	/* New or reused zone */
 	dns_zone_t *dupzone = NULL;
-	cfg_obj_t *options = NULL;
-	cfg_obj_t *zoptions = NULL;
-	cfg_obj_t *typeobj = NULL;
-	cfg_obj_t *forwarders = NULL;
-	cfg_obj_t *forwardtype = NULL;
-	cfg_obj_t *only = NULL;
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *zoptions = NULL;
+	const cfg_obj_t *typeobj = NULL;
+	const cfg_obj_t *forwarders = NULL;
+	const cfg_obj_t *forwardtype = NULL;
+	const cfg_obj_t *only = NULL;
 	isc_result_t result;
 	isc_result_t tresult;
 	isc_buffer_t buffer;
@@ -1629,7 +1630,7 @@ configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig,
 	 * configure it and return.
 	 */
 	if (strcasecmp(ztypestr, "hint") == 0) {
-		cfg_obj_t *fileobj = NULL;
+		const cfg_obj_t *fileobj = NULL;
 		if (cfg_map_get(zoptions, "file", &fileobj) != ISC_R_SUCCESS) {
 			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
@@ -1639,7 +1640,7 @@ configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig,
 			goto cleanup;
 		}
 		if (dns_name_equal(origin, dns_rootname)) {
-			char *hintsfile = cfg_obj_asstring(fileobj);
+			const char *hintsfile = cfg_obj_asstring(fileobj);
 
 			result = configure_hints(view, hintsfile);
 			if (result != ISC_R_SUCCESS) {
@@ -1795,9 +1796,10 @@ configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig,
  * Configure a single server quota.
  */
 static void
-configure_server_quota(cfg_obj_t **maps, const char *name, isc_quota_t *quota)
+configure_server_quota(const cfg_obj_t **maps, const char *name,
+		       isc_quota_t *quota)
 {
-	cfg_obj_t *obj = NULL;
+	const cfg_obj_t *obj = NULL;
 	isc_result_t result;
 
 	result = ns_config_get(maps, name, &obj);
@@ -1810,9 +1812,9 @@ configure_server_quota(cfg_obj_t **maps, const char *name, isc_quota_t *quota)
  * parsed.  This can be extended to support other options if necessary.
  */
 static isc_result_t
-directory_callback(const char *clausename, cfg_obj_t *obj, void *arg) {
+directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
 	isc_result_t result;
-	char *directory;
+	const char *directory;
 
 	REQUIRE(strcasecmp("directory", clausename) == 0);
 
@@ -1891,8 +1893,7 @@ add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr) {
 
  clean:
 	INSIST(lelt == NULL);
-	if (src_acl != NULL)
-		dns_acl_detach(&src_acl);
+	dns_acl_detach(&src_acl);
 
 	return (result);
 }
@@ -2049,7 +2050,7 @@ setstring(ns_server_t *server, char **field, const char *value) {
  * or NULL if whether 'obj' is a string or void value, respectively.
  */
 static isc_result_t
-setoptstring(ns_server_t *server, char **field, cfg_obj_t *obj) {
+setoptstring(ns_server_t *server, char **field, const cfg_obj_t *obj) {
 	if (cfg_obj_isvoid(obj))
 		return (setstring(server, field, NULL));
 	else
@@ -2057,11 +2058,12 @@ setoptstring(ns_server_t *server, char **field, cfg_obj_t *obj) {
 }
 
 static void
-set_limit(cfg_obj_t **maps, const char *configname, const char *description,
-	  isc_resource_t resourceid, isc_resourcevalue_t defaultvalue)
+set_limit(const cfg_obj_t **maps, const char *configname,
+	  const char *description, isc_resource_t resourceid,
+	  isc_resourcevalue_t defaultvalue)
 {
-	cfg_obj_t *obj = NULL;
-	char *resource;
+	const cfg_obj_t *obj = NULL;
+	const char *resource;
 	isc_resourcevalue_t value;
 	isc_result_t result;
 
@@ -2092,7 +2094,7 @@ set_limit(cfg_obj_t **maps, const char *configname, const char *description,
 		  ns_g_init ## resource)
 
 static void
-set_limits(cfg_obj_t **maps) {
+set_limits(const cfg_obj_t **maps) {
 	SETLIMIT("stacksize", stacksize, "stack size");
 	SETLIMIT("datasize", datasize, "data size");
 	SETLIMIT("coresize", coresize, "core size");
@@ -2101,15 +2103,15 @@ set_limits(cfg_obj_t **maps) {
 
 static isc_result_t
 portlist_fromconf(dns_portlist_t *portlist, unsigned int family,
-		  cfg_obj_t *ports)
+		  const cfg_obj_t *ports)
 {
-	cfg_listelt_t *element;
+	const cfg_listelt_t *element;
 	isc_result_t result = ISC_R_SUCCESS;
 
 	for (element = cfg_list_first(ports);
 	     element != NULL;
 	     element = cfg_list_next(element)) {
-		cfg_obj_t *obj = cfg_listelt_value(element);
+		const cfg_obj_t *obj = cfg_listelt_value(element);
 		in_port_t port = (in_port_t)cfg_obj_asuint32(obj);
 		
 		result = dns_portlist_add(portlist, family, port);
@@ -2126,13 +2128,13 @@ load_configuration(const char *filename, ns_server_t *server,
 	isc_result_t result;
 	cfg_parser_t *parser = NULL;
 	cfg_obj_t *config;
-	cfg_obj_t *options;
-	cfg_obj_t *views;
-	cfg_obj_t *obj;
-	cfg_obj_t *v4ports, *v6ports;
-	cfg_obj_t *maps[3];
-	cfg_obj_t *builtin_views;
-	cfg_listelt_t *element;
+	const cfg_obj_t *options;
+	const cfg_obj_t *views;
+	const cfg_obj_t *obj;
+	const cfg_obj_t *v4ports, *v6ports;
+	const cfg_obj_t *maps[3];
+	const cfg_obj_t *builtin_views;
+	const cfg_listelt_t *element;
 	dns_view_t *view = NULL;
 	dns_view_t *view_next;
 	dns_viewlist_t viewlist;
@@ -2319,7 +2321,7 @@ load_configuration(const char *filename, ns_server_t *server,
 	 * statement.
 	 */
 	{
-		cfg_obj_t *clistenon = NULL;
+		const cfg_obj_t *clistenon = NULL;
 		ns_listenlist_t *listenon = NULL;
 
 		clistenon = NULL;
@@ -2353,7 +2355,7 @@ load_configuration(const char *filename, ns_server_t *server,
 	 * Ditto for IPv6.
 	 */
 	{
-		cfg_obj_t *clistenon = NULL;
+		const cfg_obj_t *clistenon = NULL;
 		ns_listenlist_t *listenon = NULL;
 
 		if (options != NULL)
@@ -2438,7 +2440,7 @@ load_configuration(const char *filename, ns_server_t *server,
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *vconfig = cfg_listelt_value(element);
+		const cfg_obj_t *vconfig = cfg_listelt_value(element);
 		view = NULL;
 
 		CHECK(create_view(vconfig, &viewlist, &view));
@@ -2478,7 +2480,7 @@ load_configuration(const char *filename, ns_server_t *server,
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *vconfig = cfg_listelt_value(element);
+		const cfg_obj_t *vconfig = cfg_listelt_value(element);
 		CHECK(create_view(vconfig, &viewlist, &view));
 		CHECK(configure_view(view, config, vconfig, ns_g_mctx,
 				     &aclconfctx, ISC_FALSE));
@@ -2582,7 +2584,7 @@ load_configuration(const char *filename, ns_server_t *server,
 			      "ignoring config file logging "
 			      "statement due to -g option");
 	} else {
-		cfg_obj_t *logobj = NULL;
+		const cfg_obj_t *logobj = NULL;
 		isc_logconfig_t *logc = NULL;
 
 		CHECKM(isc_logconfig_create(ns_g_lctx, &logc),
@@ -2621,8 +2623,8 @@ load_configuration(const char *filename, ns_server_t *server,
 	 * compatibility.
 	 */
 	if (first_time) {
-		cfg_obj_t *logobj = NULL;
-		cfg_obj_t *categories = NULL;
+		const cfg_obj_t *logobj = NULL;
+		const cfg_obj_t *categories = NULL;
 
 		obj = NULL;
 		if (ns_config_get(maps, "querylog", &obj) == ISC_R_SUCCESS) {
@@ -2634,13 +2636,13 @@ load_configuration(const char *filename, ns_server_t *server,
 				(void)cfg_map_get(logobj, "category",
 						  &categories);
 			if (categories != NULL) {
-				cfg_listelt_t *element;
+				const cfg_listelt_t *element;
 				for (element = cfg_list_first(categories);
 				     element != NULL;
 				     element = cfg_list_next(element))
 				{
-					cfg_obj_t *catobj;
-					char *str;
+					const cfg_obj_t *catobj;
+					const char *str;
 
 					obj = cfg_listelt_value(element);
 					catobj = cfg_tuple_get(obj, "name");
@@ -3133,7 +3135,7 @@ end_reserved_dispatches(ns_server_t *server, isc_boolean_t all) {
 }
 
 void
-ns_add_reserved_dispatch(ns_server_t *server, isc_sockaddr_t *addr) {
+ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr) {
 	ns_dispatch_t *dispatch;
 	in_port_t port;
 	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
@@ -3458,20 +3460,29 @@ isc_result_t
 ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
 	isc_result_t result;
 	dns_zone_t *zone = NULL;
-	const unsigned char msg[] = "zone refresh queued";
+	const unsigned char msg1[] = "zone refresh queued";
+	const unsigned char msg2[] = "not a slave or stub zone";
+	dns_zonetype_t type;
 
 	result = zone_from_args(server, args, &zone);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	if (zone == NULL)
 		return (ISC_R_UNEXPECTEDEND);
-	
-	dns_zone_refresh(zone);
-	dns_zone_detach(&zone);
-	if (sizeof(msg) <= isc_buffer_availablelength(text))
-		isc_buffer_putmem(text, msg, sizeof(msg));
 
-	return (ISC_R_SUCCESS);
+	type = dns_zone_gettype(zone);
+	if (type == dns_zone_slave || type == dns_zone_stub) {
+		dns_zone_refresh(zone);
+		dns_zone_detach(&zone);
+		if (sizeof(msg1) <= isc_buffer_availablelength(text))
+			isc_buffer_putmem(text, msg1, sizeof(msg1));
+		return (ISC_R_SUCCESS);
+	}
+		
+	dns_zone_detach(&zone);
+	if (sizeof(msg2) <= isc_buffer_availablelength(text))
+		isc_buffer_putmem(text, msg2, sizeof(msg2));
+	return (ISC_R_FAILURE);
 }	
 
 isc_result_t
@@ -3486,12 +3497,12 @@ ns_server_togglequerylog(ns_server_t *server) {
 }
 
 static isc_result_t
-ns_listenlist_fromconfig(cfg_obj_t *listenlist, cfg_obj_t *config,
+ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
 			 ns_aclconfctx_t *actx,
 			 isc_mem_t *mctx, ns_listenlist_t **target)
 {
 	isc_result_t result;
-	cfg_listelt_t *element;
+	const cfg_listelt_t *element;
 	ns_listenlist_t *dlist = NULL;
 
 	REQUIRE(target != NULL && *target == NULL);
@@ -3505,7 +3516,7 @@ ns_listenlist_fromconfig(cfg_obj_t *listenlist, cfg_obj_t *config,
 	     element = cfg_list_next(element))
 	{
 		ns_listenelt_t *delt = NULL;
-		cfg_obj_t *listener = cfg_listelt_value(element);
+		const cfg_obj_t *listener = cfg_listelt_value(element);
 		result = ns_listenelt_fromconfig(listener, config, actx,
 						 mctx, &delt);
 		if (result != ISC_R_SUCCESS)
@@ -3525,12 +3536,12 @@ ns_listenlist_fromconfig(cfg_obj_t *listenlist, cfg_obj_t *config,
  * data structure.
  */
 static isc_result_t
-ns_listenelt_fromconfig(cfg_obj_t *listener, cfg_obj_t *config,
+ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
 			ns_aclconfctx_t *actx,
 			isc_mem_t *mctx, ns_listenelt_t **target)
 {
 	isc_result_t result;
-	cfg_obj_t *portobj;
+	const cfg_obj_t *portobj;
 	in_port_t port;
 	ns_listenelt_t *delt = NULL;
 	REQUIRE(target != NULL && *target == NULL);
@@ -3823,6 +3834,11 @@ ns_server_dumpdb(ns_server_t *server, char *args) {
 	char *ptr;
 	const char *sep;
 
+	/* Skip the command name. */
+	ptr = next_token(&args, " \t");
+	if (ptr == NULL)
+		return (ISC_R_UNEXPECTEDEND);
+
 	dctx = isc_mem_get(server->mctx, sizeof(*dctx));
 	if (dctx == NULL)
 		return (ISC_R_NOMEMORY);
@@ -3845,11 +3861,6 @@ ns_server_dumpdb(ns_server_t *server, char *args) {
 	CHECKMF(isc_stdio_open(server->dumpfile, "w", &dctx->fp),
 		"could not open dump file", server->dumpfile);
 
-	/* Skip the command name. */
-	ptr = next_token(&args, " \t");
-	if (ptr == NULL)
-		return (ISC_R_UNEXPECTEDEND);
-
 	sep = (args == NULL) ? "" : ": ";
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
diff --git a/contrib/bind-9.3/bin/named/sortlist.c b/contrib/bind-9.3/bin/named/sortlist.c
index 0098fe779c..0feba3bbee 100644
--- a/contrib/bind-9.3/bin/named/sortlist.c
+++ b/contrib/bind-9.3/bin/named/sortlist.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sortlist.c,v 1.5.12.4 2004/03/08 04:04:19 marka Exp $ */
+/* $Id: sortlist.c,v 1.5.12.6 2006/03/02 00:37:20 marka Exp $ */
 
 #include <config.h>
 
@@ -30,7 +30,9 @@
 #include <named/sortlist.h>
 
 ns_sortlisttype_t
-ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr, void **argp) {
+ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr,
+		  const void **argp)
+{
 	unsigned int i;
 
 	if (acl == NULL)
@@ -44,7 +46,7 @@ ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr, void **argp) {
 		dns_aclelement_t *e = &acl->elements[i];
 		dns_aclelement_t *try_elt;
 		dns_aclelement_t *order_elt = NULL;
-		dns_aclelement_t *matched_elt = NULL;
+		const dns_aclelement_t *matched_elt = NULL;
 
 		if (e->type == dns_aclelementtype_nestedacl) {
 			dns_acl_t *inner = e->u.nestedacl;
@@ -106,8 +108,8 @@ ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr, void **argp) {
 }
 
 int
-ns_sortlist_addrorder2(isc_netaddr_t *addr, void *arg) {
-	dns_acl_t *sortacl = (dns_acl_t *) arg;
+ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg) {
+	const dns_acl_t *sortacl = (const dns_acl_t *) arg;
 	int match;
 
 	(void)dns_acl_match(addr, NULL, sortacl,
@@ -122,8 +124,8 @@ ns_sortlist_addrorder2(isc_netaddr_t *addr, void *arg) {
 }
 
 int
-ns_sortlist_addrorder1(isc_netaddr_t *addr, void *arg) {
-	dns_aclelement_t *matchelt = (dns_aclelement_t *) arg;
+ns_sortlist_addrorder1(const isc_netaddr_t *addr, const void *arg) {
+	const dns_aclelement_t *matchelt = (const dns_aclelement_t *) arg;
 	if (dns_aclelement_match(addr, NULL, matchelt,
 				 &ns_g_server->aclenv,
 				 NULL)) {
@@ -136,7 +138,7 @@ ns_sortlist_addrorder1(isc_netaddr_t *addr, void *arg) {
 void
 ns_sortlist_byaddrsetup(dns_acl_t *sortlist_acl, isc_netaddr_t *client_addr,
 		       dns_addressorderfunc_t *orderp,
-		       void **argp)
+		       const void **argp)
 {
 	ns_sortlisttype_t sortlisttype;
 
diff --git a/contrib/bind-9.3/bin/named/tkeyconf.c b/contrib/bind-9.3/bin/named/tkeyconf.c
index 7fc13f3d9c..f23c1dba5f 100644
--- a/contrib/bind-9.3/bin/named/tkeyconf.c
+++ b/contrib/bind-9.3/bin/named/tkeyconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkeyconf.c,v 1.19.208.2 2004/06/11 00:30:51 marka Exp $ */
+/* $Id: tkeyconf.c,v 1.19.208.4 2006/03/02 00:37:20 marka Exp $ */
 
 #include <config.h>
 
@@ -42,17 +42,17 @@
 
 
 isc_result_t
-ns_tkeyctx_fromconfig(cfg_obj_t *options, isc_mem_t *mctx, isc_entropy_t *ectx,
-		       dns_tkeyctx_t **tctxp)
+ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
+		      isc_entropy_t *ectx, dns_tkeyctx_t **tctxp)
 {
 	isc_result_t result;
 	dns_tkeyctx_t *tctx = NULL;
-	char *s;
+	const char *s;
 	isc_uint32_t n;
 	dns_fixedname_t fname;
 	dns_name_t *name;
 	isc_buffer_t b;
-	cfg_obj_t *obj;
+	const cfg_obj_t *obj;
 	int type;
 
 	result = dns_tkeyctx_create(mctx, ectx, &tctx);
diff --git a/contrib/bind-9.3/bin/named/tsigconf.c b/contrib/bind-9.3/bin/named/tsigconf.c
index 38524c37fa..a90438d85e 100644
--- a/contrib/bind-9.3/bin/named/tsigconf.c
+++ b/contrib/bind-9.3/bin/named/tsigconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsigconf.c,v 1.21.208.4 2004/03/08 04:04:19 marka Exp $ */
+/* $Id: tsigconf.c,v 1.21.208.6 2006/03/02 00:37:20 marka Exp $ */
 
 #include <config.h>
 
@@ -35,10 +35,12 @@
 #include <named/tsigconf.h>
 
 static isc_result_t
-add_initial_keys(cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) {
-	cfg_listelt_t *element;
-	cfg_obj_t *key = NULL;
-	char *keyid = NULL;
+add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring,
+		 isc_mem_t *mctx)
+{
+	const cfg_listelt_t *element;
+	const cfg_obj_t *key = NULL;
+	const char *keyid = NULL;
 	unsigned char *secret = NULL;
 	int secretalloc = 0;
 	int secretlen = 0;
@@ -49,14 +51,14 @@ add_initial_keys(cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) {
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *algobj = NULL;
-		cfg_obj_t *secretobj = NULL;
+		const cfg_obj_t *algobj = NULL;
+		const cfg_obj_t *secretobj = NULL;
 		dns_name_t keyname;
 		dns_name_t *alg;
-		char *algstr;
+		const char *algstr;
 		char keynamedata[1024];
 		isc_buffer_t keynamesrc, keynamebuf;
-		char *secretstr;
+		const char *secretstr;
 		isc_buffer_t secretbuf;
 
 		key = cfg_listelt_value(element);
@@ -129,11 +131,11 @@ add_initial_keys(cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) {
 }
 
 isc_result_t
-ns_tsigkeyring_fromconfig(cfg_obj_t *config, cfg_obj_t *vconfig,
+ns_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			  isc_mem_t *mctx, dns_tsig_keyring_t **ringp)
 {
-	cfg_obj_t *maps[3];
-	cfg_obj_t *keylist;
+	const cfg_obj_t *maps[3];
+	const cfg_obj_t *keylist;
 	dns_tsig_keyring_t *ring = NULL;
 	isc_result_t result;
 	int i;
diff --git a/contrib/bind-9.3/bin/named/unix/os.c b/contrib/bind-9.3/bin/named/unix/os.c
index f306f14622..361d1b6363 100644
--- a/contrib/bind-9.3/bin/named/unix/os.c
+++ b/contrib/bind-9.3/bin/named/unix/os.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.c,v 1.46.2.4.8.22 2005/05/20 01:37:19 marka Exp $ */
+/* $Id: os.c,v 1.46.2.4.8.24 2006/02/03 23:51:37 marka Exp $ */
 
 #include <config.h>
 #include <stdarg.h>
@@ -497,6 +497,13 @@ ns_os_changeuser(void) {
 #if defined(HAVE_LINUX_CAPABILITY_H) && !defined(HAVE_LINUXTHREADS)
 	linux_minprivs();
 #endif
+#if defined(HAVE_SYS_PRCTL_H) && defined(PR_SET_DUMPABLE)
+	/*
+	 * Restore the ability of named to drop core after the setuid()
+	 * call has disabled it.
+	 */
+	prctl(PR_SET_DUMPABLE,1,0,0,0);
+#endif
 }
 
 void
diff --git a/contrib/bind-9.3/bin/named/update.c b/contrib/bind-9.3/bin/named/update.c
index 6c2d7597f7..fa0ddb0104 100644
--- a/contrib/bind-9.3/bin/named/update.c
+++ b/contrib/bind-9.3/bin/named/update.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.88.2.5.2.27 2005/10/08 00:21:06 marka Exp $ */
+/* $Id: update.c,v 1.88.2.5.2.29 2006/01/06 00:01:42 marka Exp $ */
 
 #include <config.h>
 
@@ -36,6 +36,7 @@
 #include <dns/rdataclass.h>
 #include <dns/rdataset.h>
 #include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
 #include <dns/rdatatype.h>
 #include <dns/soa.h>
 #include <dns/ssu.h>
@@ -1517,7 +1518,8 @@ next_active(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
  */
 static isc_result_t
 add_nsec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
-	dns_dbversion_t *ver, dns_name_t *name, dns_diff_t *diff)
+	 dns_dbversion_t *ver, dns_name_t *name, dns_ttl_t nsecttl,
+	 dns_diff_t *diff)
 {
 	isc_result_t result;
 	dns_dbnode_t *node = NULL;
@@ -1552,8 +1554,7 @@ add_nsec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	 * Add the new NSEC and record the change.
 	 */
 	CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name,
-				   3600,	/* XXXRTH */
-				   &rdata, &tuple));
+				   nsecttl, &rdata, &tuple));
 	CHECK(do_one_tuple(&tuple, db, ver, diff));
 	INSIST(tuple == NULL);
 
@@ -1678,6 +1679,11 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	unsigned int nkeys = 0;
 	unsigned int i;
 	isc_stdtime_t now, inception, expire;
+	dns_ttl_t nsecttl;
+	dns_rdata_soa_t soa;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	dns_dbnode_t *node = NULL;
 
 	dns_diff_init(client->mctx, &diffnames);
 	dns_diff_init(client->mctx, &affected);
@@ -1698,6 +1704,20 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	inception = now - 3600; /* Allow for some clock skew. */
 	expire = now + sigvalidityinterval;
 
+	/*
+	 * Get the NSEC's TTL from the SOA MINIMUM field.
+	 */
+	CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
+	dns_rdataset_init(&rdataset);
+	CHECK(dns_db_findrdataset(db, node, newver, dns_rdatatype_soa, 0,
+                                  (isc_stdtime_t) 0, &rdataset, NULL));
+	CHECK(dns_rdataset_first(&rdataset));
+	dns_rdataset_current(&rdataset, &rdata);
+	CHECK(dns_rdata_tostruct(&rdata, &soa, NULL));
+	nsecttl = soa.minimum;
+	dns_rdataset_disassociate(&rdataset);
+	dns_db_detachnode(db, &node);
+
 	/*
 	 * Find all RRsets directly affected by the update, and
 	 * update their RRSIGs.  Also build a list of names affected
@@ -1901,8 +1921,8 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 			 * there is other data, and if there is other data,
 			 * there are other RRSIGs.
 			 */
-			CHECK(add_nsec(client, zone, db, newver,
-				      &t->name, &nsec_diff));
+			CHECK(add_nsec(client, zone, db, newver, &t->name,
+				       nsecttl, &nsec_diff));
 		}
 	}
 
diff --git a/contrib/bind-9.3/bin/named/zoneconf.c b/contrib/bind-9.3/bin/named/zoneconf.c
index 41ce69d6a6..66ef9050c5 100644
--- a/contrib/bind-9.3/bin/named/zoneconf.c
+++ b/contrib/bind-9.3/bin/named/zoneconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.c,v 1.87.2.4.10.15 2005/09/06 02:12:39 marka Exp $ */
+/* $Id: zoneconf.c,v 1.87.2.4.10.19 2006/02/28 06:32:53 marka Exp $ */
 
 #include <config.h>
 
@@ -55,15 +55,15 @@
  * Convenience function for configuring a single zone ACL.
  */
 static isc_result_t
-configure_zone_acl(cfg_obj_t *zconfig, cfg_obj_t *vconfig, cfg_obj_t *config,
-		   const char *aclname, ns_aclconfctx_t *actx,
-		   dns_zone_t *zone, 
+configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
+		   const cfg_obj_t *config, const char *aclname,
+		   ns_aclconfctx_t *actx, dns_zone_t *zone, 
 		   void (*setzacl)(dns_zone_t *, dns_acl_t *),
 		   void (*clearzacl)(dns_zone_t *))
 {
 	isc_result_t result;
-	cfg_obj_t *maps[4];
-	cfg_obj_t *aclobj = NULL;
+	const cfg_obj_t *maps[4];
+	const cfg_obj_t *aclobj = NULL;
 	int i = 0;
 	dns_acl_t *dacl = NULL;
 
@@ -72,7 +72,7 @@ configure_zone_acl(cfg_obj_t *zconfig, cfg_obj_t *vconfig, cfg_obj_t *config,
 	if (vconfig != NULL)
 		maps[i++] = cfg_tuple_get(vconfig, "options");
 	if (config != NULL) {
-		cfg_obj_t *options = NULL;
+		const cfg_obj_t *options = NULL;
 		(void)cfg_map_get(config, "options", &options);
 		if (options != NULL)
 			maps[i++] = options;
@@ -98,16 +98,18 @@ configure_zone_acl(cfg_obj_t *zconfig, cfg_obj_t *vconfig, cfg_obj_t *config,
  * Parse the zone update-policy statement.
  */
 static isc_result_t
-configure_zone_ssutable(cfg_obj_t *zconfig, dns_zone_t *zone) {
-	cfg_obj_t *updatepolicy = NULL;
-	cfg_listelt_t *element, *element2;
+configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
+	const cfg_obj_t *updatepolicy = NULL;
+	const cfg_listelt_t *element, *element2;
 	dns_ssutable_t *table = NULL;
 	isc_mem_t *mctx = dns_zone_getmctx(zone);
 	isc_result_t result;
 
 	(void)cfg_map_get(zconfig, "update-policy", &updatepolicy);
-	if (updatepolicy == NULL)
+	if (updatepolicy == NULL) {
+		dns_zone_setssutable(zone, NULL);
 		return (ISC_R_SUCCESS);
+	}
 
 	result = dns_ssutable_create(mctx, &table);
 	if (result != ISC_R_SUCCESS)
@@ -117,13 +119,13 @@ configure_zone_ssutable(cfg_obj_t *zconfig, dns_zone_t *zone) {
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *stmt = cfg_listelt_value(element);
-		cfg_obj_t *mode = cfg_tuple_get(stmt, "mode");
-		cfg_obj_t *identity = cfg_tuple_get(stmt, "identity");
-		cfg_obj_t *matchtype = cfg_tuple_get(stmt, "matchtype");
-		cfg_obj_t *dname = cfg_tuple_get(stmt, "name");
-		cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
-		char *str;
+		const cfg_obj_t *stmt = cfg_listelt_value(element);
+		const cfg_obj_t *mode = cfg_tuple_get(stmt, "mode");
+		const cfg_obj_t *identity = cfg_tuple_get(stmt, "identity");
+		const cfg_obj_t *matchtype = cfg_tuple_get(stmt, "matchtype");
+		const cfg_obj_t *dname = cfg_tuple_get(stmt, "name");
+		const cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
+		const char *str;
 		isc_boolean_t grant = ISC_FALSE;
 		unsigned int mtype = DNS_SSUMATCHTYPE_NAME;
 		dns_fixedname_t fname, fident;
@@ -191,14 +193,14 @@ configure_zone_ssutable(cfg_obj_t *zconfig, dns_zone_t *zone) {
 		     element2 != NULL;
 		     element2 = cfg_list_next(element2))
 		{
-			cfg_obj_t *typeobj;
+			const cfg_obj_t *typeobj;
 			isc_textregion_t r;
 
 			INSIST(i < n);
 
 			typeobj = cfg_listelt_value(element2);
 			str = cfg_obj_asstring(typeobj);
-			r.base = str;
+			DE_CONST(str, r.base);
 			r.length = strlen(str);
 
 			result = dns_rdatatype_fromtext(&types[i++], &r);
@@ -237,8 +239,8 @@ configure_zone_ssutable(cfg_obj_t *zconfig, dns_zone_t *zone) {
  * Convert a config file zone type into a server zone type.
  */
 static inline dns_zonetype_t
-zonetype_fromconfig(cfg_obj_t *map) {
-	cfg_obj_t *obj = NULL;
+zonetype_fromconfig(const cfg_obj_t *map) {
+	const cfg_obj_t *obj = NULL;
 	isc_result_t result;
 
 	result = cfg_map_get(map, "type", &obj);
@@ -293,7 +295,9 @@ strtoargv(isc_mem_t *mctx, char *s, unsigned int *argcp, char ***argvp) {
 }
 
 static void
-checknames(dns_zonetype_t ztype, cfg_obj_t **maps, cfg_obj_t **objp) {
+checknames(dns_zonetype_t ztype, const cfg_obj_t **maps,
+	   const cfg_obj_t **objp)
+{
 	const char *zone = NULL;
 	isc_result_t result;
 
@@ -308,17 +312,18 @@ checknames(dns_zonetype_t ztype, cfg_obj_t **maps, cfg_obj_t **objp) {
 }
 
 isc_result_t
-ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig,
-		  ns_aclconfctx_t *ac, dns_zone_t *zone)
+ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
+		  const cfg_obj_t *zconfig, ns_aclconfctx_t *ac,
+		  dns_zone_t *zone)
 {
 	isc_result_t result;
-	char *zname;
+	const char *zname;
 	dns_rdataclass_t zclass;
 	dns_rdataclass_t vclass;
-	cfg_obj_t *maps[5];
-	cfg_obj_t *zoptions = NULL;
-	cfg_obj_t *options = NULL;
-	cfg_obj_t *obj;
+	const cfg_obj_t *maps[5];
+	const cfg_obj_t *zoptions = NULL;
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *obj;
 	const char *filename = NULL;
 	dns_notifytype_t notifytype = dns_notifytype_yes;
 	isc_sockaddr_t *addrs;
@@ -428,7 +433,7 @@ ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig,
 		else
 			dialup = dns_dialuptype_no;
 	} else {
-		char *dialupstr = cfg_obj_asstring(obj);
+		const char *dialupstr = cfg_obj_asstring(obj);
 		if (strcasecmp(dialupstr, "notify") == 0)
 			dialup = dns_dialuptype_notify;
 		else if (strcasecmp(dialupstr, "notify-passive") == 0)
@@ -462,7 +467,7 @@ ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig,
 			else
 				notifytype = dns_notifytype_no;
 		} else {
-			char *notifystr = cfg_obj_asstring(obj);
+			const char *notifystr = cfg_obj_asstring(obj);
 			if (strcasecmp(notifystr, "explicit") == 0)
 				notifytype = dns_notifytype_explicit;
 			else
@@ -612,6 +617,7 @@ ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig,
 	switch (ztype) {
 	case dns_zone_slave:
 	case dns_zone_stub:
+		count = 0;
 		obj = NULL;
 		result = cfg_map_get(zoptions, "masters", &obj);
 		if (obj != NULL) {
@@ -715,9 +721,9 @@ ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig,
 }
 
 isc_boolean_t
-ns_zone_reusable(dns_zone_t *zone, cfg_obj_t *zconfig) {
-	cfg_obj_t *zoptions = NULL;
-	cfg_obj_t *obj = NULL;
+ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
+	const cfg_obj_t *zoptions = NULL;
+	const cfg_obj_t *obj = NULL;
 	const char *cfilename;
 	const char *zfilename;
 
diff --git a/contrib/bind-9.3/bin/nsupdate/nsupdate.8 b/contrib/bind-9.3/bin/nsupdate/nsupdate.8
index 602a55b183..7e254e0e2e 100644
--- a/contrib/bind-9.3/bin/nsupdate/nsupdate.8
+++ b/contrib/bind-9.3/bin/nsupdate/nsupdate.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: nsupdate.8,v 1.24.2.2.2.8 2005/10/13 02:33:48 marka Exp $
+.\" $Id: nsupdate.8,v 1.24.2.2.2.9 2006/06/29 13:02:30 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: nsupdate
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "NSUPDATE" "8" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -30,7 +33,7 @@
 nsupdate \- Dynamic DNS update utility
 .SH "SYNOPSIS"
 .HP 9
-\fBnsupdate\fR [\fB\-d\fR] [[\fB\-y\ \fR\fB\fIkeyname:secret\fR\fR] [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-v\fR] [filename]
+\fBnsupdate\fR [\fB\-d\fR] [[\fB\-y\ \fR\fB\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-v\fR] [filename]
 .SH "DESCRIPTION"
 .PP
 \fBnsupdate\fR
@@ -79,7 +82,8 @@ reads the shared secret from the file
 must also be present. When the
 \fB\-y\fR
 option is used, a signature is generated from
-\fIkeyname:secret.\fR\fIkeyname\fR
+\fIkeyname:secret.\fR
+\fIkeyname\fR
 is the name of the key, and
 \fIsecret\fR
 is the base64 encoded shared secret. Use of the
@@ -123,7 +127,7 @@ Every update request consists of zero or more prerequisites and zero or more upd
 command) causes the accumulated commands to be sent as one Dynamic DNS update request to the name server.
 .PP
 The command formats and their meaning are as follows:
-.TP
+.TP 3n
 .HP 7 \fBserver\fR {servername} [port]
 Sends all dynamic update requests to the name server
 \fIservername\fR. When no server statement is provided,
@@ -133,7 +137,7 @@ will send updates to the master server of the correct zone. The MNAME field of t
 is the port number on
 \fIservername\fR
 where the dynamic update requests get sent. If no port number is specified, the default DNS port number of 53 is used.
-.TP
+.TP 3n
 .HP 6 \fBlocal\fR {address} [port]
 Sends all dynamic update requests using the local
 \fIaddress\fR. When no local statement is provided,
@@ -141,7 +145,7 @@ Sends all dynamic update requests using the local
 will send updates using an address and port chosen by the system.
 \fIport\fR
 can additionally be used to make requests come from a specific port. If no port number is specified, the system will assign one.
-.TP
+.TP 3n
 .HP 5 \fBzone\fR {zonename}
 Specifies that all updates are to be made to the zone
 \fIzonename\fR. If no
@@ -149,32 +153,33 @@ Specifies that all updates are to be made to the zone
 statement is provided,
 \fBnsupdate\fR
 will attempt determine the correct zone to update based on the rest of the input.
-.TP
+.TP 3n
 .HP 6 \fBclass\fR {classname}
 Specify the default class. If no
 \fIclass\fR
 is specified the default class is
 \fIIN\fR.
-.TP
+.TP 3n
 .HP 4 \fBkey\fR {name} {secret}
 Specifies that all updates are to be TSIG signed using the
-\fIkeyname\fR\fIkeysecret\fR
+\fIkeyname\fR
+\fIkeysecret\fR
 pair. The
 \fBkey\fR
 command overrides any key specified on the command line via
 \fB\-y\fR
 or
 \fB\-k\fR.
-.TP
+.TP 3n
 .HP 16 \fBprereq nxdomain\fR {domain\-name}
 Requires that no resource record of any type exists with name
 \fIdomain\-name\fR.
-.TP
+.TP 3n
 .HP 16 \fBprereq yxdomain\fR {domain\-name}
 Requires that
 \fIdomain\-name\fR
 exists (has as at least one resource record, of any type).
-.TP
+.TP 3n
 .HP 15 \fBprereq nxrrset\fR {domain\-name} [class] {type}
 Requires that no resource record exists of the specified
 \fItype\fR,
@@ -183,7 +188,7 @@ and
 \fIdomain\-name\fR. If
 \fIclass\fR
 is omitted, IN (internet) is assumed.
-.TP
+.TP 3n
 .HP 15 \fBprereq yxrrset\fR {domain\-name} [class] {type}
 This requires that a resource record of the specified
 \fItype\fR,
@@ -193,7 +198,7 @@ and
 must exist. If
 \fIclass\fR
 is omitted, IN (internet) is assumed.
-.TP
+.TP 3n
 .HP 15 \fBprereq yxrrset\fR {domain\-name} [class] {type} {data...}
 The
 \fIdata\fR
@@ -207,7 +212,7 @@ are combined to form a set of RRs. This set of RRs must exactly match the set of
 \fIdomain\-name\fR. The
 \fIdata\fR
 are written in the standard text representation of the resource record's RDATA.
-.TP
+.TP 3n
 .HP 14 \fBupdate delete\fR {domain\-name} [ttl] [class] [type\ [data...]]
 Deletes any resource records named
 \fIdomain\-name\fR. If
@@ -219,20 +224,20 @@ is provided, only matching resource records will be removed. The internet class
 is not supplied. The
 \fIttl\fR
 is ignored, and is only allowed for compatibility.
-.TP
+.TP 3n
 .HP 11 \fBupdate add\fR {domain\-name} {ttl} [class] {type} {data...}
 Adds a new resource record with the specified
 \fIttl\fR,
 \fIclass\fR
 and
 \fIdata\fR.
-.TP
+.TP 3n
 .HP 5 \fBshow\fR
 Displays the current message, containing all of the prerequisites and updates specified since the last send.
-.TP
+.TP 3n
 .HP 5 \fBsend\fR
 Sends the current message. This is equivalent to entering a blank line.
-.TP
+.TP 3n
 .HP 7 \fBanswer\fR
 Displays the answer.
 .PP
@@ -246,12 +251,14 @@ could be used to insert and delete resource records from the
 zone. Notice that the input in each example contains a trailing blank line so that a group of commands are sent as one dynamic update request to the master name server for
 \fBexample.com\fR.
 .sp
+.RS 3n
 .nf
 # nsupdate
 > update delete oldhost.example.com A
 > update add newhost.example.com 86400 A 172.16.1.1
 > send
 .fi
+.RE
 .sp
 .PP
 Any A records for
@@ -260,25 +267,27 @@ are deleted. and an A record for
 \fBnewhost.example.com\fR
 it IP address 172.16.1.1 is added. The newly\-added record has a 1 day TTL (86400 seconds)
 .sp
+.RS 3n
 .nf
 # nsupdate
 > prereq nxdomain nickname.example.com
 > update add nickname.example.com 86400 CNAME somehost.example.com
 > send
 .fi
+.RE
 .sp
 .PP
 The prerequisite condition gets the name server to check that there are no resource records of any type for
 \fBnickname.example.com\fR. If there are, the update request fails. If this name does not exist, a CNAME for it is added. This ensures that when the CNAME is added, it cannot conflict with the long\-standing rule in RFC1034 that a name must not exist as any other record type if it exists as a CNAME. (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have RRSIG, DNSKEY and NSEC records.)
 .SH "FILES"
-.TP
+.TP 3n
 \fB/etc/resolv.conf\fR
 used to identify default name server
-.TP
+.TP 3n
 \fBK{name}.+157.+{random}.key\fR
 base\-64 encoding of HMAC\-MD5 key created by
 \fBdnssec\-keygen\fR(8).
-.TP
+.TP 3n
 \fBK{name}.+157.+{random}.private\fR
 base\-64 encoding of HMAC\-MD5 key created by
 \fBdnssec\-keygen\fR(8).
@@ -296,3 +305,5 @@ base\-64 encoding of HMAC\-MD5 key created by
 .SH "BUGS"
 .PP
 The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases.
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/bin/nsupdate/nsupdate.c b/contrib/bind-9.3/bin/nsupdate/nsupdate.c
index 7c728b6db9..107d85f980 100644
--- a/contrib/bind-9.3/bin/nsupdate/nsupdate.c
+++ b/contrib/bind-9.3/bin/nsupdate/nsupdate.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsupdate.c,v 1.103.2.15.2.20 2005/03/17 03:58:26 marka Exp $ */
+/* $Id: nsupdate.c,v 1.103.2.15.2.23 2006/06/09 07:29:24 marka Exp $ */
 
 #include <config.h>
 
@@ -1343,8 +1343,10 @@ get_next_command(void) {
 	char *word;
 
 	ddebug("get_next_command()");
-	if (interactive)
+	if (interactive) {
 		fprintf(stdout, "> ");
+		fflush(stdout);
+	}
 	isc_app_block();
 	cmdline = fgets(cmdlinebuf, MAXCMD, input);
 	isc_app_unblock();
@@ -1665,7 +1667,7 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 		result = dns_request_createvia3(requestmgr, soaquery,
 						localaddr, addr, 0, NULL,
 						FIND_TIMEOUT * 20,
-						FIND_TIMEOUT * 20, 3,
+						FIND_TIMEOUT, 3,
 						global_task, recvsoa, reqinfo,
 						&request);
 		check_result(result, "dns_request_createvia");
diff --git a/contrib/bind-9.3/bin/nsupdate/nsupdate.html b/contrib/bind-9.3/bin/nsupdate/nsupdate.html
index 74ba2fbe27..4df8280ce8 100644
--- a/contrib/bind-9.3/bin/nsupdate/nsupdate.html
+++ b/contrib/bind-9.3/bin/nsupdate/nsupdate.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: nsupdate.html,v 1.9.2.3.2.12 2005/10/13 02:33:49 marka Exp $ -->
+<!-- $Id: nsupdate.html,v 1.9.2.3.2.15 2006/06/29 13:02:30 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>nsupdate</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>nsupdate &#8212; Dynamic DNS update utility</p>
@@ -32,7 +32,7 @@
 <div class="cmdsynopsis"><p><code class="command">nsupdate</code>  [<code class="option">-d</code>] [[<code class="option">-y <em class="replaceable"><code>keyname:secret</code></em></code>] |  [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525896"></a><h2>DESCRIPTION</h2>
+<a name="id2549461"></a><h2>DESCRIPTION</h2>
 <p>
 <span><strong class="command">nsupdate</strong></span>
 is used to submit Dynamic DNS Update requests as defined in RFC2136
@@ -160,7 +160,7 @@ and number of UDP retries.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526121"></a><h2>INPUT FORMAT</h2>
+<a name="id2549686"></a><h2>INPUT FORMAT</h2>
 <p>
 <span><strong class="command">nsupdate</strong></span>
 reads input from
@@ -317,7 +317,7 @@ are written in the standard text representation of the resource record's
 RDATA.
 </p></dd>
 <dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">update delete</code>  {domain-name} [ttl] [class] [type  [data...]]</p></div>
+<div class="cmdsynopsis"><p><code class="command">update delete</code>  {domain-name} [ttl] [class] [type [data...]]</p></div>
 </span></dt>
 <dd><p>
 Deletes any resource records named
@@ -370,7 +370,7 @@ Lines beginning with a semicolon are comments and are ignored.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526749"></a><h2>EXAMPLES</h2>
+<a name="id2550382"></a><h2>EXAMPLES</h2>
 <p>
 The examples below show how
 <span><strong class="command">nsupdate</strong></span>
@@ -423,7 +423,7 @@ RRSIG, DNSKEY and NSEC records.)
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526793"></a><h2>FILES</h2>
+<a name="id2550426"></a><h2>FILES</h2>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
 <dd><p>
@@ -442,7 +442,7 @@ base-64 encoding of HMAC-MD5 key created by
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525155"></a><h2>SEE ALSO</h2>
+<a name="id2549061"></a><h2>SEE ALSO</h2>
 <p>
 <span class="citerefentry"><span class="refentrytitle">RFC2136</span></span>,
 <span class="citerefentry"><span class="refentrytitle">RFC3007</span></span>,
@@ -456,7 +456,7 @@ base-64 encoding of HMAC-MD5 key created by
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525226"></a><h2>BUGS</h2>
+<a name="id2549132"></a><h2>BUGS</h2>
 <p>
 The TSIG key is redundantly stored in two separate files.
 This is a consequence of nsupdate using the DST library
diff --git a/contrib/bind-9.3/bin/rndc/rndc-confgen.8 b/contrib/bind-9.3/bin/rndc/rndc-confgen.8
index b29f0095cc..c6a421879b 100644
--- a/contrib/bind-9.3/bin/rndc/rndc-confgen.8
+++ b/contrib/bind-9.3/bin/rndc/rndc-confgen.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: rndc-confgen.8,v 1.3.2.5.2.7 2005/10/13 02:33:50 marka Exp $
+.\" $Id: rndc-confgen.8,v 1.3.2.5.2.8 2006/06/29 13:02:31 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: rndc\-confgen
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: Aug 27, 2001
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "RNDC\-CONFGEN" "8" "Aug 27, 2001" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -53,7 +56,7 @@ file and a
 \fBcontrols\fR
 statement altogether.
 .SH "OPTIONS"
-.TP
+.TP 3n
 \-a
 Do automatic
 \fBrndc\fR
@@ -97,30 +100,30 @@ option and set up a
 and
 \fInamed.conf\fR
 as directed.
-.TP
+.TP 3n
 \-b \fIkeysize\fR
 Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is 128.
-.TP
+.TP 3n
 \-c \fIkeyfile\fR
 Used with the
 \fB\-a\fR
 option to specify an alternate location for
 \fIrndc.key\fR.
-.TP
+.TP 3n
 \-h
 Prints a short summary of the options and arguments to
 \fBrndc\-confgen\fR.
-.TP
+.TP 3n
 \-k \fIkeyname\fR
 Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is
 \fBrndc\-key\fR.
-.TP
+.TP 3n
 \-p \fIport\fR
 Specifies the command channel port where
 \fBnamed\fR
 listens for connections from
 \fBrndc\fR. The default is 953.
-.TP
+.TP 3n
 \-r \fIrandomfile\fR
 Specifies a source of random data for generating the authorization. If the operating system does not provide a
 \fI/dev/random\fR
@@ -129,13 +132,13 @@ or equivalent device, the default source of randomness is keyboard input.
 specifies the name of a character device or file containing random data to be used instead of the default. The special value
 \fIkeyboard\fR
 indicates that keyboard input should be used.
-.TP
+.TP 3n
 \-s \fIaddress\fR
 Specifies the IP address where
 \fBnamed\fR
 listens for command channel connections from
 \fBrndc\fR. The default is the loopback address 127.0.0.1.
-.TP
+.TP 3n
 \-t \fIchrootdir\fR
 Used with the
 \fB\-a\fR
@@ -145,7 +148,7 @@ will run chrooted. An additional copy of the
 \fIrndc.key\fR
 will be written relative to this directory so that it will be found by the chrooted
 \fBnamed\fR.
-.TP
+.TP 3n
 \-u \fIuser\fR
 Used with the
 \fB\-a\fR
@@ -181,3 +184,5 @@ BIND 9 Administrator Reference Manual.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/bin/rndc/rndc-confgen.html b/contrib/bind-9.3/bin/rndc/rndc-confgen.html
index ca75400841..058cd56d16 100644
--- a/contrib/bind-9.3/bin/rndc/rndc-confgen.html
+++ b/contrib/bind-9.3/bin/rndc/rndc-confgen.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: rndc-confgen.html,v 1.3.2.5.2.11 2005/10/13 02:33:51 marka Exp $ -->
+<!-- $Id: rndc-confgen.html,v 1.3.2.5.2.13 2006/06/29 13:02:31 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>rndc-confgen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">rndc-confgen</span> &#8212; rndc key generation tool</p>
@@ -32,7 +32,7 @@
 <div class="cmdsynopsis"><p><code class="command">rndc-confgen</code>  [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525911"></a><h2>DESCRIPTION</h2>
+<a name="id2549476"></a><h2>DESCRIPTION</h2>
 <p>
         <span><strong class="command">rndc-confgen</strong></span> generates configuration files
 	for <span><strong class="command">rndc</strong></span>.  It can be used as a
@@ -48,7 +48,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525957"></a><h2>OPTIONS</h2>
+<a name="id2549522"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a</span></dt>
 <dd>
@@ -57,7 +57,7 @@
 	      This creates a file <code class="filename">rndc.key</code>
 	      in <code class="filename">/etc</code> (or whatever
               <code class="varname">sysconfdir</code>
-	      was specified as when <span class="acronym">BIND</span> was built)
+	      was specified as when <acronym class="acronym">BIND</acronym> was built)
               that is read by both <span><strong class="command">rndc</strong></span>
               and <span><strong class="command">named</strong></span> on startup.  The
 	      <code class="filename">rndc.key</code> file defines a default
@@ -148,7 +148,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526270"></a><h2>EXAMPLES</h2>
+<a name="id2549972"></a><h2>EXAMPLES</h2>
 <p>
         To allow <span><strong class="command">rndc</strong></span> to be used with
 	no manual configuration, run
@@ -167,7 +167,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526314"></a><h2>SEE ALSO</h2>
+<a name="id2550016"></a><h2>SEE ALSO</h2>
 <p>
       <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
@@ -176,7 +176,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526357"></a><h2>AUTHOR</h2>
+<a name="id2550058"></a><h2>AUTHOR</h2>
 <p>
         <span class="corpauthor">Internet Systems Consortium</span>
     </p>
diff --git a/contrib/bind-9.3/bin/rndc/rndc.8 b/contrib/bind-9.3/bin/rndc/rndc.8
index fba5529e40..04bd133f37 100644
--- a/contrib/bind-9.3/bin/rndc/rndc.8
+++ b/contrib/bind-9.3/bin/rndc/rndc.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: rndc.8,v 1.24.206.5 2005/10/13 02:33:49 marka Exp $
+.\" $Id: rndc.8,v 1.24.206.6 2006/06/29 13:02:30 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: rndc
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: June 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "RNDC" "8" "June 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -50,13 +53,13 @@ named the only supported authentication algorithm is HMAC\-MD5, which uses a sha
 \fBrndc\fR
 reads a configuration file to determine how to contact the name server and decide what algorithm and key it should use.
 .SH "OPTIONS"
-.TP
+.TP 3n
 \-c \fIconfig\-file\fR
 Use
 \fIconfig\-file\fR
 as the configuration file instead of the default,
 \fI/etc/rndc.conf\fR.
-.TP
+.TP 3n
 \-k \fIkey\-file\fR
 Use
 \fIkey\-file\fR
@@ -66,20 +69,20 @@ as the key file instead of the default,
 will be used to authenticate commands sent to the server if the
 \fIconfig\-file\fR
 does not exist.
-.TP
+.TP 3n
 \-s \fIserver\fR
 \fIserver\fR
 is the name or address of the server which matches a server statement in the configuration file for
 \fBrndc\fR. If no server is supplied on the command line, the host named by the default\-server clause in the option statement of the configuration file will be used.
-.TP
+.TP 3n
 \-p \fIport\fR
 Send commands to TCP port
 \fIport\fR
 instead of BIND 9's default control channel port, 953.
-.TP
+.TP 3n
 \-V
 Enable verbose logging.
-.TP
+.TP 3n
 \-y \fIkeyid\fR
 Use the key
 \fIkeyid\fR
@@ -111,8 +114,11 @@ Several error messages could be clearer.
 .PP
 \fBrndc.conf\fR(5),
 \fBnamed\fR(8),
-\fBnamed.conf\fR(5)\fBndc\fR(8),
+\fBnamed.conf\fR(5)
+\fBndc\fR(8),
 BIND 9 Administrator Reference Manual.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/bin/rndc/rndc.c b/contrib/bind-9.3/bin/rndc/rndc.c
index 63e8f23b9f..a5e912ddfd 100644
--- a/contrib/bind-9.3/bin/rndc/rndc.c
+++ b/contrib/bind-9.3/bin/rndc/rndc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rndc.c,v 1.77.2.5.2.15 2005/03/17 03:58:27 marka Exp $ */
+/* $Id: rndc.c,v 1.77.2.5.2.19 2006/08/04 03:03:08 marka Exp $ */
 
 /*
  * Principal Author: DCL
@@ -154,6 +154,11 @@ rndc_senddone(isc_task_t *task, isc_event_t *event) {
 	if (sevent->result != ISC_R_SUCCESS)
 		fatal("send failed: %s", isc_result_totext(sevent->result));
 	isc_event_free(&event);
+	if (sends == 0 && recvs == 0) {
+		isc_socket_detach(&sock);
+		isc_task_shutdown(task);
+		RUNTIME_CHECK(isc_app_shutdown() == ISC_R_SUCCESS);
+	}
 }
 
 static void
@@ -204,9 +209,11 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) {
 
 	isc_event_free(&event);
 	isccc_sexpr_free(&response);
-	isc_socket_detach(&sock);
-	isc_task_shutdown(task);
-	RUNTIME_CHECK(isc_app_shutdown() == ISC_R_SUCCESS);
+	if (sends == 0 && recvs == 0) {
+		isc_socket_detach(&sock);
+		isc_task_shutdown(task);
+		RUNTIME_CHECK(isc_app_shutdown() == ISC_R_SUCCESS);
+	}
 }
 
 static void
@@ -288,6 +295,7 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
 
 static void
 rndc_connected(isc_task_t *task, isc_event_t *event) {
+	char socktext[ISC_SOCKADDR_FORMATSIZE];
 	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
 	isccc_sexpr_t *request = NULL;
 	isccc_sexpr_t *data;
@@ -301,17 +309,19 @@ rndc_connected(isc_task_t *task, isc_event_t *event) {
 	connects--;
 
 	if (sevent->result != ISC_R_SUCCESS) {
+		isc_sockaddr_format(&serveraddrs[currentaddr], socktext,
+				    sizeof(socktext));
 		if (sevent->result != ISC_R_CANCELED &&
-		    currentaddr < nserveraddrs)
+		    ++currentaddr < nserveraddrs)
 		{
-			notify("connection failed: %s",
+			notify("connection failed: %s: %s", socktext,
 			       isc_result_totext(sevent->result));
 			isc_socket_detach(&sock);
 			isc_event_free(&event);
-			rndc_startconnect(&serveraddrs[currentaddr++], task);
+			rndc_startconnect(&serveraddrs[currentaddr], task);
 			return;
 		} else
-			fatal("connect failed: %s",
+			fatal("connect failed: %s: %s", socktext,
 			      isc_result_totext(sevent->result));
 	}
 
@@ -369,7 +379,7 @@ rndc_start(isc_task_t *task, isc_event_t *event) {
 	get_addresses(servername, (in_port_t) remoteport);
 
 	currentaddr = 0;
-	rndc_startconnect(&serveraddrs[currentaddr++], task);
+	rndc_startconnect(&serveraddrs[currentaddr], task);
 }
 
 static void
@@ -378,17 +388,17 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
 {
 	isc_result_t result;
 	const char *conffile = admin_conffile;
-	cfg_obj_t *defkey = NULL;
-	cfg_obj_t *options = NULL;
-	cfg_obj_t *servers = NULL;
-	cfg_obj_t *server = NULL;
-	cfg_obj_t *keys = NULL;
-	cfg_obj_t *key = NULL;
-	cfg_obj_t *defport = NULL;
-	cfg_obj_t *secretobj = NULL;
-	cfg_obj_t *algorithmobj = NULL;
+	const cfg_obj_t *defkey = NULL;
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *servers = NULL;
+	const cfg_obj_t *server = NULL;
+	const cfg_obj_t *keys = NULL;
+	const cfg_obj_t *key = NULL;
+	const cfg_obj_t *defport = NULL;
+	const cfg_obj_t *secretobj = NULL;
+	const cfg_obj_t *algorithmobj = NULL;
 	cfg_obj_t *config = NULL;
-	cfg_listelt_t *elt;
+	const cfg_listelt_t *elt;
 	const char *secretstr;
 	const char *algorithm;
 	static char secretarray[1024];
@@ -420,7 +430,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
 	if (key_only && servername == NULL)
 		servername = "127.0.0.1";
 	else if (servername == NULL && options != NULL) {
-		cfg_obj_t *defserverobj = NULL;
+		const cfg_obj_t *defserverobj = NULL;
 		(void)cfg_map_get(options, "default-server", &defserverobj);
 		if (defserverobj != NULL)
 			servername = cfg_obj_asstring(defserverobj);
diff --git a/contrib/bind-9.3/bin/rndc/rndc.conf.5 b/contrib/bind-9.3/bin/rndc/rndc.conf.5
index 1c21e363d6..3a06a44cd0 100644
--- a/contrib/bind-9.3/bin/rndc/rndc.conf.5
+++ b/contrib/bind-9.3/bin/rndc/rndc.conf.5
@@ -13,15 +13,18 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: rndc.conf.5,v 1.21.206.5 2005/10/13 02:33:50 marka Exp $
+.\" $Id: rndc.conf.5,v 1.21.206.6 2006/06/29 13:02:31 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "\\FIRNDC.CONF\\FR" "5" "June 30, 2000" "BIND9" "BIND9"
+.\"     Title: \fIrndc.conf\fR
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: June 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "\fIRNDC.CONF\fR" "5" "June 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -98,6 +101,7 @@ program, also known as
 does not ship with BIND 9 but is available on many systems. See the EXAMPLE section for sample command lines for each.
 .SH "EXAMPLE"
 .sp
+.RS 3n
 .nf
     options {
         default\-server  localhost;
@@ -111,6 +115,7 @@ does not ship with BIND 9 but is available on many systems. See the EXAMPLE sect
         secret          "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
       };
 .fi
+.RE
 .PP
 In the above example,
 \fBrndc\fR
@@ -152,3 +157,5 @@ BIND 9 Administrator Reference Manual.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/bin/rndc/rndc.conf.html b/contrib/bind-9.3/bin/rndc/rndc.conf.html
index 05db0eca64..fefe616d8d 100644
--- a/contrib/bind-9.3/bin/rndc/rndc.conf.html
+++ b/contrib/bind-9.3/bin/rndc/rndc.conf.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: rndc.conf.html,v 1.5.2.1.4.10 2005/10/13 02:33:51 marka Exp $ -->
+<!-- $Id: rndc.conf.html,v 1.5.2.1.4.13 2006/06/29 13:02:31 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>rndc.conf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><code class="filename">rndc.conf</code> &#8212; rndc configuration file</p>
@@ -32,7 +32,7 @@
 <div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525833"></a><h2>DESCRIPTION</h2>
+<a name="id2549398"></a><h2>DESCRIPTION</h2>
 <p>
         <code class="filename">rndc.conf</code> is the configuration file
 	for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
@@ -105,7 +105,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525968"></a><h2>EXAMPLE</h2>
+<a name="id2549601"></a><h2>EXAMPLE</h2>
 <pre class="programlisting">
     options {
         default-server  localhost;
@@ -151,7 +151,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526028"></a><h2>NAME SERVER CONFIGURATION</h2>
+<a name="id2549730"></a><h2>NAME SERVER CONFIGURATION</h2>
 <p>
         The name server must be configured to accept rndc connections and
 	to recognize the key specified in the <code class="filename">rndc.conf</code>
@@ -161,7 +161,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526049"></a><h2>SEE ALSO</h2>
+<a name="id2549750"></a><h2>SEE ALSO</h2>
 <p>
       <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
@@ -170,7 +170,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526091"></a><h2>AUTHOR</h2>
+<a name="id2549793"></a><h2>AUTHOR</h2>
 <p>
         <span class="corpauthor">Internet Systems Consortium</span>
     </p>
diff --git a/contrib/bind-9.3/bin/rndc/rndc.html b/contrib/bind-9.3/bin/rndc/rndc.html
index d23f4682c0..4dfd318814 100644
--- a/contrib/bind-9.3/bin/rndc/rndc.html
+++ b/contrib/bind-9.3/bin/rndc/rndc.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: rndc.html,v 1.7.2.1.4.10 2005/10/13 02:33:50 marka Exp $ -->
+<!-- $Id: rndc.html,v 1.7.2.1.4.12 2006/06/29 13:02:31 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>rndc</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">rndc</span> &#8212; name server control utility</p>
@@ -32,7 +32,7 @@
 <div class="cmdsynopsis"><p><code class="command">rndc</code>  [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525886"></a><h2>DESCRIPTION</h2>
+<a name="id2549451"></a><h2>DESCRIPTION</h2>
 <p>
         <span><strong class="command">rndc</strong></span> controls the operation of a name
 	server.  It supersedes the <span><strong class="command">ndc</strong></span> utility
@@ -61,7 +61,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525927"></a><h2>OPTIONS</h2>
+<a name="id2549492"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
 <dd><p>
@@ -123,7 +123,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526109"></a><h2>LIMITATIONS</h2>
+<a name="id2549811"></a><h2>LIMITATIONS</h2>
 <p>
         <span><strong class="command">rndc</strong></span> does not yet support all the commands of
 	the BIND 8 <span><strong class="command">ndc</strong></span> utility.
@@ -137,7 +137,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526138"></a><h2>SEE ALSO</h2>
+<a name="id2549840"></a><h2>SEE ALSO</h2>
 <p>
       <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -147,7 +147,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526190"></a><h2>AUTHOR</h2>
+<a name="id2549892"></a><h2>AUTHOR</h2>
 <p>
         <span class="corpauthor">Internet Systems Consortium</span>
     </p>
diff --git a/contrib/bind-9.3/lib/bind/api b/contrib/bind-9.3/lib/bind/api
index dcc846ea52..8632b1256a 100644
--- a/contrib/bind-9.3/lib/bind/api
+++ b/contrib/bind-9.3/lib/bind/api
@@ -1,3 +1,3 @@
 LIBINTERFACE = 4
-LIBREVISION = 2
+LIBREVISION = 7
 LIBAGE = 0
diff --git a/contrib/bind-9.3/lib/bind/config.h.in b/contrib/bind-9.3/lib/bind/config.h.in
index 82a1560d1f..c4d88d347e 100644
--- a/contrib/bind-9.3/lib/bind/config.h.in
+++ b/contrib/bind-9.3/lib/bind/config.h.in
@@ -4,6 +4,7 @@
 #undef HAVE_INTTYPES_H
 #undef HAVE_STROPTS_H
 #undef HAVE_SYS_TIMERS_H
+#undef HAVE_SYS_SELECT_H
 #undef SYS_CDEFS_H
 #undef _POSIX_PTHREAD_SEMANTICS
 #undef POSIX_GETPWUID_R
diff --git a/contrib/bind-9.3/lib/bind/dst/dst_api.c b/contrib/bind-9.3/lib/bind/dst/dst_api.c
index 51dfd0b891..417c31f8cf 100644
--- a/contrib/bind-9.3/lib/bind/dst/dst_api.c
+++ b/contrib/bind-9.3/lib/bind/dst/dst_api.c
@@ -1,5 +1,5 @@
 #ifndef LINT
-static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/dst_api.c,v 1.4.2.6.8.3 2005/10/11 00:48:14 marka Exp $";
+static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/dst_api.c,v 1.4.2.6.8.4 2006/03/10 00:17:21 marka Exp $";
 #endif
 
 /*
@@ -170,6 +170,10 @@ dst_s_get_key_struct(const char *name, const int alg, const int flags,
 
 	memset(new_key, 0, sizeof(*new_key));
 	new_key->dk_key_name = strdup(name);
+	if (new_key->dk_key_name == NULL) {
+		free(new_key);
+		return (NULL);
+	}
 	new_key->dk_alg = alg;
 	new_key->dk_flags = flags;
 	new_key->dk_proto = protocol;
@@ -655,11 +659,13 @@ dst_dnskey_to_key(const char *in_name, const u_char *rdata, const int len)
 			 alg));
 		return (NULL);
 	}
-	if ((key_st = dst_s_get_key_struct(in_name, alg, 0, 0, 0)) == NULL)
-		return (NULL);
 
 	if (in_name == NULL)
 		return (NULL);
+
+	if ((key_st = dst_s_get_key_struct(in_name, alg, 0, 0, 0)) == NULL)
+		return (NULL);
+
 	key_st->dk_id = dst_s_dns_key_id(rdata, len);
 	key_st->dk_flags = dst_s_get_int16(rdata);
 	key_st->dk_proto = (u_int16_t) rdata[DST_KEY_PROT];
@@ -772,13 +778,11 @@ dst_buffer_to_key(const char *key_name,		/* name of the key */
 		return (NULL);
 	}
 
-	dkey = dst_s_get_key_struct(key_name, alg, flags, 
-					     protocol, -1);
+	dkey = dst_s_get_key_struct(key_name, alg, flags, protocol, -1);
 
-	if (dkey == NULL)
-		return (NULL);
-	if (dkey->dk_func == NULL || dkey->dk_func->from_dns_key == NULL)
-		return NULL;
+	if (dkey == NULL || dkey->dk_func == NULL ||
+	    dkey->dk_func->from_dns_key == NULL) 
+		return (dst_free_key(dkey));
 
 	if (dkey->dk_func->from_dns_key(dkey, key_buf, key_len) < 0) {
 		EREPORT(("dst_buffer_to_key(): dst_buffer_to_hmac failed\n"));
@@ -1013,7 +1017,6 @@ dst_free_key(DST_KEY *f_key)
 	else {
 		EREPORT(("dst_free_key(): Unknown key alg %d\n",
 			 f_key->dk_alg));
-		free(f_key->dk_KEY_struct);	/* SHOULD NOT happen */
 	}
 	if (f_key->dk_KEY_struct) {
 		free(f_key->dk_KEY_struct);
diff --git a/contrib/bind-9.3/lib/bind/dst/hmac_link.c b/contrib/bind-9.3/lib/bind/dst/hmac_link.c
index aa66c80ec0..028f02e96a 100644
--- a/contrib/bind-9.3/lib/bind/dst/hmac_link.c
+++ b/contrib/bind-9.3/lib/bind/dst/hmac_link.c
@@ -1,6 +1,6 @@
 #ifdef HMAC_MD5
 #ifndef LINT
-static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/hmac_link.c,v 1.2.2.1.4.1 2005/07/28 07:43:16 marka Exp $";
+static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/hmac_link.c,v 1.2.2.1.4.2 2006/03/10 00:17:21 marka Exp $";
 #endif
 /*
  * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
@@ -93,6 +93,9 @@ dst_hmac_md5_sign(const int mode, DST_KEY *d_key, void **context,
 	int sign_len = 0;
 	MD5_CTX *ctx = NULL;
 
+	if (d_key == NULL || d_key->dk_KEY_struct == NULL)
+		return (-1);
+
 	if (mode & SIG_MODE_INIT) 
 		ctx = (MD5_CTX *) malloc(sizeof(*ctx));
 	else if (context)
@@ -100,8 +103,6 @@ dst_hmac_md5_sign(const int mode, DST_KEY *d_key, void **context,
 	if (ctx == NULL) 
 		return (-1);
 
-	if (d_key == NULL || d_key->dk_KEY_struct == NULL)
-		return (-1);
 	key = (HMAC_Key *) d_key->dk_KEY_struct;
 
 	if (mode & SIG_MODE_INIT) {
@@ -160,6 +161,9 @@ dst_hmac_md5_verify(const int mode, DST_KEY *d_key, void **context,
 	HMAC_Key *key;
 	MD5_CTX *ctx = NULL;
 
+	if (d_key == NULL || d_key->dk_KEY_struct == NULL)
+		return (-1);
+
 	if (mode & SIG_MODE_INIT) 
 		ctx = (MD5_CTX *) malloc(sizeof(*ctx));
 	else if (context)
@@ -167,9 +171,6 @@ dst_hmac_md5_verify(const int mode, DST_KEY *d_key, void **context,
 	if (ctx == NULL) 
 		return (-1);
 
-	if (d_key == NULL || d_key->dk_KEY_struct == NULL)
-		return (-1);
-
 	key = (HMAC_Key *) d_key->dk_KEY_struct;
 	if (mode & SIG_MODE_INIT) {
 		MD5Init(ctx);
@@ -272,7 +273,7 @@ dst_buffer_to_hmac_md5(DST_KEY *dkey, const u_char *key, const int keylen)
 
 static int
 dst_hmac_md5_key_to_file_format(const DST_KEY *dkey, char *buff,
-			    const int buff_len)
+			        const int buff_len)
 {
 	char *bp;
 	int len, b_len, i, key_len;
@@ -289,7 +290,7 @@ dst_hmac_md5_key_to_file_format(const DST_KEY *dkey, char *buff,
 	/* write file header */
 	sprintf(buff, key_file_fmt_str, KEY_FILE_FORMAT, KEY_HMAC_MD5, "HMAC");
 
-	bp = (char *) strchr(buff, '\0');
+	bp = buff + strlen(buff);
 	b_len = buff_len - (bp - buff);
 
 	memset(key, 0, HMAC_LEN);
@@ -334,9 +335,9 @@ dst_hmac_md5_key_from_file_format(DST_KEY *dkey, const char *buff,
 {
 	const char *p = buff, *eol;
 	u_char key[HMAC_LEN+1];	/* b64_pton needs more than 64 bytes do decode
-							 * it should probably be fixed rather than doing
-							 * this
-							 */
+				 * it should probably be fixed rather than doing
+				 * this
+				 */
 	u_char *tmp;
 	int key_len, len;
 
@@ -355,6 +356,8 @@ dst_hmac_md5_key_from_file_format(DST_KEY *dkey, const char *buff,
 		return (-4);
 	len = eol - p;
 	tmp = malloc(len + 2);
+	if (tmp == NULL)
+		return (-5);
 	memcpy(tmp, p, len);
 	*(tmp + len) = 0x0;
 	key_len = b64_pton((char *)tmp, key, HMAC_LEN+1);	/* see above */
diff --git a/contrib/bind-9.3/lib/bind/include/arpa/nameser_compat.h b/contrib/bind-9.3/lib/bind/include/arpa/nameser_compat.h
index 464f12e13a..4460261b7b 100644
--- a/contrib/bind-9.3/lib/bind/include/arpa/nameser_compat.h
+++ b/contrib/bind-9.3/lib/bind/include/arpa/nameser_compat.h
@@ -32,7 +32,7 @@
 
 /*
  *      from nameser.h	8.1 (Berkeley) 6/2/93
- *	$Id: nameser_compat.h,v 1.1.2.3.4.2 2004/07/01 04:43:41 marka Exp $
+ *	$Id: nameser_compat.h,v 1.1.2.3.4.3 2006/05/19 02:38:15 marka Exp $
  */
 
 #ifndef _ARPA_NAMESER_COMPAT_
@@ -52,8 +52,9 @@
 #define	PDP_ENDIAN	3412	/* LSB first in word, MSW first in long (pdp)*/
 
 #if defined(vax) || defined(ns32000) || defined(sun386) || defined(i386) || \
-    defined(MIPSEL) || defined(_MIPSEL) || defined(BIT_ZERO_ON_RIGHT) || \
-    defined(__alpha__) || defined(__alpha) || \
+    defined(__i386__) || defined(__i386) || defined(__amd64__) || \
+    defined(__x86_64__) || defined(MIPSEL) || defined(_MIPSEL) || \
+    defined(BIT_ZERO_ON_RIGHT) || defined(__alpha__) || defined(__alpha) || \
     (defined(__Lynx__) && defined(__x86__))
 #define BYTE_ORDER	LITTLE_ENDIAN
 #endif
diff --git a/contrib/bind-9.3/lib/bind/include/isc/list.h b/contrib/bind-9.3/lib/bind/include/isc/list.h
index ad574ac2b5..4e27eb19ba 100644
--- a/contrib/bind-9.3/lib/bind/include/isc/list.h
+++ b/contrib/bind-9.3/lib/bind/include/isc/list.h
@@ -66,12 +66,16 @@
 		INSIST(LINKED(elt, link));\
 		if ((elt)->link.next != NULL) \
 			(elt)->link.next->link.prev = (elt)->link.prev; \
-		else \
+		else { \
+			INSIST((list).tail == (elt)); \
 			(list).tail = (elt)->link.prev; \
+		} \
 		if ((elt)->link.prev != NULL) \
 			(elt)->link.prev->link.next = (elt)->link.next; \
-		else \
+		else { \
+			INSIST((list).head == (elt)); \
 			(list).head = (elt)->link.next; \
+		} \
 		INIT_LINK_TYPE(elt, link, type); \
 	} while (0)
 #define UNLINK(list, elt, link) \
diff --git a/contrib/bind-9.3/lib/bind/include/netdb.h b/contrib/bind-9.3/lib/bind/include/netdb.h
index 48a382941c..11ee8a548b 100644
--- a/contrib/bind-9.3/lib/bind/include/netdb.h
+++ b/contrib/bind-9.3/lib/bind/include/netdb.h
@@ -86,7 +86,7 @@
 
 /*
  *      @(#)netdb.h	8.1 (Berkeley) 6/2/93
- *	$Id: netdb.h,v 1.12.2.1.4.5 2004/11/30 01:15:42 marka Exp $
+ *	$Id: netdb.h,v 1.12.2.1.4.9 2006/10/02 01:20:30 marka Exp $
  */
 
 #ifndef _NETDB_H_
@@ -175,7 +175,7 @@ struct	addrinfo {
 	int		ai_socktype;	/* SOCK_xxx */
 	int		ai_protocol;	/* 0 or IPPROTO_xxx for IPv4 and IPv6 */
 #if defined(sun) && defined(_SOCKLEN_T)
-#ifdef __sparc9
+#ifdef __sparcv9
 	int		_ai_pad;
 #endif
 	socklen_t	ai_addrlen;
@@ -291,7 +291,7 @@ struct hostent_data {
 
 struct  netent_data {
 	FILE	*net_fp;
-#ifdef __osf__
+#if defined(__osf__) || defined(_AIX)
 	char	line[_MAXLINELEN];
 #endif
 #ifdef __hpux
@@ -308,10 +308,21 @@ struct  netent_data {
 	char	*current;
 	int	currentlen;
 #endif
+#ifdef _AIX
+        int     _net_stayopen;
+        char    *current;
+        int     currentlen;
+        void    *_net_reserv1;          /* reserved for future use */
+        void    *_net_reserv2;          /* reserved for future use */
+#endif
 };
 
 struct	protoent_data {
 	FILE	*proto_fp;
+#ifdef _AIX
+	int     _proto_stayopen;
+	char	line[_MAXLINELEN];
+#endif
 #ifdef __osf__
 	char	line[1024];
 #endif
@@ -329,11 +340,17 @@ struct	protoent_data {
 	char	*current;
 	int	currentlen;
 #endif
+#ifdef _AIX
+        int     currentlen;
+        char    *current;
+        void    *_proto_reserv1;        /* reserved for future use */
+        void    *_proto_reserv2;        /* reserved for future use */
+#endif
 };
 
 struct	servent_data {
 	FILE	*serv_fp;
-#ifdef __osf__
+#if defined(__osf__) || defined(_AIX)
 	char	line[_MAXLINELEN];
 #endif
 #ifdef __hpux
@@ -350,6 +367,13 @@ struct	servent_data {
 	char	*current;
 	int	currentlen;
 #endif
+#ifdef _AIX
+	int     _serv_stayopen;
+	char     *current;
+	int     currentlen;
+	void    *_serv_reserv1;         /* reserved for future use */
+	void    *_serv_reserv2;         /* reserved for future use */
+#endif
 };
 #endif
 #endif
@@ -457,9 +481,19 @@ int		endservent_r __P((struct servent_data *));
 #else
 void		endservent_r __P((struct servent_data *));
 #endif
+#ifdef _AIX
+int		setnetgrent_r __P((const char *, void **));
+void		endnetgrent_r __P((void **));
+/*
+ * Note: AIX's netdb.h declares innetgr_r() as: 
+ *	int innetgr_r(char *, char *, char *, char *, struct innetgr_data *);
+ */
+int		innetgr_r __P((const char *, const char *, const char *,
+			       const char *));
+#endif
 #else
  /* defined(sun) || defined(bsdi) */
-#ifdef __GLIBC__
+#if defined(__GLIBC__) || defined(__FreeBSD__) && (__FreeBSD_version + 0 >= 601103)
 int gethostbyaddr_r __P((const char *, int, int, struct hostent *,
 		         char *, size_t, struct hostent **, int *));
 int gethostbyname_r __P((const char *, struct hostent *,
@@ -476,7 +510,7 @@ struct hostent	*gethostent_r __P((struct hostent *, char *, int, int *));
 void		sethostent_r __P((int));
 void		endhostent_r __P((void));
 
-#ifdef __GLIBC__
+#if defined(__GLIBC__) || defined(__FreeBSD__) && (__FreeBSD_version + 0 >= 601103)
 int getnetbyname_r __P((const char *, struct netent *,
 			char *, size_t, struct netent **, int*));
 int getnetbyaddr_r __P((unsigned long int, int, struct netent *,
@@ -492,7 +526,7 @@ struct netent	*getnetent_r __P((struct netent *, char *, int));
 void		setnetent_r __P((int));
 void		endnetent_r __P((void));
 
-#ifdef __GLIBC__
+#if defined(__GLIBC__) || defined(__FreeBSD__) && (__FreeBSD_version + 0 >= 601103)
 int getprotobyname_r __P((const char *, struct protoent *, char *,
 			  size_t, struct protoent **));
 int getprotobynumber_r __P((int, struct protoent *, char *, size_t,
@@ -508,7 +542,7 @@ struct protoent	*getprotoent_r __P((struct protoent *, char *, int));
 void		setprotoent_r __P((int));
 void		endprotoent_r __P((void));
 
-#ifdef __GLIBC__
+#if defined(__GLIBC__) || defined(__FreeBSD__) && (__FreeBSD_version + 0 >= 601103)
 int getservbyname_r __P((const char *name, const char *,
 			 struct servent *, char *, size_t, struct servent **));
 int getservbyport_r __P((int port, const char *,
@@ -527,9 +561,6 @@ void		endservent_r __P((void));
 #ifdef __GLIBC__
 int		getnetgrent_r __P((char **, char **, char **, char *, size_t));
 #endif
-#ifdef _AIX
-int		setnetgrent_r __P((char *, void **));
-#endif
 
 #endif
 #endif
diff --git a/contrib/bind-9.3/lib/bind/inet/inet_cidr_ntop.c b/contrib/bind-9.3/lib/bind/inet/inet_cidr_ntop.c
index 192cf1e752..b25dc8256f 100644
--- a/contrib/bind-9.3/lib/bind/inet/inet_cidr_ntop.c
+++ b/contrib/bind-9.3/lib/bind/inet/inet_cidr_ntop.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_cidr_ntop.c,v 1.1.2.1.8.3 2005/11/03 23:08:40 marka Exp $";
+static const char rcsid[] = "$Id: inet_cidr_ntop.c,v 1.1.2.1.8.4 2006/10/11 02:32:50 marka Exp $";
 #endif
 
 #include "port_before.h"
@@ -40,10 +40,10 @@ static const char rcsid[] = "$Id: inet_cidr_ntop.c,v 1.1.2.1.8.3 2005/11/03 23:0
 # define SPRINTF(x) ((size_t)sprintf x)
 #endif
 
-static char *	inet_cidr_ntop_ipv4 __P((const u_char *src, int bits,
-					 char *dst, size_t size));
-static char *	inet_cidr_ntop_ipv6 __P((const u_char *src, int bits,
-					 char *dst, size_t size));
+static char *
+inet_cidr_ntop_ipv4(const u_char *src, int bits, char *dst, size_t size);
+static char *
+inet_cidr_ntop_ipv6(const u_char *src, int bits, char *dst, size_t size);
 
 /*
  * char *
diff --git a/contrib/bind-9.3/lib/bind/inet/inet_net_ntop.c b/contrib/bind-9.3/lib/bind/inet/inet_net_ntop.c
index f508629d61..47af6284ed 100644
--- a/contrib/bind-9.3/lib/bind/inet/inet_net_ntop.c
+++ b/contrib/bind-9.3/lib/bind/inet/inet_net_ntop.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_net_ntop.c,v 1.1.2.1.8.1 2004/03/09 08:33:32 marka Exp $";
+static const char rcsid[] = "$Id: inet_net_ntop.c,v 1.1.2.1.8.2 2006/06/20 02:53:07 marka Exp $";
 #endif
 
 #include "port_before.h"
@@ -264,7 +264,7 @@ inet_net_ntop_ipv6(const u_char *src, int bits, char *dst, size_t size) {
 		}
 	}
 	/* Format CIDR /width. */
-	SPRINTF((cp, "/%u", bits));
+	sprintf(cp, "/%u", bits);
 	if (strlen(outbuf) + 1 > size)
 		goto emsgsize;
 	strcpy(dst, outbuf);
diff --git a/contrib/bind-9.3/lib/bind/irs/dns.c b/contrib/bind-9.3/lib/bind/irs/dns.c
index ab83b3e4a4..27529b5650 100644
--- a/contrib/bind-9.3/lib/bind/irs/dns.c
+++ b/contrib/bind-9.3/lib/bind/irs/dns.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns.c,v 1.1.206.2 2004/03/17 00:29:47 marka Exp $";
+static const char rcsid[] = "$Id: dns.c,v 1.1.206.3 2006/03/10 00:17:21 marka Exp $";
 #endif
 
 /*
@@ -114,7 +114,7 @@ dns_res_get(struct irs_acc *this) {
 		res = (struct __res_state *)malloc(sizeof *res);
 		if (res == NULL)
 			return (NULL);
-		memset(dns->res, 0, sizeof *dns->res);
+		memset(res, 0, sizeof *res);
 		dns_res_set(this, res, free);
 	}
 
diff --git a/contrib/bind-9.3/lib/bind/irs/dns_ho.c b/contrib/bind-9.3/lib/bind/irs/dns_ho.c
index e8da61a0c1..192be042e0 100644
--- a/contrib/bind-9.3/lib/bind/irs/dns_ho.c
+++ b/contrib/bind-9.3/lib/bind/irs/dns_ho.c
@@ -52,7 +52,7 @@
 /* BIND Id: gethnamaddr.c,v 8.15 1996/05/22 04:56:30 vixie Exp $ */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_ho.c,v 1.5.2.7.4.6 2005/10/11 00:48:14 marka Exp $";
+static const char rcsid[] = "$Id: dns_ho.c,v 1.5.2.7.4.8 2006/03/10 00:17:21 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports. */
@@ -218,8 +218,7 @@ ho_close(struct irs_ho *this) {
 	ho_minimize(this);
 	if (pvt->res && pvt->free_res)
 		(*pvt->free_res)(pvt->res);
-	if (pvt)
-		memput(pvt, sizeof *pvt);
+	memput(pvt, sizeof *pvt);
 	memput(this, sizeof *this);
 }
 
@@ -260,7 +259,7 @@ ho_byname2(struct irs_ho *this, const char *name, int af)
 		errno = ENOMEM;
 		goto cleanup;
 	}
-	memset(q, 0, sizeof(q));
+	memset(q, 0, sizeof(*q));
 
 	switch (af) {
 	case AF_INET:
@@ -352,8 +351,8 @@ ho_byaddr(struct irs_ho *this, const void *addr, int len, int af)
 		errno = ENOMEM;
 		goto cleanup;
 	}
-	memset(q, 0, sizeof(q));
-	memset(q2, 0, sizeof(q2));
+	memset(q, 0, sizeof(*q));
+	memset(q2, 0, sizeof(*q2));
 
 	if (af == AF_INET6 && len == IN6ADDRSZ &&
 	    (!memcmp(uaddr, mapped, sizeof mapped) ||
@@ -578,8 +577,8 @@ ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
 		errno = ENOMEM;
 		goto cleanup;
 	}
-	memset(q, 0, sizeof(q2));
-	memset(q2, 0, sizeof(q2));
+	memset(q, 0, sizeof(*q2));
+	memset(q2, 0, sizeof(*q2));
 
 	switch (pai->ai_family) {
 	case AF_UNSPEC:
@@ -649,10 +648,9 @@ ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
 		if (ai) {
 			querystate = RESQRY_SUCCESS;
 			cur->ai_next = ai;
-			while (cur && cur->ai_next)
+			while (cur->ai_next)
 				cur = cur->ai_next;
-		}
-		else
+		} else
 			querystate = RESQRY_FAIL;
 	}
 
@@ -948,7 +946,7 @@ gethostans(struct irs_ho *this,
 				continue;
 			}
 			if (ret_aip) { /* need addrinfo. keep it. */
-				while (cur && cur->ai_next)
+				while (cur->ai_next)
 					cur = cur->ai_next;
 			} else if (cur->ai_next) { /* need hostent */
 				struct addrinfo *aip = cur->ai_next;
diff --git a/contrib/bind-9.3/lib/bind/irs/gai_strerror.c b/contrib/bind-9.3/lib/bind/irs/gai_strerror.c
index 6aeaaa1910..0492f8f49a 100644
--- a/contrib/bind-9.3/lib/bind/irs/gai_strerror.c
+++ b/contrib/bind-9.3/lib/bind/irs/gai_strerror.c
@@ -66,18 +66,26 @@ gai_strerror(int ecode) {
 
 #ifdef DO_PTHREADS
         if (!once) {
-                pthread_mutex_lock(&lock);
-                if (!once++)
-                        pthread_key_create(&key, free);
-                pthread_mutex_unlock(&lock);
+                if (pthread_mutex_lock(&lock) != 0)
+			goto unknown;
+                if (!once) {
+                        if (pthread_key_create(&key, free) != 0)
+				goto unknown;
+			once = 1;
+		}
+                if (pthread_mutex_unlock(&lock) != 0)
+			goto unknown;
         }
 
 	buf = pthread_getspecific(key);
         if (buf == NULL) {
 		buf = malloc(EAI_BUFSIZE);
                 if (buf == NULL)
-                        return ("unknown error");
-                pthread_setspecific(key, buf);
+                        goto unknown;
+                if (pthread_setspecific(key, buf) != 0) {
+			free(buf);
+			goto unknown;
+		}
         }
 #endif
 	/* 
@@ -86,4 +94,9 @@ gai_strerror(int ecode) {
 	 */
 	sprintf(buf, "%s: %d", gai_errlist[gai_nerr - 1], ecode);
 	return (buf);
+
+#ifdef DO_PTHREADS
+ unknown:
+	return ("unknown error");
+#endif
 }
diff --git a/contrib/bind-9.3/lib/bind/irs/gen_ho.c b/contrib/bind-9.3/lib/bind/irs/gen_ho.c
index e9e2c89097..f17aa2238f 100644
--- a/contrib/bind-9.3/lib/bind/irs/gen_ho.c
+++ b/contrib/bind-9.3/lib/bind/irs/gen_ho.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: gen_ho.c,v 1.1.206.2 2004/03/17 01:49:39 marka Exp $";
+static const char rcsid[] = "$Id: gen_ho.c,v 1.1.206.3 2006/03/10 00:17:21 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports */
@@ -371,8 +371,6 @@ ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
 	}
 	if (softerror != 0 && pvt->res->res_h_errno == HOST_NOT_FOUND)
 		RES_SET_H_ERRNO(pvt->res, therrno);
-	if (rval)
-		freeaddrinfo(rval);
 	return (NULL);
 }
 
diff --git a/contrib/bind-9.3/lib/bind/irs/getaddrinfo.c b/contrib/bind-9.3/lib/bind/irs/getaddrinfo.c
index 4f741a8e7d..c8d1ab3b79 100644
--- a/contrib/bind-9.3/lib/bind/irs/getaddrinfo.c
+++ b/contrib/bind-9.3/lib/bind/irs/getaddrinfo.c
@@ -245,7 +245,7 @@ do { \
 } while (/*CONSTCOND*/0)
 
 #ifndef SOLARIS2
-#define ERR(err) \
+#define SETERROR(err) \
 do { \
 	/* external reference: error, and label bad */ \
 	error = (err); \
@@ -253,7 +253,7 @@ do { \
 	/*NOTREACHED*/ \
 } while (/*CONSTCOND*/0)
 #else
-#define ERR(err) \
+#define SETERROR(err) \
 do { \
 	/* external reference: error, and label bad */ \
 	error = (err); \
@@ -332,7 +332,7 @@ getaddrinfo(hostname, servname, hints, res)
 	pai->ai_family = PF_UNSPEC;
 	pai->ai_socktype = ANY;
 	pai->ai_protocol = ANY;
-#ifdef __sparcv9
+#if defined(sun) && defined(_SOCKLEN_T) && defined(__sparcv9)
 	/*
 	 * clear _ai_pad to preserve binary
 	 * compatibility with previously compiled 64-bit
@@ -340,7 +340,7 @@ getaddrinfo(hostname, servname, hints, res)
 	 * guaranteeing the upper 32-bits are empty.
 	 */
 	pai->_ai_pad = 0;
-#endif /* __sparcv9 */
+#endif
 	pai->ai_addrlen = 0;
 	pai->ai_canonname = NULL;
 	pai->ai_addr = NULL;
@@ -352,20 +352,20 @@ getaddrinfo(hostname, servname, hints, res)
 		/* error check for hints */
 		if (hints->ai_addrlen || hints->ai_canonname ||
 		    hints->ai_addr || hints->ai_next)
-			ERR(EAI_BADHINTS); /* xxx */
+			SETERROR(EAI_BADHINTS); /* xxx */
 		if (hints->ai_flags & ~AI_MASK)
-			ERR(EAI_BADFLAGS);
+			SETERROR(EAI_BADFLAGS);
 		switch (hints->ai_family) {
 		case PF_UNSPEC:
 		case PF_INET:
 		case PF_INET6:
 			break;
 		default:
-			ERR(EAI_FAMILY);
+			SETERROR(EAI_FAMILY);
 		}
 		memcpy(pai, hints, sizeof(*pai));
 
-#ifdef __sparcv9
+#if defined(sun) && defined(_SOCKLEN_T) && defined(__sparcv9)
 		/*
 		 * We need to clear _ai_pad to preserve binary
 		 * compatibility.  See prior comment.
@@ -386,7 +386,7 @@ getaddrinfo(hostname, servname, hints, res)
 					continue;
 				if (pai->ai_socktype == ex->e_socktype &&
 				    pai->ai_protocol != ex->e_protocol) {
-					ERR(EAI_BADHINTS);
+					SETERROR(EAI_BADHINTS);
 				}
 			}
 		}
@@ -406,7 +406,7 @@ getaddrinfo(hostname, servname, hints, res)
 	case AI_ALL:
 #if 1
 		/* illegal */
-		ERR(EAI_BADFLAGS);
+		SETERROR(EAI_BADFLAGS);
 #else
 		pai->ai_flags &= ~(AI_ALL | AI_V4MAPPED);
 		break;
@@ -434,7 +434,7 @@ getaddrinfo(hostname, servname, hints, res)
 		}
 		error = get_portmatch(pai, servname);
 		if (error)
-			ERR(error);
+			SETERROR(error);
 
 		*pai = ai0;
 	}
@@ -493,9 +493,9 @@ getaddrinfo(hostname, servname, hints, res)
 		goto good;
 
 	if (pai->ai_flags & AI_NUMERICHOST)
-		ERR(EAI_NONAME);
+		SETERROR(EAI_NONAME);
 	if (hostname == NULL)
-		ERR(EAI_NONAME);
+		SETERROR(EAI_NONAME);
 
 	/*
 	 * hostname as alphabetical name.
@@ -576,10 +576,6 @@ getaddrinfo(hostname, servname, hints, res)
 
 	freeaddrinfo(afai);	/* afai must not be NULL at this point. */
 
-	/* we must not have got any errors. */
-	if (error != 0) /* just for diagnosis */
-		abort();
-
 	if (sentinel.ai_next) {
 good:
 		*res = sentinel.ai_next;
@@ -804,10 +800,10 @@ explore_numeric(pai, hostname, servname, res)
 			    pai->ai_family == PF_UNSPEC /*?*/) {
 				GET_AI(cur->ai_next, afd, pton);
 				GET_PORT(cur->ai_next, servname);
-				while (cur && cur->ai_next)
+				while (cur->ai_next)
 					cur = cur->ai_next;
 			} else
-				ERR(EAI_FAMILY);	/*xxx*/
+				SETERROR(EAI_FAMILY);	/*xxx*/
 		}
 		break;
 #endif
@@ -817,10 +813,10 @@ explore_numeric(pai, hostname, servname, res)
 			    pai->ai_family == PF_UNSPEC /*?*/) {
 				GET_AI(cur->ai_next, afd, pton);
 				GET_PORT(cur->ai_next, servname);
-				while (cur && cur->ai_next)
+				while (cur->ai_next)
 					cur = cur->ai_next;
 			} else
-				ERR(EAI_FAMILY);	/*xxx*/
+				SETERROR(EAI_FAMILY);	/*xxx*/
 		}
 		break;
 	}
@@ -1202,7 +1198,7 @@ hostent2addrinfo(hp, pai)
 			 */
 			GET_CANONNAME(cur->ai_next, hp->h_name);
 		}
-		while (cur && cur->ai_next) /* no need to loop, actually. */
+		while (cur->ai_next) /* no need to loop, actually. */
 			cur = cur->ai_next;
 		continue;
 
diff --git a/contrib/bind-9.3/lib/bind/irs/gethostent.c b/contrib/bind-9.3/lib/bind/irs/gethostent.c
index b471c529e0..cfea501fd8 100644
--- a/contrib/bind-9.3/lib/bind/irs/gethostent.c
+++ b/contrib/bind-9.3/lib/bind/irs/gethostent.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gethostent.c,v 1.1.2.2.4.2 2004/03/17 01:49:40 marka Exp $";
+static const char rcsid[] = "$Id: gethostent.c,v 1.1.2.2.4.3 2006/01/10 05:09:16 marka Exp $";
 #endif
 
 /* Imports */
@@ -608,7 +608,7 @@ scan_interfaces6(int *have_v4, int *have_v6) {
 }
 #endif
 
-#ifdef __linux
+#if ( defined(__linux__) || defined(__linux) || defined(LINUX) )
 #ifndef IF_NAMESIZE
 # ifdef IFNAMSIZ
 #  define IF_NAMESIZE  IFNAMSIZ
diff --git a/contrib/bind-9.3/lib/bind/irs/getnameinfo.c b/contrib/bind-9.3/lib/bind/irs/getnameinfo.c
index 5947c03898..d6d89f3efe 100644
--- a/contrib/bind-9.3/lib/bind/irs/getnameinfo.c
+++ b/contrib/bind-9.3/lib/bind/irs/getnameinfo.c
@@ -3,6 +3,16 @@
  * - Thread safe-ness must be checked
  */
 
+#if ( defined(__linux__) || defined(__linux) || defined(LINUX) )
+#ifndef IF_NAMESIZE
+# ifdef IFNAMSIZ
+#  define IF_NAMESIZE  IFNAMSIZ
+# else
+#  define IF_NAMESIZE 16
+# endif
+#endif
+#endif
+
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
diff --git a/contrib/bind-9.3/lib/bind/irs/getprotoent_r.c b/contrib/bind-9.3/lib/bind/irs/getprotoent_r.c
index 96bb4e323d..58d0ec9e22 100644
--- a/contrib/bind-9.3/lib/bind/irs/getprotoent_r.c
+++ b/contrib/bind-9.3/lib/bind/irs/getprotoent_r.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getprotoent_r.c,v 1.3.206.1 2004/03/09 08:33:36 marka Exp $";
+static const char rcsid[] = "$Id: getprotoent_r.c,v 1.3.206.2 2006/08/01 01:19:28 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <port_before.h>
@@ -109,6 +109,9 @@ setprotoent_r(int stay_open, PROTO_R_ENT_ARGS)
 setprotoent_r(int stay_open)
 #endif
 {
+#ifdef PROTO_R_ENT_UNUSED
+        PROTO_R_ENT_UNUSED;
+#endif
 	setprotoent(stay_open);
 #ifdef PROTO_R_SET_RESULT
 	return (PROTO_R_SET_RESULT);
@@ -122,6 +125,9 @@ endprotoent_r(PROTO_R_ENT_ARGS)
 endprotoent_r()
 #endif
 {
+#ifdef PROTO_R_ENT_UNUSED
+        PROTO_R_ENT_UNUSED;
+#endif
 	endprotoent();
 	PROTO_R_END_RESULT(PROTO_R_OK);
 }
diff --git a/contrib/bind-9.3/lib/bind/irs/getservent_r.c b/contrib/bind-9.3/lib/bind/irs/getservent_r.c
index b24f468ab4..6dd7034480 100644
--- a/contrib/bind-9.3/lib/bind/irs/getservent_r.c
+++ b/contrib/bind-9.3/lib/bind/irs/getservent_r.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getservent_r.c,v 1.3.206.1 2004/03/09 08:33:36 marka Exp $";
+static const char rcsid[] = "$Id: getservent_r.c,v 1.3.206.2 2006/08/01 01:19:28 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <port_before.h>
@@ -112,7 +112,9 @@ setservent_r(int stay_open, SERV_R_ENT_ARGS)
 setservent_r(int stay_open)
 #endif
 {
-
+#ifdef SERV_R_ENT_UNUSED
+	SERV_R_ENT_UNUSED;
+#endif
 	setservent(stay_open);
 #ifdef SERV_R_SET_RESULT
 	return (SERV_R_SET_RESULT);
@@ -126,7 +128,9 @@ endservent_r(SERV_R_ENT_ARGS)
 endservent_r()
 #endif
 {
-
+#ifdef SERV_R_ENT_UNUSED
+	SERV_R_ENT_UNUSED;
+#endif
 	endservent();
 	SERV_R_END_RESULT(SERV_R_OK);
 }
@@ -194,8 +198,8 @@ copy_servent(struct servent *se, struct servent *sptr, SERV_R_COPY_ARGS) {
 	sptr->s_port = se->s_port;
 
 	/* copy official name */
-	cp = ndptr->line;
-	eob = ndptr->line + sizeof(ndptr->line);
+	cp = sdptr->line;
+	eob = sdptr->line + sizeof(sdptr->line);
 	if ((n = strlen(se->s_name) + 1) < (eob - cp)) {
 		strcpy(cp, se->s_name);
 		sptr->s_name = cp;
@@ -206,7 +210,7 @@ copy_servent(struct servent *se, struct servent *sptr, SERV_R_COPY_ARGS) {
 
 	/* copy aliases */
 	i = 0;
-	sptr->s_aliases = ndptr->serv_aliases;
+	sptr->s_aliases = sdptr->serv_aliases;
 	while (se->s_aliases[i] && i < (_MAXALIASES-1)) {
 		if ((n = strlen(se->s_aliases[i]) + 1) < (eob - cp)) {
 			strcpy(cp, se->s_aliases[i]);
diff --git a/contrib/bind-9.3/lib/bind/irs/irp.c b/contrib/bind-9.3/lib/bind/irs/irp.c
index e5620db3e2..649079c31f 100644
--- a/contrib/bind-9.3/lib/bind/irs/irp.c
+++ b/contrib/bind-9.3/lib/bind/irs/irp.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: irp.c,v 1.3.2.1.10.2 2004/03/17 01:49:41 marka Exp $";
+static const char rcsid[] = "$Id: irp.c,v 1.3.2.1.10.4 2006/03/10 00:17:21 marka Exp $";
 #endif
 
 /* Imports */
@@ -425,6 +425,9 @@ irs_irp_read_body(struct irp_p *pvt, size_t *size) {
 	char *buffer = memget(len);
 	int idx = 0;
 
+	if (buffer == NULL)
+		return (NULL);
+
 	for (;;) {
 		if (irs_irp_read_line(pvt, line, sizeof line) <= 0 ||
 		    strchr(line, '\n') == NULL)
@@ -517,7 +520,7 @@ irs_irp_get_full_response(struct irp_p *pvt, int *code, char *text,
  * int irs_irp_send_command(struct irp_p *pvt, const char *fmt, ...);
  *
  *	Sends command to remote connected via the PVT
- *	struture. FMT and args after it are fprintf-like
+ *	structure. FMT and args after it are fprintf-like
  *	arguments for formatting.
  *
  * Returns:
diff --git a/contrib/bind-9.3/lib/bind/irs/irp_nw.c b/contrib/bind-9.3/lib/bind/irs/irp_nw.c
index 346e5a4d80..ea68612419 100644
--- a/contrib/bind-9.3/lib/bind/irs/irp_nw.c
+++ b/contrib/bind-9.3/lib/bind/irs/irp_nw.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_nw.c,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $";
+static const char rcsid[] = "$Id: irp_nw.c,v 1.1.206.2 2006/03/10 00:17:21 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #if 0
@@ -319,6 +319,8 @@ nw_next(struct irs_nw *this) {
 		nw = NULL;
 	}
 
+	if (body != NULL)
+		memput(body, bodylen);
 	return (nw);
 }
 
diff --git a/contrib/bind-9.3/lib/bind/irs/irpmarshall.c b/contrib/bind-9.3/lib/bind/irs/irpmarshall.c
index 6d2ebd4843..198e349d53 100644
--- a/contrib/bind-9.3/lib/bind/irs/irpmarshall.c
+++ b/contrib/bind-9.3/lib/bind/irs/irpmarshall.c
@@ -49,7 +49,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irpmarshall.c,v 1.3.206.3 2004/03/17 01:13:34 marka Exp $";
+static const char rcsid[] = "$Id: irpmarshall.c,v 1.3.206.4 2006/03/10 00:17:21 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #if 0
@@ -1020,7 +1020,7 @@ irp_unmarshall_ho(struct hostent *ho, char *buffer) {
 	int hoaddrtype;
 	int holength;
 	long t;
-	char *name = NULL;
+	char *name;
 	char **aliases = NULL;
 	char **hohaddrlist = NULL;
 	size_t hoaddrsize;
@@ -1143,6 +1143,7 @@ irp_unmarshall_ho(struct hostent *ho, char *buffer) {
 	errno = myerrno;
 
 	if (name != NULL) free(name);
+	free_array(hohaddrlist, 0);
 	free_array(aliases, 0);
 
 	return (-1);
@@ -1313,7 +1314,6 @@ irp_unmarshall_ng(const char **hostp, const char **userp, const char **domainp,
 
 	if (host != NULL) free(host);
 	if (user != NULL) free(user);
-	if (domain != NULL) free(domain);
 
 	return (-1);
 }
diff --git a/contrib/bind-9.3/lib/bind/irs/irs_data.c b/contrib/bind-9.3/lib/bind/irs/irs_data.c
index f8e65adfe6..7904286db8 100644
--- a/contrib/bind-9.3/lib/bind/irs/irs_data.c
+++ b/contrib/bind-9.3/lib/bind/irs/irs_data.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: irs_data.c,v 1.3.2.2.4.3 2004/11/30 01:15:43 marka Exp $";
+static const char rcsid[] = "$Id: irs_data.c,v 1.3.2.2.4.4 2006/03/10 00:17:21 marka Exp $";
 #endif
 
 #include "port_before.h"
@@ -128,10 +128,15 @@ net_data_init(const char *conf_file) {
 	struct net_data *net_data;
 
 	if (!once) {
-		pthread_mutex_lock(&keylock);
-		if (!once++)
-			pthread_key_create(&key, net_data_destroy);
-		pthread_mutex_unlock(&keylock);
+		if (pthread_mutex_lock(&keylock) != 0)
+			return (NULL);
+		if (!once) {
+			if (pthread_key_create(&key, net_data_destroy) != 0)
+				return (NULL);
+			once = 1;
+		}
+		if (pthread_mutex_unlock(&keylock) != 0)
+			return (NULL);
 	}
 	net_data = pthread_getspecific(key);
 #endif
@@ -141,7 +146,10 @@ net_data_init(const char *conf_file) {
 		if (net_data == NULL)
 			return (NULL);
 #ifdef	DO_PTHREADS
-		pthread_setspecific(key, net_data);
+		if (pthread_setspecific(key, net_data) != 0) {
+			net_data_destroy(net_data);
+			return (NULL);
+		}
 #endif
 	}
 
diff --git a/contrib/bind-9.3/lib/bind/irs/lcl_ho.c b/contrib/bind-9.3/lib/bind/irs/lcl_ho.c
index 45d2677820..b59a10468f 100644
--- a/contrib/bind-9.3/lib/bind/irs/lcl_ho.c
+++ b/contrib/bind-9.3/lib/bind/irs/lcl_ho.c
@@ -52,7 +52,7 @@
 /* BIND Id: gethnamaddr.c,v 8.15 1996/05/22 04:56:30 vixie Exp $ */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_ho.c,v 1.1.206.2 2004/03/17 00:29:50 marka Exp $";
+static const char rcsid[] = "$Id: lcl_ho.c,v 1.1.206.3 2006/03/10 00:17:21 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports. */
@@ -541,7 +541,7 @@ ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
 		ai = hostent2addrinfo(hp, pai);
 		if (ai) {
 			cur->ai_next = ai;
-			while (cur && cur->ai_next)
+			while (cur->ai_next)
 				cur = cur->ai_next;
 		}
 	}
diff --git a/contrib/bind-9.3/lib/bind/irs/lcl_pr.c b/contrib/bind-9.3/lib/bind/irs/lcl_pr.c
index d8f909e89f..ddc92c89bd 100644
--- a/contrib/bind-9.3/lib/bind/irs/lcl_pr.c
+++ b/contrib/bind-9.3/lib/bind/irs/lcl_pr.c
@@ -49,7 +49,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_pr.c,v 1.1.206.1 2004/03/09 08:33:38 marka Exp $";
+static const char rcsid[] = "$Id: lcl_pr.c,v 1.1.206.2 2006/03/10 00:17:21 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* extern */
@@ -85,6 +85,7 @@ static const char rcsid[] = "$Id: lcl_pr.c,v 1.1.206.1 2004/03/09 08:33:38 marka
 struct pvt {
 	FILE *		fp;
 	char		line[BUFSIZ+1];
+	char *		dbuf;
 	struct protoent	proto;
 	char *		proto_aliases[MAXALIASES];
 };
@@ -141,6 +142,8 @@ pr_close(struct irs_pr *this) {
 
 	if (pvt->fp)
 		(void) fclose(pvt->fp);
+	if (pvt->dbuf)
+		free(pvt->dbuf);
 	memput(pvt, sizeof *pvt);
 	memput(this, sizeof *this);
 }
@@ -202,6 +205,10 @@ pr_next(struct irs_pr *this) {
 		pr_rewind(this);
 	if (!pvt->fp)
 		return (NULL);
+	if (pvt->dbuf) {
+		free(pvt->dbuf);
+		pvt->dbuf = NULL;
+	}
 	bufp = pvt->line;
 	bufsiz = BUFSIZ;
 	offset = 0;
@@ -270,6 +277,7 @@ pr_next(struct irs_pr *this) {
 		}
 	}
 	*q = NULL;
+	pvt->dbuf = dbuf;
 	return (&pvt->proto);
 }
 
diff --git a/contrib/bind-9.3/lib/bind/isc/ev_connects.c b/contrib/bind-9.3/lib/bind/isc/ev_connects.c
index 4b0dd2222a..b3873b72e8 100644
--- a/contrib/bind-9.3/lib/bind/isc/ev_connects.c
+++ b/contrib/bind-9.3/lib/bind/isc/ev_connects.c
@@ -20,7 +20,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: ev_connects.c,v 1.4.206.2 2005/07/08 04:52:54 marka Exp $";
+static const char rcsid[] = "$Id: ev_connects.c,v 1.4.206.3 2006/03/10 00:17:21 marka Exp $";
 #endif
 
 /* Import. */
@@ -69,7 +69,7 @@ evListen(evContext opaqueCtx, int fd, int maxconn,
 
 	OKNEW(new);
 	new->flags = EV_CONN_LISTEN;
-	OK(mode = fcntl(fd, F_GETFL, NULL));	/* side effect: validate fd. */
+	OKFREE(mode = fcntl(fd, F_GETFL, NULL), new);	/* side effect: validate fd. */
 	/*
 	 * Remember the nonblocking status.  We assume that either evSelectFD
 	 * has not been done to this fd, or that if it has then the caller
@@ -80,13 +80,13 @@ evListen(evContext opaqueCtx, int fd, int maxconn,
 	if ((mode & PORT_NONBLOCK) == 0) {
 #ifdef USE_FIONBIO_IOCTL
 		int on = 1;
-		OK(ioctl(fd, FIONBIO, (char *)&on));
+		OKFREE(ioctl(fd, FIONBIO, (char *)&on), new);
 #else
-		OK(fcntl(fd, F_SETFL, mode | PORT_NONBLOCK));
+		OKFREE(fcntl(fd, F_SETFL, mode | PORT_NONBLOCK), new);
 #endif
 		new->flags |= EV_CONN_BLOCK;
 	}
-	OK(listen(fd, maxconn));
+	OKFREE(listen(fd, maxconn), new);
 	if (evSelectFD(opaqueCtx, fd, EV_READ, listener, new, &new->file) < 0){
 		int save = errno;
 
diff --git a/contrib/bind-9.3/lib/bind/isc/eventlib.c b/contrib/bind-9.3/lib/bind/isc/eventlib.c
index 77b14144b9..11120ecadd 100644
--- a/contrib/bind-9.3/lib/bind/isc/eventlib.c
+++ b/contrib/bind-9.3/lib/bind/isc/eventlib.c
@@ -20,7 +20,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: eventlib.c,v 1.2.2.1.4.5 2005/07/28 07:43:20 marka Exp $";
+static const char rcsid[] = "$Id: eventlib.c,v 1.2.2.1.4.6 2006/03/10 00:17:21 marka Exp $";
 #endif
 
 #include "port_before.h"
@@ -784,13 +784,10 @@ pselect(int nfds, void *rfds, void *wfds, void *efds,
 		pnfds = 0;
 	}
 	n = poll(fds, pnfds, polltimeout);
-	/*
-	 * pselect() should return the total number of events on the file
-	 * desriptors, not just the count of fd:s with activity. Hence,
-	 * traverse the pollfds array and count the events.
-	 */
 	if (n > 0) {
 		int     i, e;
+
+		INSIST(ctx != NULL);
 		for (e = 0, i = ctx->firstfd; i <= ctx->fdMax; i++) {
 			if (ctx->pollfds[i].fd < 0)
 				continue;
diff --git a/contrib/bind-9.3/lib/bind/isc/eventlib_p.h b/contrib/bind-9.3/lib/bind/isc/eventlib_p.h
index b95741d7af..5c45ab83f6 100644
--- a/contrib/bind-9.3/lib/bind/isc/eventlib_p.h
+++ b/contrib/bind-9.3/lib/bind/isc/eventlib_p.h
@@ -18,7 +18,7 @@
 /* eventlib_p.h - private interfaces for eventlib
  * vix 09sep95 [initial]
  *
- * $Id: eventlib_p.h,v 1.3.2.1.4.3 2005/07/28 07:43:20 marka Exp $
+ * $Id: eventlib_p.h,v 1.3.2.1.4.4 2006/03/10 00:17:21 marka Exp $
  */
 
 #ifndef _EVENTLIB_P_H
@@ -45,6 +45,8 @@
 #define	EV_MASK_ALL	(EV_READ | EV_WRITE | EV_EXCEPT)
 #define EV_ERR(e)		return (errno = (e), -1)
 #define OK(x)		if ((x) < 0) EV_ERR(errno); else (void)NULL
+#define OKFREE(x, y)	if ((x) < 0) { FREE((y)); EV_ERR(errno); } \
+			else (void)NULL
 
 #define	NEW(p)		if (((p) = memget(sizeof *(p))) != NULL) \
 				FILL(p); \
diff --git a/contrib/bind-9.3/lib/bind/isc/heap.c b/contrib/bind-9.3/lib/bind/isc/heap.c
index f63619f568..2faf6f5767 100644
--- a/contrib/bind-9.3/lib/bind/isc/heap.c
+++ b/contrib/bind-9.3/lib/bind/isc/heap.c
@@ -26,7 +26,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: heap.c,v 1.1.206.1 2004/03/09 08:33:43 marka Exp $";
+static const char rcsid[] = "$Id: heap.c,v 1.1.206.2 2006/03/10 00:17:21 marka Exp $";
 #endif /* not lint */
 
 #include "port_before.h"
@@ -54,9 +54,13 @@ heap_new(heap_higher_priority_func higher_priority, heap_index_func index,
 	 int array_size_increment) {
 	heap_context ctx;
 
+	if (higher_priority == NULL)
+		return (NULL);
+
 	ctx = (heap_context)malloc(sizeof (struct heap_context));
-	if (ctx == NULL || higher_priority == NULL)
+	if (ctx == NULL)
 		return (NULL);
+
 	ctx->array_size = 0;
 	if (array_size_increment == 0)
 		ctx->array_size_increment = ARRAY_SIZE_INCREMENT;
diff --git a/contrib/bind-9.3/lib/bind/isc/hex.c b/contrib/bind-9.3/lib/bind/isc/hex.c
index c177ca0fa3..70312597c9 100644
--- a/contrib/bind-9.3/lib/bind/isc/hex.c
+++ b/contrib/bind-9.3/lib/bind/isc/hex.c
@@ -45,8 +45,9 @@ isc_gethexstring(unsigned char *buf, size_t len, int count, FILE *fp,
 			goto formerr;
 		/* comment */
 		if (c == ';') {
-			while ((c = fgetc(fp)) != EOF && c != '\n')
-				/* empty */
+			do {
+				c = fgetc(fp);
+			} while (c != EOF && c != '\n');
 			if (c == '\n' && *multiline)
 				continue;
 			goto formerr;
diff --git a/contrib/bind-9.3/lib/bind/isc/memcluster.c b/contrib/bind-9.3/lib/bind/isc/memcluster.c
index c5b7202817..886f51601e 100644
--- a/contrib/bind-9.3/lib/bind/isc/memcluster.c
+++ b/contrib/bind-9.3/lib/bind/isc/memcluster.c
@@ -24,7 +24,7 @@
 
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: memcluster.c,v 1.3.206.7 2005/10/11 00:48:15 marka Exp $";
+static const char rcsid[] = "$Id: memcluster.c,v 1.3.206.8 2006/08/30 23:35:06 marka Exp $";
 #endif /* not lint */
 
 #include "port_before.h"
@@ -399,7 +399,7 @@ __memput_record(void *mem, size_t size, const char *file, int line) {
 	p = (char *)e + sizeof *e + size;
 	memcpy(&fp, p, sizeof fp);
 	INSIST(fp == BACK_FENCEPOST);
-	INSIST(((int)mem % 4) == 0);
+	INSIST(((u_long)mem % 4) == 0);
 #ifdef MEMCLUSTER_RECORD
 	prev = NULL;
 	if (size == max_size || new_size >= max_size)
@@ -523,10 +523,11 @@ memstats(FILE *out) {
 	for (i = 1; i <= max_size; i++) {
 		if ((e = activelists[i]) != NULL)
 			while (e != NULL) {
-				fprintf(out, "%s:%d %p:%d\n",
+				fprintf(out, "%s:%d %p:%lu\n",
 				        e->file != NULL ? e->file :
 						"<UNKNOWN>", e->line,
-					(char *)e + sizeof *e, e->size);
+					(char *)e + sizeof *e,
+					(u_long)e->size);
 				e = e->next;
 			}
 	}
diff --git a/contrib/bind-9.3/lib/bind/nameser/ns_sign.c b/contrib/bind-9.3/lib/bind/nameser/ns_sign.c
index 56248a59a8..7b742f1f5f 100644
--- a/contrib/bind-9.3/lib/bind/nameser/ns_sign.c
+++ b/contrib/bind-9.3/lib/bind/nameser/ns_sign.c
@@ -16,7 +16,7 @@
  */
 
 #ifndef lint
-static const char rcsid[] = "$Id: ns_sign.c,v 1.1.2.2.4.1 2004/03/09 08:33:45 marka Exp $";
+static const char rcsid[] = "$Id: ns_sign.c,v 1.1.2.2.4.2 2006/03/10 00:17:21 marka Exp $";
 #endif
 
 /* Import. */
@@ -89,7 +89,7 @@ ns_sign2(u_char *msg, int *msglen, int msgsize, int error, void *k,
 {
 	HEADER *hp = (HEADER *)msg;
 	DST_KEY *key = (DST_KEY *)k;
-	u_char *cp = msg + *msglen, *eob = msg + msgsize;
+	u_char *cp, *eob;
 	u_char *lenp;
 	u_char *alg;
 	int n;
@@ -100,6 +100,9 @@ ns_sign2(u_char *msg, int *msglen, int msgsize, int error, void *k,
 	if (msg == NULL || msglen == NULL || sig == NULL || siglen == NULL)
 		return (-1);
 
+	cp = msg + *msglen;
+	eob = msg + msgsize;
+
 	/* Name. */
 	if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
 		n = ns_name_pton(key->dk_key_name, name, sizeof name);
diff --git a/contrib/bind-9.3/lib/bind/nameser/ns_verify.c b/contrib/bind-9.3/lib/bind/nameser/ns_verify.c
index adda249bb4..c74a0a38b2 100644
--- a/contrib/bind-9.3/lib/bind/nameser/ns_verify.c
+++ b/contrib/bind-9.3/lib/bind/nameser/ns_verify.c
@@ -16,7 +16,7 @@
  */
 
 #ifndef lint
-static const char rcsid[] = "$Id: ns_verify.c,v 1.1.206.2 2005/10/11 00:48:16 marka Exp $";
+static const char rcsid[] = "$Id: ns_verify.c,v 1.1.206.3 2006/03/10 00:17:21 marka Exp $";
 #endif
 
 /* Import. */
@@ -343,7 +343,7 @@ ns_verify_tcp(u_char *msg, int *msglen, ns_tcp_tsig_state *state,
 	HEADER *hp = (HEADER *)msg;
 	u_char *recstart, *sigstart;
 	unsigned int sigfieldlen, otherfieldlen;
-	u_char *cp, *eom = msg + *msglen, *cp2;
+	u_char *cp, *eom, *cp2;
 	char name[MAXDNAME], alg[MAXDNAME];
 	u_char buf[MAXDNAME];
 	int n, type, length, fudge, error;
@@ -352,6 +352,8 @@ ns_verify_tcp(u_char *msg, int *msglen, ns_tcp_tsig_state *state,
 	if (msg == NULL || msglen == NULL || state == NULL)
 		return (-1);
 
+	eom = msg + *msglen;
+
 	state->counter++;
 	if (state->counter == 0)
 		return (ns_verify(msg, msglen, state->key,
diff --git a/contrib/bind-9.3/lib/bind/port_after.h.in b/contrib/bind-9.3/lib/bind/port_after.h.in
index 0c956b71ed..f248d23f56 100644
--- a/contrib/bind-9.3/lib/bind/port_after.h.in
+++ b/contrib/bind-9.3/lib/bind/port_after.h.in
@@ -5,12 +5,16 @@
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/param.h>
+#include <sys/time.h>
 #if (!defined(BSD)) || (BSD < 199306)
 #include <sys/bitypes.h>
 #endif
 #ifdef HAVE_INTTYPES_H
 #include <inttypes.h>
 #endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif /* HAVE_SYS_SELECT_H */
 
 @NEED_PSELECT@
 @HAVE_SA_LEN@
diff --git a/contrib/bind-9.3/lib/bind/port_before.h.in b/contrib/bind-9.3/lib/bind/port_before.h.in
index c754efd2b0..320fff1905 100644
--- a/contrib/bind-9.3/lib/bind/port_before.h.in
+++ b/contrib/bind-9.3/lib/bind/port_before.h.in
@@ -87,11 +87,13 @@ struct timezone;        /* silence warning */
 @PROTO_R_END_RESULT@
 @PROTO_R_END_RETURN@
 @PROTO_R_ENT_ARGS@
+@PROTO_R_ENT_UNUSED@
 @PROTO_R_OK@
 @PROTO_R_SETANSWER@
 @PROTO_R_RETURN@
 @PROTO_R_SET_RESULT@
 @PROTO_R_SET_RETURN@
+@PROTOENT_DATA@
 
 @PASS_R_ARGS@
 @PASS_R_BAD@
@@ -112,11 +114,13 @@ struct timezone;        /* silence warning */
 @SERV_R_END_RESULT@
 @SERV_R_END_RETURN@
 @SERV_R_ENT_ARGS@
+@SERV_R_ENT_UNUSED@
 @SERV_R_OK@
 @SERV_R_SETANSWER@
 @SERV_R_RETURN@
 @SERV_R_SET_RESULT@
 @SERV_R_SET_RETURN@
+@SERVENT_DATA@
 
 
 #define DE_CONST(konst, var) \
diff --git a/contrib/bind-9.3/lib/bind/resolv/mtctxres.c b/contrib/bind-9.3/lib/bind/resolv/mtctxres.c
index f33cf11e3f..635bbd4400 100644
--- a/contrib/bind-9.3/lib/bind/resolv/mtctxres.c
+++ b/contrib/bind-9.3/lib/bind/resolv/mtctxres.c
@@ -106,9 +106,10 @@ ___mtctxres(void) {
 	 */
 	if (!mt_key_initialized) {
 		static pthread_mutex_t keylock = PTHREAD_MUTEX_INITIALIZER;
-                pthread_mutex_lock(&keylock);
-		_mtctxres_init();
-                pthread_mutex_unlock(&keylock);
+                if (pthread_mutex_lock(&keylock) == 0) {
+			_mtctxres_init();
+			(void) pthread_mutex_unlock(&keylock);
+		}
 	}
 
 	/*
diff --git a/contrib/bind-9.3/lib/bind/resolv/res_init.c b/contrib/bind-9.3/lib/bind/resolv/res_init.c
index 28a3ebd088..fd82e87203 100644
--- a/contrib/bind-9.3/lib/bind/resolv/res_init.c
+++ b/contrib/bind-9.3/lib/bind/resolv/res_init.c
@@ -70,7 +70,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)res_init.c	8.1 (Berkeley) 6/7/93";
-static const char rcsid[] = "$Id: res_init.c,v 1.9.2.5.4.5 2005/11/03 00:00:52 marka Exp $";
+static const char rcsid[] = "$Id: res_init.c,v 1.9.2.5.4.6 2006/08/30 23:23:01 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include "port_before.h"
@@ -237,17 +237,10 @@ __res_vinit(res_state statp, int preinit) {
 			if (buf[0] == '+')
 				buf[0] = '.';
 			cp = strchr(buf, '.');
-			if (cp == NULL) {
-				if (strlcpy(statp->defdname, buf,
-					sizeof(statp->defdname))
-					>= sizeof(statp->defdname))
-					goto freedata;
-			} else {
-				if (strlcpy(statp->defdname, cp+1,
-					sizeof(statp->defdname))
-					 >= sizeof(statp->defdname))
-					goto freedata;
-			}
+			cp = (cp == NULL) ? buf : (cp + 1);
+			if (strlen(cp) >= sizeof(statp->defdname))
+				goto freedata; 
+			strcpy(statp->defdname, cp);
 		}
 	}
 #endif	/* SOLARIS2 */
diff --git a/contrib/bind-9.3/lib/bind/resolv/res_send.c b/contrib/bind-9.3/lib/bind/resolv/res_send.c
index 5be2489325..c47dd49bc6 100644
--- a/contrib/bind-9.3/lib/bind/resolv/res_send.c
+++ b/contrib/bind-9.3/lib/bind/resolv/res_send.c
@@ -70,7 +70,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)res_send.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: res_send.c,v 1.5.2.2.4.7 2005/08/15 02:04:41 marka Exp $";
+static const char rcsid[] = "$Id: res_send.c,v 1.5.2.2.4.9 2006/10/16 23:00:50 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /*
@@ -130,7 +130,7 @@ static struct sockaddr * get_nsaddr __P((res_state, size_t));
 static int		send_vc(res_state, const u_char *, int,
 				u_char *, int, int *, int);
 static int		send_dg(res_state, const u_char *, int,
-				u_char *, int, int *, int,
+				u_char *, int, int *, int, int,
 				int *, int *);
 static void		Aerror(const res_state, FILE *, const char *, int,
 			       const struct sockaddr *, int);
@@ -295,7 +295,8 @@ res_nsend(res_state statp,
 	highestFD = sysconf(_SC_OPEN_MAX) - 1;
 #endif
 
-	if (statp->nscount == 0) {
+	/* No name servers or res_init() failure */
+	if (statp->nscount == 0 || EXT(statp).ext == NULL) {
 		errno = ESRCH;
 		return (-1);
 	}
@@ -458,7 +459,7 @@ res_nsend(res_state statp,
 		} else {
 			/* Use datagrams. */
 			n = send_dg(statp, buf, buflen, ans, anssiz, &terrno,
-				    ns, &v_circuit, &gotsomewhere);
+				    ns, try, &v_circuit, &gotsomewhere);
 			if (n < 0)
 				goto fail;
 			if (n == 0)
@@ -766,9 +767,9 @@ send_vc(res_state statp,
 }
 
 static int
-send_dg(res_state statp,
-	const u_char *buf, int buflen, u_char *ans, int anssiz,
-	int *terrno, int ns, int *v_circuit, int *gotsomewhere)
+send_dg(res_state statp, const u_char *buf, int buflen, u_char *ans,
+	int anssiz, int *terrno, int ns, int try, int *v_circuit,
+	int *gotsomewhere)
 {
 	const HEADER *hp = (const HEADER *) buf;
 	HEADER *anhp = (HEADER *) ans;
@@ -849,7 +850,7 @@ send_dg(res_state statp,
 	/*
 	 * Wait for reply.
 	 */
-	seconds = (statp->retrans << ns);
+	seconds = (statp->retrans << try);
 	if (ns > 0)
 		seconds /= statp->nscount;
 	if (seconds <= 0)
diff --git a/contrib/bind-9.3/lib/bind/resolv/res_sendsigned.c b/contrib/bind-9.3/lib/bind/resolv/res_sendsigned.c
index d1d2274575..93ad5c9795 100644
--- a/contrib/bind-9.3/lib/bind/resolv/res_sendsigned.c
+++ b/contrib/bind-9.3/lib/bind/resolv/res_sendsigned.c
@@ -52,6 +52,7 @@ res_nsendsigned(res_state statp, const u_char *msg, int msglen,
 	bufsize = msglen + 1024;
 	newmsg = (u_char *) malloc(bufsize);
 	if (newmsg == NULL) {
+		free(nstatp);
 		errno = ENOMEM;
 		return (-1);
 	}
@@ -102,11 +103,11 @@ res_nsendsigned(res_state statp, const u_char *msg, int msglen,
 retry:
 
 	len = res_nsend(nstatp, newmsg, newmsglen, answer, anslen);
-	if (ret < 0) {
+	if (len < 0) {
 		free (nstatp);
 		free (newmsg);
 		dst_free_key(dstkey);
-		return (ret);
+		return (len);
 	}
 
 	ret = ns_verify(answer, &len, dstkey, sig, siglen,
diff --git a/contrib/bind-9.3/lib/bind9/api b/contrib/bind-9.3/lib/bind9/api
index 0a12b5e852..be7faa6948 100644
--- a/contrib/bind-9.3/lib/bind9/api
+++ b/contrib/bind-9.3/lib/bind9/api
@@ -1,3 +1,3 @@
 LIBINTERFACE = 0
-LIBREVISION = 7
+LIBREVISION = 8
 LIBAGE = 0
diff --git a/contrib/bind-9.3/lib/bind9/check.c b/contrib/bind-9.3/lib/bind9/check.c
index e6e86fd14d..2079a8477a 100644
--- a/contrib/bind-9.3/lib/bind9/check.c
+++ b/contrib/bind-9.3/lib/bind9/check.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.37.6.32 2005/11/03 23:08:41 marka Exp $ */
+/* $Id: check.c,v 1.37.6.34 2006/03/02 00:37:20 marka Exp $ */
 
 #include <config.h>
 
@@ -50,12 +50,12 @@ freekey(char *key, unsigned int type, isc_symvalue_t value, void *userarg) {
 }
 
 static isc_result_t
-check_orderent(cfg_obj_t *ent, isc_log_t *logctx) {
+check_orderent(const cfg_obj_t *ent, isc_log_t *logctx) {
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
 	isc_textregion_t r;
 	dns_fixedname_t fixed;
-	cfg_obj_t *obj;
+	const cfg_obj_t *obj;
 	dns_rdataclass_t rdclass;
 	dns_rdatatype_t rdtype;
 	isc_buffer_t b;
@@ -132,11 +132,11 @@ check_orderent(cfg_obj_t *ent, isc_log_t *logctx) {
 }
 
 static isc_result_t
-check_order(cfg_obj_t *options, isc_log_t *logctx) {
+check_order(const cfg_obj_t *options, isc_log_t *logctx) {
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
-	cfg_listelt_t *element;
-	cfg_obj_t *obj = NULL;
+	const cfg_listelt_t *element;
+	const cfg_obj_t *obj = NULL;
 
 	if (cfg_map_get(options, "rrset-order", &obj) != ISC_R_SUCCESS)
 		return (result);
@@ -153,12 +153,12 @@ check_order(cfg_obj_t *options, isc_log_t *logctx) {
 }
 
 static isc_result_t
-check_dual_stack(cfg_obj_t *options, isc_log_t *logctx) {
-	cfg_listelt_t *element;
-	cfg_obj_t *alternates = NULL;
-	cfg_obj_t *value;
-	cfg_obj_t *obj;
-	char *str;
+check_dual_stack(const cfg_obj_t *options, isc_log_t *logctx) {
+	const cfg_listelt_t *element;
+	const cfg_obj_t *alternates = NULL;
+	const cfg_obj_t *value;
+	const cfg_obj_t *obj;
+	const char *str;
 	dns_fixedname_t fixed;
 	dns_name_t *name;
 	isc_buffer_t buffer;
@@ -213,9 +213,9 @@ check_dual_stack(cfg_obj_t *options, isc_log_t *logctx) {
 }
 
 static isc_result_t
-check_forward(cfg_obj_t *options, isc_log_t *logctx) {
-	cfg_obj_t *forward = NULL;
-	cfg_obj_t *forwarders = NULL;
+check_forward(const cfg_obj_t *options, isc_log_t *logctx) {
+	const cfg_obj_t *forward = NULL;
+	const cfg_obj_t *forwarders = NULL;
 
 	(void)cfg_map_get(options, "forward", &forward);
 	(void)cfg_map_get(options, "forwarders", &forwarders);
@@ -229,15 +229,15 @@ check_forward(cfg_obj_t *options, isc_log_t *logctx) {
 }
 
 static isc_result_t
-disabled_algorithms(cfg_obj_t *disabled, isc_log_t *logctx) {
+disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) {
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
-	cfg_listelt_t *element;
+	const cfg_listelt_t *element;
 	const char *str;
 	isc_buffer_t b;
 	dns_fixedname_t fixed;
 	dns_name_t *name;
-	cfg_obj_t *obj;
+	const cfg_obj_t *obj;
 
 	dns_fixedname_init(&fixed);
 	name = dns_fixedname_name(&fixed);
@@ -262,7 +262,7 @@ disabled_algorithms(cfg_obj_t *disabled, isc_log_t *logctx) {
 		dns_secalg_t alg;
 		isc_result_t tresult;
 
-		r.base = cfg_obj_asstring(cfg_listelt_value(element));
+		DE_CONST(cfg_obj_asstring(cfg_listelt_value(element)), r.base);
 		r.length = strlen(r.base);
 
 		tresult = dns_secalg_fromtext(&alg, &r);
@@ -280,8 +280,9 @@ disabled_algorithms(cfg_obj_t *disabled, isc_log_t *logctx) {
 }
 
 static isc_result_t
-nameexist(cfg_obj_t *obj, const char *name, int value, isc_symtab_t *symtab,
-	  const char *fmt, isc_log_t *logctx, isc_mem_t *mctx)
+nameexist(const cfg_obj_t *obj, const char *name, int value,
+	  isc_symtab_t *symtab, const char *fmt, isc_log_t *logctx,
+	  isc_mem_t *mctx)
 {
 	char *key;
 	const char *file;
@@ -292,14 +293,14 @@ nameexist(cfg_obj_t *obj, const char *name, int value, isc_symtab_t *symtab,
 	key = isc_mem_strdup(mctx, name);
 	if (key == NULL)
 		return (ISC_R_NOMEMORY);
-	symvalue.as_pointer = obj;
+	symvalue.as_cpointer = obj;
 	result = isc_symtab_define(symtab, key, value, symvalue,
 				   isc_symexists_reject);
 	if (result == ISC_R_EXISTS) {
 		RUNTIME_CHECK(isc_symtab_lookup(symtab, key, value,
 						&symvalue) == ISC_R_SUCCESS);
-		file = cfg_obj_file(symvalue.as_pointer);
-		line = cfg_obj_line(symvalue.as_pointer);
+		file = cfg_obj_file(symvalue.as_cpointer);
+		line = cfg_obj_line(symvalue.as_cpointer);
 
 		if (file == NULL)
 			file = "<unknown file>";
@@ -313,10 +314,10 @@ nameexist(cfg_obj_t *obj, const char *name, int value, isc_symtab_t *symtab,
 }
 
 static isc_result_t
-mustbesecure(cfg_obj_t *secure, isc_symtab_t *symtab, isc_log_t *logctx,
+mustbesecure(const cfg_obj_t *secure, isc_symtab_t *symtab, isc_log_t *logctx,
 	     isc_mem_t *mctx)
 {
-	cfg_obj_t *obj;
+	const cfg_obj_t *obj;
 	char namebuf[DNS_NAME_FORMATSIZE];
 	const char *str;
 	dns_fixedname_t fixed;
@@ -351,12 +352,12 @@ typedef struct {
 } intervaltable;
 
 static isc_result_t
-check_options(cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
+check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
 	unsigned int i;
-	cfg_obj_t *obj = NULL;
-	cfg_listelt_t *element;
+	const cfg_obj_t *obj = NULL;
+	const cfg_listelt_t *element;
 	isc_symtab_t *symtab = NULL;
 
 	static intervaltable intervals[] = {
@@ -411,9 +412,9 @@ check_options(cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 	(void)cfg_map_get(options, "root-delegation-only", &obj);
 	if (obj != NULL) {
 		if (!cfg_obj_isvoid(obj)) {
-			cfg_listelt_t *element;
-			cfg_obj_t *exclude;
-			char *str;
+			const cfg_listelt_t *element;
+			const cfg_obj_t *exclude;
+			const char *str;
 			dns_fixedname_t fixed;
 			dns_name_t *name;
 			isc_buffer_t b;
@@ -557,10 +558,10 @@ check_options(cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 }
 
 static isc_result_t
-get_masters_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) {
+get_masters_def(const cfg_obj_t *cctx, const char *name, const cfg_obj_t **ret) {
 	isc_result_t result;
-	cfg_obj_t *masters = NULL;
-	cfg_listelt_t *elt;
+	const cfg_obj_t *masters = NULL;
+	const cfg_listelt_t *elt;
 
 	result = cfg_map_get(cctx, "masters", &masters);
 	if (result != ISC_R_SUCCESS)
@@ -568,7 +569,7 @@ get_masters_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) {
 	for (elt = cfg_list_first(masters);
 	     elt != NULL;
 	     elt = cfg_list_next(elt)) {
-		cfg_obj_t *list;
+		const cfg_obj_t *list;
 		const char *listname;
 
 		list = cfg_listelt_value(elt);
@@ -583,18 +584,18 @@ get_masters_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) {
 }
 
 static isc_result_t
-validate_masters(cfg_obj_t *obj, cfg_obj_t *config, isc_uint32_t *countp,
-		 isc_log_t *logctx, isc_mem_t *mctx)
+validate_masters(const cfg_obj_t *obj, const cfg_obj_t *config,
+	         isc_uint32_t *countp, isc_log_t *logctx, isc_mem_t *mctx)
 {
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
 	isc_uint32_t count = 0;
 	isc_symtab_t *symtab = NULL;
 	isc_symvalue_t symvalue;
-	cfg_listelt_t *element;
-	cfg_listelt_t **stack = NULL;
+	const cfg_listelt_t *element;
+	const cfg_listelt_t **stack = NULL;
 	isc_uint32_t stackcount = 0, pushed = 0;
-	cfg_obj_t *list;
+	const cfg_obj_t *list;
 
 	REQUIRE(countp != NULL);
 	result = isc_symtab_create(mctx, 100, NULL, NULL, ISC_FALSE, &symtab);
@@ -611,9 +612,9 @@ validate_masters(cfg_obj_t *obj, cfg_obj_t *config, isc_uint32_t *countp,
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		char *listname;
-		cfg_obj_t *addr;
-		cfg_obj_t *key;
+		const char *listname;
+		const cfg_obj_t *addr;
+		const cfg_obj_t *key;
 
 		addr = cfg_tuple_get(cfg_listelt_value(element),
 				     "masterselement");
@@ -631,7 +632,7 @@ validate_masters(cfg_obj_t *obj, cfg_obj_t *config, isc_uint32_t *countp,
 				result = ISC_R_FAILURE;
 		}
 		listname = cfg_obj_asstring(addr);
-		symvalue.as_pointer = addr;
+		symvalue.as_cpointer = addr;
 		tresult = isc_symtab_define(symtab, listname, 1, symvalue,
 					    isc_symexists_reject);
 		if (tresult == ISC_R_EXISTS)
@@ -691,14 +692,15 @@ typedef struct {
 } optionstable;
 
 static isc_result_t
-check_zoneconf(cfg_obj_t *zconfig, cfg_obj_t *config, isc_symtab_t *symtab,
-	       dns_rdataclass_t defclass, isc_log_t *logctx, isc_mem_t *mctx)
+check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *config,
+	       isc_symtab_t *symtab, dns_rdataclass_t defclass,
+	       isc_log_t *logctx, isc_mem_t *mctx)
 {
 	const char *zname;
 	const char *typestr;
 	unsigned int ztype;
-	cfg_obj_t *zoptions;
-	cfg_obj_t *obj = NULL;
+	const cfg_obj_t *zoptions;
+	const cfg_obj_t *obj = NULL;
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
 	unsigned int i;
@@ -902,10 +904,10 @@ check_zoneconf(cfg_obj_t *zconfig, cfg_obj_t *config, isc_symtab_t *symtab,
 	 * Check the excessively complicated "dialup" option.
 	 */
 	if (ztype == MASTERZONE || ztype == SLAVEZONE || ztype == STUBZONE) {
-		cfg_obj_t *dialup = NULL;
+		const cfg_obj_t *dialup = NULL;
 		(void)cfg_map_get(zoptions, "dialup", &dialup);
 		if (dialup != NULL && cfg_obj_isstring(dialup)) {
-			char *str = cfg_obj_asstring(dialup);
+			const char *str = cfg_obj_asstring(dialup);
 			for (i = 0;
 			     i < sizeof(dialups) / sizeof(dialups[0]);
 			     i++)
@@ -970,9 +972,9 @@ check_zoneconf(cfg_obj_t *zconfig, cfg_obj_t *config, isc_symtab_t *symtab,
 }
 
 isc_result_t
-bind9_check_key(cfg_obj_t *key, isc_log_t *logctx) {
-	cfg_obj_t *algobj = NULL;
-	cfg_obj_t *secretobj = NULL;
+bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
+	const cfg_obj_t *algobj = NULL;
+	const cfg_obj_t *secretobj = NULL;
 	const char *keyname = cfg_obj_asstring(cfg_map_getname(key));
 	
 	(void)cfg_map_get(key, "algorithm", &algobj);
@@ -988,20 +990,20 @@ bind9_check_key(cfg_obj_t *key, isc_log_t *logctx) {
 }
 
 static isc_result_t
-check_keylist(cfg_obj_t *keys, isc_symtab_t *symtab, isc_log_t *logctx) {
+check_keylist(const cfg_obj_t *keys, isc_symtab_t *symtab, isc_log_t *logctx) {
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
-	cfg_listelt_t *element;
+	const cfg_listelt_t *element;
 
 	for (element = cfg_list_first(keys);
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *key = cfg_listelt_value(element);
+		const cfg_obj_t *key = cfg_listelt_value(element);
 		const char *keyname = cfg_obj_asstring(cfg_map_getname(key));
 		isc_symvalue_t symvalue;
 
-		symvalue.as_pointer = key;
+		symvalue.as_cpointer = key;
 		tresult = isc_symtab_define(symtab, keyname, 1,
 					    symvalue, isc_symexists_reject);
 		if (tresult == ISC_R_EXISTS) {
@@ -1010,8 +1012,8 @@ check_keylist(cfg_obj_t *keys, isc_symtab_t *symtab, isc_log_t *logctx) {
 
 			RUNTIME_CHECK(isc_symtab_lookup(symtab, keyname,
 					    1, &symvalue) == ISC_R_SUCCESS);
-			file = cfg_obj_file(symvalue.as_pointer);
-			line = cfg_obj_line(symvalue.as_pointer);
+			file = cfg_obj_file(symvalue.as_cpointer);
+			line = cfg_obj_line(symvalue.as_cpointer);
 
 			if (file == NULL)
 				file = "<unknown file>";
@@ -1031,13 +1033,16 @@ check_keylist(cfg_obj_t *keys, isc_symtab_t *symtab, isc_log_t *logctx) {
 }
 
 static isc_result_t
-check_servers(cfg_obj_t *servers, isc_log_t *logctx) {
+check_servers(const cfg_obj_t *servers, isc_log_t *logctx) {
 	isc_result_t result = ISC_R_SUCCESS;
-	cfg_listelt_t *e1, *e2;
-	cfg_obj_t *v1, *v2;
-	isc_sockaddr_t *s1, *s2;
+	const cfg_listelt_t *e1;
+	const cfg_listelt_t *e2;
+	const cfg_obj_t *v1;
+	const cfg_obj_t *v2;
+	const isc_sockaddr_t *s1;
+	const isc_sockaddr_t *s2;
 	isc_netaddr_t na;
-	cfg_obj_t *ts;
+	const cfg_obj_t *ts;
 	char buf[128];
 	const char *xfr;
 	isc_buffer_t target;
@@ -1090,13 +1095,13 @@ check_servers(cfg_obj_t *servers, isc_log_t *logctx) {
 }
 		
 static isc_result_t
-check_viewconf(cfg_obj_t *config, cfg_obj_t *vconfig, dns_rdataclass_t vclass,
-	       isc_log_t *logctx, isc_mem_t *mctx)
+check_viewconf(const cfg_obj_t *config, const cfg_obj_t *vconfig,
+	       dns_rdataclass_t vclass, isc_log_t *logctx, isc_mem_t *mctx)
 {
-	cfg_obj_t *servers = NULL;
-	cfg_obj_t *zones = NULL;
-	cfg_obj_t *keys = NULL;
-	cfg_listelt_t *element;
+	const cfg_obj_t *servers = NULL;
+	const cfg_obj_t *zones = NULL;
+	const cfg_obj_t *keys = NULL;
+	const cfg_listelt_t *element;
 	isc_symtab_t *symtab = NULL;
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult = ISC_R_SUCCESS;
@@ -1120,7 +1125,7 @@ check_viewconf(cfg_obj_t *config, cfg_obj_t *vconfig, dns_rdataclass_t vclass,
 	     element = cfg_list_next(element))
 	{
 		isc_result_t tresult;
-		cfg_obj_t *zone = cfg_listelt_value(element);
+		const cfg_obj_t *zone = cfg_listelt_value(element);
 
 		tresult = check_zoneconf(zone, config, symtab, vclass,
 					 logctx, mctx);
@@ -1165,7 +1170,7 @@ check_viewconf(cfg_obj_t *config, cfg_obj_t *vconfig, dns_rdataclass_t vclass,
 	 * Check that forwarding is reasonable.
 	 */
 	if (vconfig == NULL) {
-		cfg_obj_t *options = NULL;
+		const cfg_obj_t *options = NULL;
 		(void)cfg_map_get(config, "options", &options);
 		if (options != NULL)
 			if (check_forward(options, logctx) != ISC_R_SUCCESS)
@@ -1178,7 +1183,7 @@ check_viewconf(cfg_obj_t *config, cfg_obj_t *vconfig, dns_rdataclass_t vclass,
 	 * Check that dual-stack-servers is reasonable.
 	 */
 	if (vconfig == NULL) {
-		cfg_obj_t *options = NULL;
+		const cfg_obj_t *options = NULL;
 		(void)cfg_map_get(config, "options", &options);
 		if (options != NULL)
 			if (check_dual_stack(options, logctx) != ISC_R_SUCCESS)
@@ -1215,14 +1220,16 @@ check_viewconf(cfg_obj_t *config, cfg_obj_t *vconfig, dns_rdataclass_t vclass,
 
 
 isc_result_t
-bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
-	cfg_obj_t *options = NULL;
-	cfg_obj_t *servers = NULL;
-	cfg_obj_t *views = NULL;
-	cfg_obj_t *acls = NULL;
-	cfg_obj_t *kals = NULL;
-	cfg_obj_t *obj;
-	cfg_listelt_t *velement;
+bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
+		      isc_mem_t *mctx)
+{
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *servers = NULL;
+	const cfg_obj_t *views = NULL;
+	const cfg_obj_t *acls = NULL;
+	const cfg_obj_t *kals = NULL;
+	const cfg_obj_t *obj;
+	const cfg_listelt_t *velement;
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
 	isc_symtab_t *symtab = NULL;
@@ -1256,7 +1263,7 @@ bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
 				   logctx, mctx) != ISC_R_SUCCESS)
 			result = ISC_R_FAILURE;
 	} else {
-		cfg_obj_t *zones = NULL;
+		const cfg_obj_t *zones = NULL;
 
 		(void)cfg_map_get(config, "zone", &zones);
 		if (zones != NULL) {
@@ -1274,10 +1281,10 @@ bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
 	     velement != NULL;
 	     velement = cfg_list_next(velement))
 	{
-		cfg_obj_t *view = cfg_listelt_value(velement);
-		cfg_obj_t *vname = cfg_tuple_get(view, "name");
-		cfg_obj_t *voptions = cfg_tuple_get(view, "options");
-		cfg_obj_t *vclassobj = cfg_tuple_get(view, "class");
+		const cfg_obj_t *view = cfg_listelt_value(velement);
+		const cfg_obj_t *vname = cfg_tuple_get(view, "name");
+		const cfg_obj_t *voptions = cfg_tuple_get(view, "options");
+		const cfg_obj_t *vclassobj = cfg_tuple_get(view, "class");
 		dns_rdataclass_t vclass = dns_rdataclass_in;
 		isc_result_t tresult = ISC_R_SUCCESS;
 		const char *key = cfg_obj_asstring(vname);
@@ -1295,7 +1302,7 @@ bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
 					    cfg_obj_asstring(vname), r.base);
 		}
 		if (tresult == ISC_R_SUCCESS && symtab != NULL) {
-			symvalue.as_pointer = view;
+			symvalue.as_cpointer = view;
 			tresult = isc_symtab_define(symtab, key, vclass,
 						    symvalue,
 						    isc_symexists_reject);
@@ -1304,8 +1311,8 @@ bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
 				unsigned int line;
 				RUNTIME_CHECK(isc_symtab_lookup(symtab, key,
 				           vclass, &symvalue) == ISC_R_SUCCESS);
-				file = cfg_obj_file(symvalue.as_pointer);
-				line = cfg_obj_line(symvalue.as_pointer);
+				file = cfg_obj_file(symvalue.as_cpointer);
+				line = cfg_obj_line(symvalue.as_cpointer);
 				cfg_obj_log(view, logctx, ISC_LOG_ERROR,
 					    "view '%s': already exists "
 					    "previous definition: %s:%u",
@@ -1345,14 +1352,14 @@ bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
 
         tresult = cfg_map_get(config, "acl", &acls);
         if (tresult == ISC_R_SUCCESS) {
-		cfg_listelt_t *elt;
-		cfg_listelt_t *elt2;
+		const cfg_listelt_t *elt;
+		const cfg_listelt_t *elt2;
 		const char *aclname;
 
 		for (elt = cfg_list_first(acls);
 		     elt != NULL;
 		     elt = cfg_list_next(elt)) {
-			cfg_obj_t *acl = cfg_listelt_value(elt);
+			const cfg_obj_t *acl = cfg_listelt_value(elt);
 			unsigned int i;
 
 			aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
@@ -1371,7 +1378,7 @@ bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
 			for (elt2 = cfg_list_next(elt);
 			     elt2 != NULL;
 			     elt2 = cfg_list_next(elt2)) {
-				cfg_obj_t *acl2 = cfg_listelt_value(elt2);
+				const cfg_obj_t *acl2 = cfg_listelt_value(elt2);
 				const char *name;
 				name = cfg_obj_asstring(cfg_tuple_get(acl2,
 								      "name"));
@@ -1395,21 +1402,21 @@ bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
 
         tresult = cfg_map_get(config, "kal", &kals);
         if (tresult == ISC_R_SUCCESS) {
-		cfg_listelt_t *elt;
-		cfg_listelt_t *elt2;
+		const cfg_listelt_t *elt;
+		const cfg_listelt_t *elt2;
 		const char *aclname;
 
 		for (elt = cfg_list_first(kals);
 		     elt != NULL;
 		     elt = cfg_list_next(elt)) {
-			cfg_obj_t *acl = cfg_listelt_value(elt);
+			const cfg_obj_t *acl = cfg_listelt_value(elt);
 
 			aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
 
 			for (elt2 = cfg_list_next(elt);
 			     elt2 != NULL;
 			     elt2 = cfg_list_next(elt2)) {
-				cfg_obj_t *acl2 = cfg_listelt_value(elt2);
+				const cfg_obj_t *acl2 = cfg_listelt_value(elt2);
 				const char *name;
 				name = cfg_obj_asstring(cfg_tuple_get(acl2,
 								      "name"));
diff --git a/contrib/bind-9.3/lib/bind9/include/bind9/check.h b/contrib/bind-9.3/lib/bind9/include/bind9/check.h
index dcda517bb4..09e8b2e1be 100644
--- a/contrib/bind-9.3/lib/bind9/include/bind9/check.h
+++ b/contrib/bind-9.3/lib/bind9/include/bind9/check.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.h,v 1.1.200.4 2004/03/08 09:04:28 marka Exp $ */
+/* $Id: check.h,v 1.1.200.6 2006/03/02 00:37:20 marka Exp $ */
 
 #ifndef BIND9_CHECK_H
 #define BIND9_CHECK_H 1
@@ -28,7 +28,8 @@
 ISC_LANG_BEGINDECLS
 
 isc_result_t
-bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx);
+bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
+		      isc_mem_t *mctx);
 /*
  * Check the syntactic validity of a configuration parse tree generated from
  * a named.conf file.
@@ -44,7 +45,7 @@ bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx);
  */
 
 isc_result_t
-bind9_check_key(cfg_obj_t *config, isc_log_t *logctx);
+bind9_check_key(const cfg_obj_t *config, isc_log_t *logctx);
 /*
  * As above, but for a single 'key' statement.
  */
diff --git a/contrib/bind-9.3/lib/dns/acl.c b/contrib/bind-9.3/lib/dns/acl.c
index d2814405a7..e81d5ef338 100644
--- a/contrib/bind-9.3/lib/dns/acl.c
+++ b/contrib/bind-9.3/lib/dns/acl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acl.c,v 1.23.52.4 2004/03/09 05:21:08 marka Exp $ */
+/* $Id: acl.c,v 1.23.52.6 2006/03/02 00:37:20 marka Exp $ */
 
 #include <config.h>
 
@@ -68,7 +68,7 @@ dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target) {
 }
 
 isc_result_t
-dns_acl_appendelement(dns_acl_t *acl, dns_aclelement_t *elt) {
+dns_acl_appendelement(dns_acl_t *acl, const dns_aclelement_t *elt) {
 	if (acl->length + 1 > acl->alloc) {
 		/*
 		 * Resize the ACL.
@@ -123,12 +123,12 @@ dns_acl_none(isc_mem_t *mctx, dns_acl_t **target) {
 }
 
 isc_result_t
-dns_acl_match(isc_netaddr_t *reqaddr,
-	      dns_name_t *reqsigner,
-	      dns_acl_t *acl,
-	      dns_aclenv_t *env,
+dns_acl_match(const isc_netaddr_t *reqaddr,
+	      const dns_name_t *reqsigner,
+	      const dns_acl_t *acl,
+	      const dns_aclenv_t *env,
 	      int *match,
-	      dns_aclelement_t **matchelt)
+	      dns_aclelement_t const**matchelt)
 {
 	unsigned int i;
 
@@ -150,9 +150,9 @@ dns_acl_match(isc_netaddr_t *reqaddr,
 }
 
 isc_result_t
-dns_acl_elementmatch(dns_acl_t *acl,
-		     dns_aclelement_t *elt,
-		     dns_aclelement_t **matchelt)
+dns_acl_elementmatch(const dns_acl_t *acl,
+		     const dns_aclelement_t *elt,
+		     const dns_aclelement_t **matchelt)
 {
 	unsigned int i;
 
@@ -173,14 +173,14 @@ dns_acl_elementmatch(dns_acl_t *acl,
 }
 
 isc_boolean_t
-dns_aclelement_match(isc_netaddr_t *reqaddr,
-		     dns_name_t *reqsigner,
-		     dns_aclelement_t *e,
-		     dns_aclenv_t *env,
-		     dns_aclelement_t **matchelt)
+dns_aclelement_match(const isc_netaddr_t *reqaddr,
+		     const dns_name_t *reqsigner,
+		     const dns_aclelement_t *e,
+		     const dns_aclenv_t *env,
+		     const dns_aclelement_t **matchelt)
 {
 	dns_acl_t *inner = NULL;
-	isc_netaddr_t *addr;
+	const isc_netaddr_t *addr;
 	isc_netaddr_t v4addr;
 	int indirectmatch;
 	isc_result_t result;
@@ -312,7 +312,7 @@ dns_acl_detach(dns_acl_t **aclp) {
 }
 
 isc_boolean_t
-dns_aclelement_equal(dns_aclelement_t *ea, dns_aclelement_t *eb) {
+dns_aclelement_equal(const dns_aclelement_t *ea, const dns_aclelement_t *eb) {
 	if (ea->type != eb->type)
 		return (ISC_FALSE);
 	switch (ea->type) {
@@ -338,7 +338,7 @@ dns_aclelement_equal(dns_aclelement_t *ea, dns_aclelement_t *eb) {
 }
 
 isc_boolean_t
-dns_acl_equal(dns_acl_t *a, dns_acl_t *b) {
+dns_acl_equal(const dns_acl_t *a, const dns_acl_t *b) {
 	unsigned int i;
 	if (a == b)
 		return (ISC_TRUE);
@@ -353,7 +353,7 @@ dns_acl_equal(dns_acl_t *a, dns_acl_t *b) {
 }
 
 static isc_boolean_t
-is_loopback(dns_aclipprefix_t *p) {
+is_loopback(const dns_aclipprefix_t *p) {
 	switch (p->address.family) {
 	case AF_INET:
 		if (p->prefixlen == 32 &&
@@ -372,7 +372,7 @@ is_loopback(dns_aclipprefix_t *p) {
 }
 
 isc_boolean_t
-dns_acl_isinsecure(dns_acl_t *a) {
+dns_acl_isinsecure(const dns_acl_t *a) {
 	unsigned int i;
 	for (i = 0; i < a->length; i++) {
 		dns_aclelement_t *e = &a->elements[i];
diff --git a/contrib/bind-9.3/lib/dns/adb.c b/contrib/bind-9.3/lib/dns/adb.c
index c0b31db112..3fe436a2bb 100644
--- a/contrib/bind-9.3/lib/dns/adb.c
+++ b/contrib/bind-9.3/lib/dns/adb.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: adb.c,v 1.181.2.11.2.24 2005/10/14 05:19:00 marka Exp $ */
+/* $Id: adb.c,v 1.181.2.11.2.26 2006/01/04 23:50:20 marka Exp $ */
 
 /*
  * Implementation notes
@@ -2587,8 +2587,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
 		}
 	}
 
-	if (bucket != DNS_ADB_INVALIDBUCKET)
-		UNLOCK(&adb->namelocks[bucket]);
+	UNLOCK(&adb->namelocks[bucket]);
 
 	return (result);
 }
diff --git a/contrib/bind-9.3/lib/dns/api b/contrib/bind-9.3/lib/dns/api
index 7df81573fd..95b29be1b7 100644
--- a/contrib/bind-9.3/lib/dns/api
+++ b/contrib/bind-9.3/lib/dns/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 21
-LIBREVISION = 1
-LIBAGE = 0
+LIBINTERFACE = 23
+LIBREVISION = 0
+LIBAGE = 1
diff --git a/contrib/bind-9.3/lib/dns/cache.c b/contrib/bind-9.3/lib/dns/cache.c
index 0e17a957d1..f45af90d08 100644
--- a/contrib/bind-9.3/lib/dns/cache.c
+++ b/contrib/bind-9.3/lib/dns/cache.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cache.c,v 1.45.2.4.8.9 2005/03/17 03:58:30 marka Exp $ */
+/* $Id: cache.c,v 1.45.2.4.8.15 2006/08/01 01:07:05 marka Exp $ */
 
 #include <config.h>
 
@@ -68,7 +68,6 @@ typedef enum {
  * Convenience macros for comprehensive assertion checking.
  */
 #define CLEANER_IDLE(c) ((c)->state == cleaner_s_idle && \
-			 (c)->iterator == NULL && \
 			 (c)->resched_event != NULL)
 #define CLEANER_BUSY(c) ((c)->state == cleaner_s_busy && \
 			 (c)->iterator != NULL && \
@@ -101,6 +100,7 @@ struct cache_cleaner {
 					   clean in one increment */
 	cleaner_state_t  state;		/* Idle/Busy. */
 	isc_boolean_t	 overmem;	/* The cache is in an overmem state. */
+	isc_boolean_t	 replaceiterator;
 };
 
 /*
@@ -387,7 +387,7 @@ dns_cache_attachdb(dns_cache_t *cache, dns_db_t **dbp) {
 }
 
 isc_result_t
-dns_cache_setfilename(dns_cache_t *cache, char *filename) {
+dns_cache_setfilename(dns_cache_t *cache, const char *filename) {
 	char *newname;
 
 	REQUIRE(VALID_CACHE(cache));
@@ -501,12 +501,18 @@ cache_cleaner_init(dns_cache_t *cache, isc_taskmgr_t *taskmgr,
 	cleaner->cache = cache;
 	cleaner->iterator = NULL;
 	cleaner->overmem = ISC_FALSE;
+	cleaner->replaceiterator = ISC_FALSE;
 
 	cleaner->task = NULL;
 	cleaner->cleaning_timer = NULL;
 	cleaner->resched_event = NULL;
 	cleaner->overmem_event = NULL;
 
+	result = dns_db_createiterator(cleaner->cache->db, ISC_FALSE,
+				       &cleaner->iterator);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
 	if (taskmgr != NULL && timermgr != NULL) {
 		result = isc_task_create(taskmgr, 1, &cleaner->task);
 		if (result != ISC_R_SUCCESS) {
@@ -575,6 +581,8 @@ cache_cleaner_init(dns_cache_t *cache, isc_taskmgr_t *taskmgr,
 		isc_timer_detach(&cleaner->cleaning_timer);
 	if (cleaner->task != NULL)
 		isc_task_detach(&cleaner->task);
+	if (cleaner->iterator != NULL)
+		dns_dbiterator_destroy(&cleaner->iterator);
 	DESTROYLOCK(&cleaner->lock);
  fail:
 	return (result);
@@ -582,15 +590,17 @@ cache_cleaner_init(dns_cache_t *cache, isc_taskmgr_t *taskmgr,
 
 static void
 begin_cleaning(cache_cleaner_t *cleaner) {
-	isc_result_t result;
+	isc_result_t result = ISC_R_SUCCESS;
 
 	REQUIRE(CLEANER_IDLE(cleaner));
 
 	/*
-	 * Create an iterator and position it at the beginning of the cache.
+	 * Create an iterator, if it does not already exist, and
+         * position it at the beginning of the cache.
 	 */
-	result = dns_db_createiterator(cleaner->cache->db, ISC_FALSE,
-				       &cleaner->iterator);
+	if (cleaner->iterator == NULL)
+		result = dns_db_createiterator(cleaner->cache->db, ISC_FALSE,
+					       &cleaner->iterator);
 	if (result != ISC_R_SUCCESS)
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
 			      DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
@@ -600,20 +610,21 @@ begin_cleaning(cache_cleaner_t *cleaner) {
 		dns_dbiterator_setcleanmode(cleaner->iterator, ISC_TRUE);
 		result = dns_dbiterator_first(cleaner->iterator);
 	}
-
 	if (result != ISC_R_SUCCESS) {
 		/*
 		 * If the result is ISC_R_NOMORE, the database is empty,
 		 * so there is nothing to be cleaned.
 		 */
-		if (result != ISC_R_NOMORE)
+		if (result != ISC_R_NOMORE && cleaner->iterator != NULL) {
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
 					 "cache cleaner: "
 					 "dns_dbiterator_first() failed: %s",
 					 dns_result_totext(result));
-
-		if (cleaner->iterator != NULL)
 			dns_dbiterator_destroy(&cleaner->iterator);
+		} else if (cleaner->iterator != NULL) {
+			result = dns_dbiterator_pause(cleaner->iterator);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		}
 	} else {
 		/*
 		 * Pause the iterator to free its lock.
@@ -634,10 +645,14 @@ begin_cleaning(cache_cleaner_t *cleaner) {
 
 static void
 end_cleaning(cache_cleaner_t *cleaner, isc_event_t *event) {
+	isc_result_t result;
+
 	REQUIRE(CLEANER_BUSY(cleaner));
 	REQUIRE(event != NULL);
 
-	dns_dbiterator_destroy(&cleaner->iterator);
+	result = dns_dbiterator_pause(cleaner->iterator);
+	if (result != ISC_R_SUCCESS)
+		dns_dbiterator_destroy(&cleaner->iterator);
 
 	dns_cache_setcleaninginterval(cleaner->cache,
 				      cleaner->cleaning_interval);
@@ -735,6 +750,17 @@ incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
 	if (cleaner->state == cleaner_s_done) {
 		cleaner->state = cleaner_s_busy;
 		end_cleaning(cleaner, event);
+		LOCK(&cleaner->cache->lock);
+		LOCK(&cleaner->lock);
+		if (cleaner->replaceiterator) {
+			dns_dbiterator_destroy(&cleaner->iterator);
+			(void) dns_db_createiterator(cleaner->cache->db,
+						     ISC_FALSE,
+						     &cleaner->iterator);
+			cleaner->replaceiterator = ISC_FALSE;
+		}
+		UNLOCK(&cleaner->lock);
+		UNLOCK(&cleaner->cache->lock);
 		return;
 	}
 
@@ -774,7 +800,7 @@ incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
 			 * Either the end was reached (ISC_R_NOMORE) or
 			 * some error was signaled.  If the cache is still
 			 * overmem and no error was encountered,
-			 * keep trying to clean it, otherwise stop cleanng.
+			 * keep trying to clean it, otherwise stop cleaning.
 			 */
 			if (result != ISC_R_NOMORE)
 				UNEXPECTED_ERROR(__FILE__, __LINE__,
@@ -982,8 +1008,23 @@ dns_cache_flush(dns_cache_t *cache) {
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
+	LOCK(&cache->lock);
+	LOCK(&cache->cleaner.lock);
+	if (cache->cleaner.state == cleaner_s_idle) {
+		if (cache->cleaner.iterator != NULL)
+			dns_dbiterator_destroy(&cache->cleaner.iterator);
+		(void) dns_db_createiterator(db, ISC_FALSE,
+					     &cache->cleaner.iterator);
+	} else {
+		if (cache->cleaner.state == cleaner_s_busy)
+			cache->cleaner.state = cleaner_s_done;
+		cache->cleaner.replaceiterator = ISC_TRUE;
+	}
 	dns_db_detach(&cache->db);
 	cache->db = db;
+	UNLOCK(&cache->cleaner.lock);
+	UNLOCK(&cache->lock);
+
 	return (ISC_R_SUCCESS);
 }
 
diff --git a/contrib/bind-9.3/lib/dns/compress.c b/contrib/bind-9.3/lib/dns/compress.c
index e0fe8c276a..2122436865 100644
--- a/contrib/bind-9.3/lib/dns/compress.c
+++ b/contrib/bind-9.3/lib/dns/compress.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: compress.c,v 1.50.206.2 2004/03/06 08:13:37 marka Exp $ */
+/* $Id: compress.c,v 1.50.206.4 2006/03/02 00:37:20 marka Exp $ */
 
 #define DNS_NAME_USEINLINE 1
 
@@ -111,7 +111,7 @@ do { \
  * If no match is found return ISC_FALSE.
  */
 isc_boolean_t
-dns_compress_findglobal(dns_compress_t *cctx, dns_name_t *name,
+dns_compress_findglobal(dns_compress_t *cctx, const dns_name_t *name,
 			dns_name_t *prefix, isc_uint16_t *offset)
 {
 	dns_name_t tname, nname;
@@ -161,15 +161,15 @@ dns_compress_findglobal(dns_compress_t *cctx, dns_name_t *name,
 }
 
 static inline unsigned int
-name_length(dns_name_t *name) {
+name_length(const dns_name_t *name) {
 	isc_region_t r;
 	dns_name_toregion(name, &r);
 	return (r.length);
 }
 
 void
-dns_compress_add(dns_compress_t *cctx, dns_name_t *name, dns_name_t *prefix,
-		 isc_uint16_t offset)
+dns_compress_add(dns_compress_t *cctx, const dns_name_t *name,
+		 const dns_name_t *prefix, isc_uint16_t offset)
 {
 	dns_name_t tname;
 	unsigned int start;
diff --git a/contrib/bind-9.3/lib/dns/dispatch.c b/contrib/bind-9.3/lib/dns/dispatch.c
index 8534fe15ad..91ef2c5ee0 100644
--- a/contrib/bind-9.3/lib/dns/dispatch.c
+++ b/contrib/bind-9.3/lib/dns/dispatch.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dispatch.c,v 1.101.2.6.2.10 2004/09/01 04:27:41 marka Exp $ */
+/* $Id: dispatch.c,v 1.101.2.6.2.13 2006/07/19 00:44:04 marka Exp $ */
 
 #include <config.h>
 
@@ -641,6 +641,50 @@ udp_recv(isc_task_t *task, isc_event_t *ev_in) {
 		free_buffer(disp, ev->region.base, ev->region.length);
 		goto unlock;
 	} 
+
+	/*
+	 * Now that we have the original dispatch the query was sent
+	 * from check that the address and port the response was
+	 * sent to make sense.
+	 */
+	if (disp != resp->disp) {
+		isc_sockaddr_t a1;
+		isc_sockaddr_t a2;
+		
+		/*
+		 * Check that the socket types and ports match.
+		 */
+		if (disp->socktype != resp->disp->socktype ||
+		    isc_sockaddr_getport(&disp->local) !=
+		    isc_sockaddr_getport(&resp->disp->local)) {
+			free_buffer(disp, ev->region.base, ev->region.length);
+			goto unlock;
+		}
+
+		/*
+		 * If both dispatches are bound to an address then fail as
+		 * the addresses can't be equal (enforced by the IP stack).  
+		 *
+		 * Note under Linux a packet can be sent out via IPv4 socket
+		 * and the response be received via a IPv6 socket.
+		 * 
+		 * Requests sent out via IPv6 should always come back in
+		 * via IPv6.
+		 */
+		if (isc_sockaddr_pf(&resp->disp->local) == PF_INET6 &&
+		    isc_sockaddr_pf(&disp->local) != PF_INET6) {
+			free_buffer(disp, ev->region.base, ev->region.length);
+			goto unlock;
+		}
+		isc_sockaddr_anyofpf(&a1, isc_sockaddr_pf(&resp->disp->local));
+		isc_sockaddr_anyofpf(&a2, isc_sockaddr_pf(&disp->local));
+		if (!isc_sockaddr_eqaddr(&a1, &resp->disp->local) &&
+		    !isc_sockaddr_eqaddr(&a2, &disp->local)) {
+			free_buffer(disp, ev->region.base, ev->region.length);
+			goto unlock;
+		}
+	}
+
 	queue_response = resp->item_out;
 	rev = allocate_event(resp->disp);
 	if (rev == NULL) {
@@ -1687,6 +1731,11 @@ dns_dispatch_getudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
 /*
  * mgr should be locked.
  */
+
+#ifndef DNS_DISPATCH_HELD
+#define DNS_DISPATCH_HELD 20U
+#endif
+
 static isc_result_t
 dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
 		   isc_taskmgr_t *taskmgr,
@@ -1697,7 +1746,9 @@ dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
 {
 	isc_result_t result;
 	dns_dispatch_t *disp;
-	isc_socket_t *sock;
+	isc_socket_t *sock = NULL;
+	isc_socket_t *held[DNS_DISPATCH_HELD];
+	unsigned int i = 0, j = 0;
 
 	/*
 	 * dispatch_allocate() checks mgr for us.
@@ -1708,17 +1759,30 @@ dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
 		return (result);
 
 	/*
-	 * This assumes that the IP stack will *not* quickly reallocate
-	 * the same port.  If it does continually reallocate the same port
-	 * then we need a mechanism to hold all the blacklisted sockets
-	 * until we find a usable socket.
+	 * Try to allocate a socket that is not on the blacklist.
+	 * Hold up to DNS_DISPATCH_HELD sockets to prevent the OS
+	 * from returning the same port to us too quickly.
 	 */
+	memset(held, 0, sizeof(held));
  getsocket:
 	result = create_socket(sockmgr, localaddr, &sock);
 	if (result != ISC_R_SUCCESS)
 		goto deallocate_dispatch;
 	if (isc_sockaddr_getport(localaddr) == 0 && blacklisted(mgr, sock)) {
-		isc_socket_detach(&sock);
+		if (held[i] != NULL)
+			isc_socket_detach(&held[i]);
+		held[i++] = sock;
+		sock = NULL;
+		if (i == DNS_DISPATCH_HELD)
+			i = 0;
+		if (j++ == 0xffffU) {
+			mgr_log(mgr, ISC_LOG_ERROR, "avoid-v%s-udp-ports: "
+				"unable to allocate a non-blacklisted port",
+				isc_sockaddr_pf(localaddr) == AF_INET ?
+					"4" : "6");
+			result = ISC_R_FAILURE;
+			goto deallocate_dispatch;
+		}
 		goto getsocket;
 	}
 
@@ -1755,7 +1819,7 @@ dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
 
 	*dispp = disp;
 
-	return (ISC_R_SUCCESS);
+	goto cleanheld;
 
 	/*
 	 * Error returns.
@@ -1766,7 +1830,10 @@ dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
 	isc_socket_detach(&disp->socket);
  deallocate_dispatch:
 	dispatch_free(&disp);
-
+ cleanheld:
+	for (i = 0; i < DNS_DISPATCH_HELD; i++)
+		if (held[i] != NULL)
+			isc_socket_detach(&held[i]);
 	return (result);
 }
 
diff --git a/contrib/bind-9.3/lib/dns/dnssec.c b/contrib/bind-9.3/lib/dns/dnssec.c
index 34ff3d3ace..91f7a99fe9 100644
--- a/contrib/bind-9.3/lib/dns/dnssec.c
+++ b/contrib/bind-9.3/lib/dns/dnssec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.69.2.5.2.7 2004/06/11 00:30:54 marka Exp $
+ * $Id: dnssec.c,v 1.69.2.5.2.9 2006/01/04 23:50:20 marka Exp $
  */
 
 
@@ -330,8 +330,7 @@ cleanup_array:
 cleanup_context:
 	dst_context_destroy(&ctx);
 cleanup_databuf:
-	if (databuf != NULL)
-		isc_buffer_free(&databuf);
+	isc_buffer_free(&databuf);
 cleanup_signature:
 	isc_mem_put(mctx, sig.signature, sig.siglen);
 
diff --git a/contrib/bind-9.3/lib/dns/dst_api.c b/contrib/bind-9.3/lib/dns/dst_api.c
index 19f60a27e8..b7b03e6ef2 100644
--- a/contrib/bind-9.3/lib/dns/dst_api.c
+++ b/contrib/bind-9.3/lib/dns/dst_api.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2003  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
@@ -18,7 +18,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.1.4.1 2004/12/09 04:07:16 marka Exp $
+ * $Id: dst_api.c,v 1.1.4.3 2006/01/04 23:50:20 marka Exp $
  */
 
 #include <config.h>
@@ -1027,8 +1027,10 @@ write_public_key(const dst_key_t *key, int type, const char *directory) {
 	}
 
 	ret = dns_name_print(key->key_name, fp);
-	if (ret != ISC_R_SUCCESS)
+	if (ret != ISC_R_SUCCESS) {
+		fclose(fp);
 		return (ret);
+	}
 
 	fprintf(fp, " ");
 
diff --git a/contrib/bind-9.3/lib/dns/gen-win32.h b/contrib/bind-9.3/lib/dns/gen-win32.h
index d24c92e9ae..cff33b34cf 100644
--- a/contrib/bind-9.3/lib/dns/gen-win32.h
+++ b/contrib/bind-9.3/lib/dns/gen-win32.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -48,7 +48,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: gen-win32.h,v 1.14.12.3 2004/03/08 09:04:30 marka Exp $ */
+/* $Id: gen-win32.h,v 1.14.12.6 2006/10/03 23:50:50 marka Exp $ */
 
 /*
  * Principal Authors: Computer Systems Research Group at UC Berkeley
diff --git a/contrib/bind-9.3/lib/dns/gen.c b/contrib/bind-9.3/lib/dns/gen.c
index 4a6cc0d796..1d83023259 100644
--- a/contrib/bind-9.3/lib/dns/gen.c
+++ b/contrib/bind-9.3/lib/dns/gen.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,14 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gen.c,v 1.65.2.5.2.6 2004/03/15 01:02:54 marka Exp $ */
+/* $Id: gen.c,v 1.65.2.5.2.9 2006/10/02 06:31:26 marka Exp $ */
 
-#include <config.h>
+#ifdef WIN32
+/*
+ * Silence compiler warnings about using strcpy and friends.
+ */
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
 
 #include <sys/types.h>
 
diff --git a/contrib/bind-9.3/lib/dns/include/dns/acl.h b/contrib/bind-9.3/lib/dns/include/dns/acl.h
index bc723f43bf..ce4c8b6a86 100644
--- a/contrib/bind-9.3/lib/dns/include/dns/acl.h
+++ b/contrib/bind-9.3/lib/dns/include/dns/acl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acl.h,v 1.20.52.3 2004/03/08 09:04:34 marka Exp $ */
+/* $Id: acl.h,v 1.20.52.5 2006/03/02 00:37:20 marka Exp $ */
 
 #ifndef DNS_ACL_H
 #define DNS_ACL_H 1
@@ -104,7 +104,7 @@ dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target);
  */
 
 isc_result_t
-dns_acl_appendelement(dns_acl_t *acl, dns_aclelement_t *elt);
+dns_acl_appendelement(dns_acl_t *acl, const dns_aclelement_t *elt);
 /*
  * Append an element to an existing ACL.
  */
@@ -128,13 +128,13 @@ void
 dns_acl_detach(dns_acl_t **aclp);
 
 isc_boolean_t
-dns_aclelement_equal(dns_aclelement_t *ea, dns_aclelement_t *eb);
+dns_aclelement_equal(const dns_aclelement_t *ea, const dns_aclelement_t *eb);
 
 isc_boolean_t
-dns_acl_equal(dns_acl_t *a, dns_acl_t *b);
+dns_acl_equal(const dns_acl_t *a, const dns_acl_t *b);
 
 isc_boolean_t
-dns_acl_isinsecure(dns_acl_t *a);
+dns_acl_isinsecure(const dns_acl_t *a);
 /*
  * Return ISC_TRUE iff the acl 'a' is considered insecure, that is,
  * if it contains IP addresses other than those of the local host.
@@ -154,12 +154,12 @@ void
 dns_aclenv_destroy(dns_aclenv_t *env);
 
 isc_result_t
-dns_acl_match(isc_netaddr_t *reqaddr,
-	      dns_name_t *reqsigner,
-	      dns_acl_t *acl,
-	      dns_aclenv_t *env,
+dns_acl_match(const isc_netaddr_t *reqaddr,
+	      const dns_name_t *reqsigner,
+	      const dns_acl_t *acl,
+	      const dns_aclenv_t *env,
 	      int *match,
-	      dns_aclelement_t **matchelt);
+	      const dns_aclelement_t **matchelt);
 /*
  * General, low-level ACL matching.  This is expected to
  * be useful even for weird stuff like the topology and sortlist statements.
@@ -185,11 +185,11 @@ dns_acl_match(isc_netaddr_t *reqaddr,
  */
 
 isc_boolean_t
-dns_aclelement_match(isc_netaddr_t *reqaddr,
-		     dns_name_t *reqsigner,
-		     dns_aclelement_t *e,
-		     dns_aclenv_t *env,		     
-		     dns_aclelement_t **matchelt);
+dns_aclelement_match(const isc_netaddr_t *reqaddr,
+		     const dns_name_t *reqsigner,
+		     const dns_aclelement_t *e,
+		     const dns_aclenv_t *env,		     
+		     const dns_aclelement_t **matchelt);
 /*
  * Like dns_acl_match, but matches against the single ACL element 'e'
  * rather than a complete list and returns ISC_TRUE iff it matched.
@@ -200,9 +200,9 @@ dns_aclelement_match(isc_netaddr_t *reqaddr,
  */
 
 isc_result_t
-dns_acl_elementmatch(dns_acl_t *acl,
-		     dns_aclelement_t *elt,
-		     dns_aclelement_t **matchelt);
+dns_acl_elementmatch(const dns_acl_t *acl,
+		     const dns_aclelement_t *elt,
+		     const dns_aclelement_t **matchelt);
 /*
  * Search for an ACL element in 'acl' which is exactly the same as 'elt'.
  * If there is one, and 'matchelt' is non NULL, then '*matchelt' will point
diff --git a/contrib/bind-9.3/lib/dns/include/dns/cache.h b/contrib/bind-9.3/lib/dns/include/dns/cache.h
index 79c53de8f0..4b775c9c14 100644
--- a/contrib/bind-9.3/lib/dns/include/dns/cache.h
+++ b/contrib/bind-9.3/lib/dns/include/dns/cache.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cache.h,v 1.17.12.3 2004/03/08 09:04:34 marka Exp $ */
+/* $Id: cache.h,v 1.17.12.5 2006/03/02 00:37:20 marka Exp $ */
 
 #ifndef DNS_CACHE_H
 #define DNS_CACHE_H 1
@@ -151,7 +151,7 @@ dns_cache_attachdb(dns_cache_t *cache, dns_db_t **dbp);
 
 
 isc_result_t
-dns_cache_setfilename(dns_cache_t *cahce, char *filename);
+dns_cache_setfilename(dns_cache_t *cahce, const char *filename);
 /*
  * If 'filename' is non-NULL, make the cache persistent.
  * The cache's data will be stored in the given file.
diff --git a/contrib/bind-9.3/lib/dns/include/dns/compress.h b/contrib/bind-9.3/lib/dns/include/dns/compress.h
index 0f6451cc6b..042a4ea51a 100644
--- a/contrib/bind-9.3/lib/dns/include/dns/compress.h
+++ b/contrib/bind-9.3/lib/dns/include/dns/compress.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: compress.h,v 1.29.2.2.8.1 2004/03/06 08:13:51 marka Exp $ */
+/* $Id: compress.h,v 1.29.2.2.8.3 2006/03/02 00:37:20 marka Exp $ */
 
 #ifndef DNS_COMPRESS_H
 #define DNS_COMPRESS_H 1
@@ -136,7 +136,7 @@ dns_compress_getedns(dns_compress_t *cctx);
  */
 
 isc_boolean_t
-dns_compress_findglobal(dns_compress_t *cctx, dns_name_t *name,
+dns_compress_findglobal(dns_compress_t *cctx, const dns_name_t *name,
 			dns_name_t *prefix, isc_uint16_t *offset);
 /*
  *	Finds longest possible match of 'name' in the global compression table.
@@ -155,8 +155,8 @@ dns_compress_findglobal(dns_compress_t *cctx, dns_name_t *name,
  */
 
 void
-dns_compress_add(dns_compress_t *cctx, dns_name_t *name, dns_name_t *prefix,
-		 isc_uint16_t offset);
+dns_compress_add(dns_compress_t *cctx, const dns_name_t *name,
+		 const dns_name_t *prefix, isc_uint16_t offset);
 /*
  *	Add compression pointers for 'name' to the compression table,
  *	not replacing existing pointers.
diff --git a/contrib/bind-9.3/lib/dns/include/dns/keytable.h b/contrib/bind-9.3/lib/dns/include/dns/keytable.h
index a07c05201e..f3a21a68b3 100644
--- a/contrib/bind-9.3/lib/dns/include/dns/keytable.h
+++ b/contrib/bind-9.3/lib/dns/include/dns/keytable.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keytable.h,v 1.10.206.1 2004/03/06 08:13:56 marka Exp $ */
+/* $Id: keytable.h,v 1.10.206.3 2006/01/06 00:01:42 marka Exp $ */
 
 #ifndef DNS_KEYTABLE_H
 #define DNS_KEYTABLE_H 1
@@ -137,7 +137,8 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
 			 dns_keynode_t **keynodep);
 /*
  * Search for a key named 'name', matching 'algorithm' and 'tag' in
- * 'keytable'.
+ * 'keytable'.  This finds the first instance which matches.  Use
+ * dns_keytable_findnextkeynode() to find other instances.
  *
  * Requires:
  *
@@ -150,6 +151,7 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
  * Returns:
  *
  *	ISC_R_SUCCESS
+ *	DNS_R_PARTIALMATCH	the name existed in the keytable.
  *	ISC_R_NOTFOUND
  *
  *	Any other result indicates an error.
@@ -160,7 +162,7 @@ dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
 		                             dns_keynode_t **nextnodep);
 /*
  * Search for the next key with the same properties as 'keynode' in
- * 'keytable'.
+ * 'keytable' as found by dns_keytable_findkeynode().
  *
  * Requires:
  *
diff --git a/contrib/bind-9.3/lib/dns/include/dns/message.h b/contrib/bind-9.3/lib/dns/include/dns/message.h
index c827322146..960c11aa12 100644
--- a/contrib/bind-9.3/lib/dns/include/dns/message.h
+++ b/contrib/bind-9.3/lib/dns/include/dns/message.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.h,v 1.100.2.3.8.7 2004/03/08 02:08:00 marka Exp $ */
+/* $Id: message.h,v 1.100.2.3.8.10 2006/02/28 06:32:54 marka Exp $ */
 
 #ifndef DNS_MESSAGE_H
 #define DNS_MESSAGE_H 1
@@ -236,7 +236,7 @@ struct dns_message {
 	isc_region_t			saved;
 
 	dns_rdatasetorderfunc_t		order;
-	void *				order_arg;
+	const void *			order_arg;
 };
 
 /***
@@ -710,6 +710,27 @@ dns_message_findtype(dns_name_t *name, dns_rdatatype_t type,
  *	ISC_R_NOTFOUND		-- the desired type does not exist.
  */
 
+isc_result_t
+dns_message_find(dns_name_t *name, dns_rdataclass_t rdclass,
+		 dns_rdatatype_t type, dns_rdatatype_t covers,
+		 dns_rdataset_t **rdataset);
+/*%<
+ * Search the name for the specified rdclass and type.  If it is found,
+ * *rdataset is filled in with a pointer to that rdataset.
+ *
+ * Requires:
+ *\li	if '**rdataset' is non-NULL, *rdataset needs to be NULL.
+ *
+ *\li	'type' be a valid type, and NOT dns_rdatatype_any.
+ *
+ *\li	If 'type' is dns_rdatatype_rrsig, 'covers' must be a valid type.
+ *	Otherwise it should be 0.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *\li	#ISC_R_NOTFOUND		-- the desired type does not exist.
+ */
+
 void
 dns_message_movename(dns_message_t *msg, dns_name_t *name,
 		     dns_section_t fromsection,
@@ -1260,7 +1281,7 @@ dns_message_getrawmessage(dns_message_t *msg);
 
 void
 dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
-			 void *order_arg);
+			 const void *order_arg);
 /*
  * Define the order in which RR sets get rendered by
  * dns_message_rendersection() to be the ascending order
diff --git a/contrib/bind-9.3/lib/dns/include/dns/name.h b/contrib/bind-9.3/lib/dns/include/dns/name.h
index 5f6a3db9c1..ce9e1f1531 100644
--- a/contrib/bind-9.3/lib/dns/include/dns/name.h
+++ b/contrib/bind-9.3/lib/dns/include/dns/name.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.h,v 1.95.2.3.2.12 2004/09/08 00:29:34 marka Exp $ */
+/* $Id: name.h,v 1.95.2.3.2.14 2006/03/02 00:37:20 marka Exp $ */
 
 #ifndef DNS_NAME_H
 #define DNS_NAME_H 1
@@ -589,7 +589,7 @@ dns_name_getlabelsequence(const dns_name_t *source, unsigned int first,
 
 
 void
-dns_name_clone(dns_name_t *source, dns_name_t *target);
+dns_name_clone(const dns_name_t *source, dns_name_t *target);
 /*
  * Make 'target' refer to the same name as 'source'.
  *
@@ -703,7 +703,8 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
  */
 
 isc_result_t
-dns_name_towire(dns_name_t *name, dns_compress_t *cctx, isc_buffer_t *target);
+dns_name_towire(const dns_name_t *name, dns_compress_t *cctx,
+		isc_buffer_t *target);
 /*
  * Convert 'name' into wire format, compressing it as specified by the
  * compression context 'cctx', and storing the result in 'target'.
@@ -983,7 +984,7 @@ dns_name_split(dns_name_t *name, unsigned int suffixlabels,
  */
 
 isc_result_t
-dns_name_dup(dns_name_t *source, isc_mem_t *mctx, dns_name_t *target);
+dns_name_dup(const dns_name_t *source, isc_mem_t *mctx, dns_name_t *target);
 /*
  * Make 'target' a dynamically allocated copy of 'source'.
  *
diff --git a/contrib/bind-9.3/lib/dns/include/dns/peer.h b/contrib/bind-9.3/lib/dns/include/dns/peer.h
index 03f720af35..90329646c7 100644
--- a/contrib/bind-9.3/lib/dns/include/dns/peer.h
+++ b/contrib/bind-9.3/lib/dns/include/dns/peer.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: peer.h,v 1.16.2.1.10.3 2004/03/06 08:13:58 marka Exp $ */
+/* $Id: peer.h,v 1.16.2.1.10.5 2006/03/02 00:37:20 marka Exp $ */
 
 #ifndef DNS_PEER_H
 #define DNS_PEER_H 1
@@ -167,7 +167,8 @@ isc_result_t
 dns_peer_setkey(dns_peer_t *peer, dns_name_t **keyval);
 
 isc_result_t
-dns_peer_settransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source);
+dns_peer_settransfersource(dns_peer_t *peer,
+			   const isc_sockaddr_t *transfer_source);
 
 isc_result_t
 dns_peer_gettransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source);
diff --git a/contrib/bind-9.3/lib/dns/include/dns/rdataset.h b/contrib/bind-9.3/lib/dns/include/dns/rdataset.h
index d856784c3e..12cfbdeacc 100644
--- a/contrib/bind-9.3/lib/dns/include/dns/rdataset.h
+++ b/contrib/bind-9.3/lib/dns/include/dns/rdataset.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.h,v 1.41.2.5.2.8 2005/03/17 03:58:31 marka Exp $ */
+/* $Id: rdataset.h,v 1.41.2.5.2.10 2006/03/02 00:37:20 marka Exp $ */
 
 #ifndef DNS_RDATASET_H
 #define DNS_RDATASET_H 1
@@ -365,11 +365,11 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
 
 isc_result_t
 dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
-			  dns_name_t *owner_name,
+			  const dns_name_t *owner_name,
 			  dns_compress_t *cctx,
 			  isc_buffer_t *target,
 			  dns_rdatasetorderfunc_t order,
-			  void *order_arg,
+			  const void *order_arg,
 			  unsigned int options,
 			  unsigned int *countp);
 /*
@@ -384,11 +384,11 @@ dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
 
 isc_result_t
 dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
-			   dns_name_t *owner_name,
+			   const dns_name_t *owner_name,
 			   dns_compress_t *cctx,
 			   isc_buffer_t *target,
 			   dns_rdatasetorderfunc_t order,
-			   void *order_arg,
+			   const void *order_arg,
 			   unsigned int options,
 			   unsigned int *countp,
 			   void **state);
diff --git a/contrib/bind-9.3/lib/dns/include/dns/resolver.h b/contrib/bind-9.3/lib/dns/include/dns/resolver.h
index 0a6080d27a..8e3e63232b 100644
--- a/contrib/bind-9.3/lib/dns/include/dns/resolver.h
+++ b/contrib/bind-9.3/lib/dns/include/dns/resolver.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.h,v 1.34.12.7 2004/04/15 23:56:31 marka Exp $ */
+/* $Id: resolver.h,v 1.34.12.9 2006/02/01 23:48:51 marka Exp $ */
 
 #ifndef DNS_RESOLVER_H
 #define DNS_RESOLVER_H 1
@@ -136,7 +136,7 @@ dns_resolver_create(dns_view_t *view,
  *
  *	'dispatchv6' is a valid dispatcher with an IPv6 UDP socket, or is NULL.
  *
- *	*resp != NULL && *resp == NULL.
+ *	resp != NULL && *resp == NULL.
  *
  * Returns:
  *
diff --git a/contrib/bind-9.3/lib/dns/include/dns/types.h b/contrib/bind-9.3/lib/dns/include/dns/types.h
index 2bad7ea02c..27995deb27 100644
--- a/contrib/bind-9.3/lib/dns/include/dns/types.h
+++ b/contrib/bind-9.3/lib/dns/include/dns/types.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.103.12.7 2004/03/08 09:04:39 marka Exp $ */
+/* $Id: types.h,v 1.103.12.9 2006/03/02 00:37:20 marka Exp $ */
 
 #ifndef DNS_TYPES_H
 #define DNS_TYPES_H 1
@@ -294,6 +294,6 @@ typedef void
 (*dns_updatecallback_t)(void *, isc_result_t, dns_message_t *);
 
 typedef int 
-(*dns_rdatasetorderfunc_t)(dns_rdata_t *rdata, void *arg);
+(*dns_rdatasetorderfunc_t)(const dns_rdata_t *rdata, const void *arg);
 
 #endif /* DNS_TYPES_H */
diff --git a/contrib/bind-9.3/lib/dns/include/dns/validator.h b/contrib/bind-9.3/lib/dns/include/dns/validator.h
index 24769f3c88..a0d6acb68c 100644
--- a/contrib/bind-9.3/lib/dns/include/dns/validator.h
+++ b/contrib/bind-9.3/lib/dns/include/dns/validator.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.h,v 1.18.12.9 2005/09/06 02:12:41 marka Exp $ */
+/* $Id: validator.h,v 1.18.12.11.6.1 2007/01/11 04:51:39 marka Exp $ */
 
 #ifndef DNS_VALIDATOR_H
 #define DNS_VALIDATOR_H 1
@@ -24,27 +24,35 @@
  ***** Module Info
  *****/
 
-/*
+/*! \file
+ *
+ * \brief
  * DNS Validator
+ * This is the BIND 9 validator, the module responsible for validating the
+ * rdatasets and negative responses (messages).  It makes use of zones in
+ * the view and may fetch RRset to complete trust chains.  It implements
+ * DNSSEC as specified in RFC 4033, 4034 and 4035.
+ *
+ * It can also optionally implement ISC's DNSSEC look-aside validation.
  *
- * XXX <TBS> XXX
+ * Correct operation is critical to preventing spoofed answers from secure
+ * zones being accepted.
  *
  * MP:
- *	The module ensures appropriate synchronization of data structures it
+ *\li	The module ensures appropriate synchronization of data structures it
  *	creates and manipulates.
  *
  * Reliability:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Resources:
- *	<TBS>
+ *\li	TBS
  *
  * Security:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Standards:
- *	RFCs:	1034, 1035, 2181, 2535, <TBS>
- *	Drafts:	<TBS>
+ *\li	RFCs:	1034, 1035, 2181, 4033, 4034, 4035.
  */
 
 #include <isc/lang.h>
@@ -58,12 +66,16 @@
 
 #include <dst/dst.h>
 
-/*
+/*%
  * A dns_validatorevent_t is sent when a 'validation' completes.
- *
+ * \brief
  * 'name', 'rdataset', 'sigrdataset', and 'message' are the values that were
  * supplied when dns_validator_create() was called.  They are returned to the
  * caller so that they may be freed.
+ *
+ * If the RESULT is ISC_R_SUCCESS and the answer is secure then
+ * proofs[] will contain the the names of the NSEC records that hold the
+ * various proofs.  Note the same name may appear multiple times.
  */
 typedef struct dns_validatorevent {
 	ISC_EVENT_COMMON(struct dns_validatorevent);
@@ -81,9 +93,9 @@ typedef struct dns_validatorevent {
 #define DNS_VALIDATOR_NODATAPROOF 1
 #define DNS_VALIDATOR_NOWILDCARDPROOF 2
 
-/*
- * A validator object represents a validation in procgress.
- *
+/*%
+ * A validator object represents a validation in progress.
+ * \brief
  * Clients are strongly discouraged from using this type directly, with
  * the exception of the 'link' field, which may be used directly for
  * whatever purpose the client desires.
@@ -128,7 +140,11 @@ struct dns_validator {
 	unsigned int			depth;
 };
 
-#define DNS_VALIDATOR_DLV 1
+/*%
+ * dns_validator_create() options.
+ */
+#define DNS_VALIDATOR_DLV 1U
+#define DNS_VALIDATOR_DEFER 2U
 
 ISC_LANG_BEGINDECLS
 
@@ -138,7 +154,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 		     dns_message_t *message, unsigned int options,
 		     isc_task_t *task, isc_taskaction_t action, void *arg,
 		     dns_validator_t **validatorp);
-/*
+/*%<
  * Start a DNSSEC validation.
  *
  * This validates a response to the question given by
@@ -163,41 +179,54 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
  * arguments must be provided.
  *
  * The validation is performed in the context of 'view'.
- * 'options' must be zero.
  *
  * When the validation finishes, a dns_validatorevent_t with
  * the given 'action' and 'arg' are sent to 'task'.
  * Its 'result' field will be ISC_R_SUCCESS iff the
  * response was successfully proven to be either secure or
  * part of a known insecure domain.
+ *
+ * options:
+ * If DNS_VALIDATOR_DLV is set the caller knows there is not a
+ * trusted key and the validator should immediately attempt to validate
+ * the answer by looking for a appopriate DLV RRset.
+ */
+
+void
+dns_validator_send(dns_validator_t *validator);
+/*%<
+ * Send a deferred validation request
+ *
+ * Requires:
+ *	'validator' to points to a valid DNSSEC validator.
  */
 
 void
 dns_validator_cancel(dns_validator_t *validator);
-/*
+/*%<
  * Cancel a DNSSEC validation in progress.
  *
  * Requires:
- *	'validator' points to a valid DNSSEC validator, which
+ *\li	'validator' points to a valid DNSSEC validator, which
  *	may or may not already have completed.
  *
  * Ensures:
- *	It the validator has not already sent its completion
+ *\li	It the validator has not already sent its completion
  *	event, it will send it with result code ISC_R_CANCELED.
  */
 
 void
 dns_validator_destroy(dns_validator_t **validatorp);
-/*
+/*%<
  * Destroy a DNSSEC validator.
  *
  * Requires:
- *	'*validatorp' points to a valid DNSSEC validator.
- * 	The validator must have completed and sent its completion
+ *\li	'*validatorp' points to a valid DNSSEC validator.
+ * \li	The validator must have completed and sent its completion
  * 	event.
  *
  * Ensures:
- *	All resources used by the validator are freed.
+ *\li	All resources used by the validator are freed.
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind-9.3/lib/dns/include/dns/xfrin.h b/contrib/bind-9.3/lib/dns/include/dns/xfrin.h
index 0050238f94..0f5e086b21 100644
--- a/contrib/bind-9.3/lib/dns/include/dns/xfrin.h
+++ b/contrib/bind-9.3/lib/dns/include/dns/xfrin.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrin.h,v 1.18.136.2 2004/03/06 08:14:01 marka Exp $ */
+/* $Id: xfrin.h,v 1.18.136.4 2006/07/20 01:10:29 marka Exp $ */
 
 #ifndef DNS_XFRIN_H
 #define DNS_XFRIN_H 1
@@ -75,10 +75,12 @@ dns_xfrin_create2(dns_zone_t *zone, dns_rdatatype_t xfrtype,
  * code as arguments when the transfer finishes.
  *
  * Requires:
- *	'xfrtype' is dns_rdatatype_axfr or dns_rdatatype_ixfr.
+ *	'xfrtype' is dns_rdatatype_axfr, dns_rdatatype_ixfr
+ *	or dns_rdatatype_soa (soa query followed by axfr if
+ *	serial is greater than current serial).
  *
- *	If 'xfrtype' is dns_rdatatype_ixfr, the zone has a
- * 	database.
+ *	If 'xfrtype' is dns_rdatatype_ixfr or dns_rdatatype_soa,
+ *	the zone has a database.
  */
 
 void
diff --git a/contrib/bind-9.3/lib/dns/include/dns/zone.h b/contrib/bind-9.3/lib/dns/include/dns/zone.h
index b7680fa277..4baf36ab36 100644
--- a/contrib/bind-9.3/lib/dns/include/dns/zone.h
+++ b/contrib/bind-9.3/lib/dns/include/dns/zone.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.h,v 1.106.2.7.4.15 2004/10/26 02:08:43 marka Exp $ */
+/* $Id: zone.h,v 1.106.2.7.4.18 2006/08/01 03:44:00 marka Exp $ */
 
 #ifndef DNS_ZONE_H
 #define DNS_ZONE_H 1
@@ -163,7 +163,7 @@ dns_zone_getview(dns_zone_t *zone);
  */
 
 isc_result_t
-dns_zone_setorigin(dns_zone_t *zone, dns_name_t *origin);
+dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin);
 /*
  *	Sets the zones origin to 'origin'.
  *
@@ -414,11 +414,13 @@ dns_zone_maintenance(dns_zone_t *zone);
  */
 
 isc_result_t
-dns_zone_setmasters(dns_zone_t *zone, isc_sockaddr_t *masters,
+dns_zone_setmasters(dns_zone_t *zone, const isc_sockaddr_t *masters,
 		    isc_uint32_t count);
 isc_result_t
-dns_zone_setmasterswithkeys(dns_zone_t *zone, isc_sockaddr_t *masters,
-			    dns_name_t **keynames, isc_uint32_t count);
+dns_zone_setmasterswithkeys(dns_zone_t *zone,
+			    const isc_sockaddr_t *masters,
+			    dns_name_t **keynames,
+			    isc_uint32_t count);
 /*
  *	Set the list of master servers for the zone.
  *
@@ -440,7 +442,7 @@ dns_zone_setmasterswithkeys(dns_zone_t *zone, isc_sockaddr_t *masters,
  */
 
 isc_result_t
-dns_zone_setalsonotify(dns_zone_t *zone, isc_sockaddr_t *notify,
+dns_zone_setalsonotify(dns_zone_t *zone, const isc_sockaddr_t *notify,
 		       isc_uint32_t count);
 /*
  *	Set the list of additional servers to be notified when
@@ -525,9 +527,10 @@ dns_zone_setmaxretrytime(dns_zone_t *zone, isc_uint32_t val);
  */
 
 isc_result_t
-dns_zone_setxfrsource4(dns_zone_t *zone, isc_sockaddr_t *xfrsource);
+dns_zone_setxfrsource4(dns_zone_t *zone, const isc_sockaddr_t *xfrsource);
 isc_result_t
-dns_zone_setaltxfrsource4(dns_zone_t *zone, isc_sockaddr_t *xfrsource);
+dns_zone_setaltxfrsource4(dns_zone_t *zone,
+			  const isc_sockaddr_t *xfrsource);
 /*
  * 	Set the source address to be used in IPv4 zone transfers.
  *
@@ -552,9 +555,10 @@ dns_zone_getaltxfrsource4(dns_zone_t *zone);
  */
 
 isc_result_t
-dns_zone_setxfrsource6(dns_zone_t *zone, isc_sockaddr_t *xfrsource);
+dns_zone_setxfrsource6(dns_zone_t *zone, const isc_sockaddr_t *xfrsource);
 isc_result_t
-dns_zone_setaltxfrsource6(dns_zone_t *zone, isc_sockaddr_t *xfrsource);
+dns_zone_setaltxfrsource6(dns_zone_t *zone,
+			 const isc_sockaddr_t *xfrsource);
 /*
  * 	Set the source address to be used in IPv6 zone transfers.
  *
@@ -579,7 +583,7 @@ dns_zone_getaltxfrsource6(dns_zone_t *zone);
  */
 
 isc_result_t
-dns_zone_setnotifysrc4(dns_zone_t *zone, isc_sockaddr_t *notifysrc);
+dns_zone_setnotifysrc4(dns_zone_t *zone, const isc_sockaddr_t *notifysrc);
 /*
  * 	Set the source address to be used with IPv4 NOTIFY messages.
  *
@@ -602,7 +606,7 @@ dns_zone_getnotifysrc4(dns_zone_t *zone);
  */
 
 isc_result_t
-dns_zone_setnotifysrc6(dns_zone_t *zone, isc_sockaddr_t *notifysrc);
+dns_zone_setnotifysrc6(dns_zone_t *zone, const isc_sockaddr_t *notifysrc);
 /*
  * 	Set the source address to be used with IPv6 NOTIFY messages.
  *
@@ -1252,7 +1256,7 @@ dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone);
 void
 dns_zonemgr_settransfersin(dns_zonemgr_t *zmgr, isc_uint32_t value);
 /*
- *	Set the maximum number of simultanious transfers in allowed by
+ *	Set the maximum number of simultaneous transfers in allowed by
  *	the zone manager.
  *
  * Requires:
@@ -1262,7 +1266,7 @@ dns_zonemgr_settransfersin(dns_zonemgr_t *zmgr, isc_uint32_t value);
 isc_uint32_t
 dns_zonemgr_getttransfersin(dns_zonemgr_t *zmgr);
 /*
- *	Return the the maximum number of simultanious transfers in allowed.
+ *	Return the the maximum number of simultaneous transfers in allowed.
  *
  * Requires:
  *	'zmgr' to be a valid zone manager.
diff --git a/contrib/bind-9.3/lib/dns/keytable.c b/contrib/bind-9.3/lib/dns/keytable.c
index 922c09af11..7f3e3cff2b 100644
--- a/contrib/bind-9.3/lib/dns/keytable.c
+++ b/contrib/bind-9.3/lib/dns/keytable.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keytable.c,v 1.26.12.3 2004/03/08 09:04:30 marka Exp $ */
+/* $Id: keytable.c,v 1.26.12.5 2006/01/06 00:01:42 marka Exp $ */
 
 #include <config.h>
 
@@ -244,6 +244,13 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
 
 	RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
 
+	/*
+	 * Note we don't want the DNS_R_PARTIALMATCH from dns_rbt_findname()
+	 * as that indicates that 'name' was not found.
+	 *
+	 * DNS_R_PARTIALMATCH indicates that the name was found but we
+	 * didn't get a match on algorithm and key id arguments.
+	 */
 	knode = NULL;
 	data = NULL;
 	result = dns_rbt_findname(keytable->table, name, 0, NULL, &data);
@@ -261,7 +268,7 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
 			UNLOCK(&keytable->lock);
 			*keynodep = knode;
 		} else
-			result = ISC_R_NOTFOUND;
+			result = DNS_R_PARTIALMATCH;
 	} else if (result == DNS_R_PARTIALMATCH)
 		result = ISC_R_NOTFOUND;
 
diff --git a/contrib/bind-9.3/lib/dns/lookup.c b/contrib/bind-9.3/lib/dns/lookup.c
index e593c7be7f..1cf572145d 100644
--- a/contrib/bind-9.3/lib/dns/lookup.c
+++ b/contrib/bind-9.3/lib/dns/lookup.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lookup.c,v 1.9.12.5 2004/04/15 02:10:40 marka Exp $ */
+/* $Id: lookup.c,v 1.9.12.7 2006/01/04 23:50:20 marka Exp $ */
 
 #include <config.h>
 
@@ -154,11 +154,6 @@ build_event(dns_lookup_t *lookup) {
 			dns_rdataset_disassociate(rdataset);
 		isc_mem_put(lookup->mctx, rdataset, sizeof(dns_rdataset_t));
 	}
-	if (sigrdataset != NULL) {
-		if (dns_rdataset_isassociated(sigrdataset))
-			dns_rdataset_disassociate(sigrdataset);
-		isc_mem_put(lookup->mctx, sigrdataset, sizeof(dns_rdataset_t));
-	}
 	return (result);
 }
 
@@ -229,13 +224,14 @@ lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event) {
 					send_event = ISC_TRUE;
 				goto done;
 			}
-		} else {
+		} else if (event != NULL) {
 			result = event->result;
 			fname = dns_fixedname_name(&event->foundname);
 			dns_resolver_destroyfetch(&lookup->fetch);
 			INSIST(event->rdataset == &lookup->rdataset);
 			INSIST(event->sigrdataset == &lookup->sigrdataset);
-		}
+		} else
+			fname = NULL;	/* Silence compiler warning. */
 
 		/*
 		 * If we've been canceled, forget about the result.
diff --git a/contrib/bind-9.3/lib/dns/masterdump.c b/contrib/bind-9.3/lib/dns/masterdump.c
index 0225d7243f..0f4716d583 100644
--- a/contrib/bind-9.3/lib/dns/masterdump.c
+++ b/contrib/bind-9.3/lib/dns/masterdump.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: masterdump.c,v 1.56.2.5.2.12 2004/08/28 06:25:19 marka Exp $ */
+/* $Id: masterdump.c,v 1.56.2.5.2.15 2006/03/10 00:17:21 marka Exp $ */
 
 #include <config.h>
 
@@ -1160,7 +1160,8 @@ dumptostreaminc(dns_dumpctx_t *dctx) {
 	}
 
 	if (dctx->nodes != 0 && result == ISC_R_SUCCESS) {
-		dns_dbiterator_pause(dctx->dbiter);
+		result = dns_dbiterator_pause(dctx->dbiter);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		result = DNS_R_CONTINUE;
 	} else if (result == ISC_R_NOMORE)
 		result = ISC_R_SUCCESS;
@@ -1197,9 +1198,8 @@ dns_master_dumptostreaminc(isc_mem_t *mctx, dns_db_t *db,
 		dns_dumpctx_attach(dctx, dctxp);
 		return (DNS_R_CONTINUE);
 	}
-	if (dctx != NULL)
-		dns_dumpctx_detach(&dctx);
 
+	dns_dumpctx_detach(&dctx);
 	return (result);
 }
 
diff --git a/contrib/bind-9.3/lib/dns/message.c b/contrib/bind-9.3/lib/dns/message.c
index d4b2e1962f..33875433f6 100644
--- a/contrib/bind-9.3/lib/dns/message.c
+++ b/contrib/bind-9.3/lib/dns/message.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.c,v 1.194.2.10.2.20 2005/06/07 01:42:23 marka Exp $ */
+/* $Id: message.c,v 1.194.2.10.2.24 2006/02/28 06:32:54 marka Exp $ */
 
 /***
  *** Imports
@@ -800,12 +800,38 @@ findname(dns_name_t **foundname, dns_name_t *target,
 	return (ISC_R_NOTFOUND);
 }
 
+isc_result_t
+dns_message_find(dns_name_t *name, dns_rdataclass_t rdclass,
+		 dns_rdatatype_t type, dns_rdatatype_t covers,
+		 dns_rdataset_t **rdataset)
+{
+	dns_rdataset_t *curr;
+
+	if (rdataset != NULL) {
+		REQUIRE(*rdataset == NULL);
+	}
+
+	for (curr = ISC_LIST_TAIL(name->list);
+	     curr != NULL;
+	     curr = ISC_LIST_PREV(curr, link)) {
+		if (curr->rdclass == rdclass &&
+		    curr->type == type && curr->covers == covers) {
+			if (rdataset != NULL)
+				*rdataset = curr;
+			return (ISC_R_SUCCESS);
+		}
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
 isc_result_t
 dns_message_findtype(dns_name_t *name, dns_rdatatype_t type,
 		     dns_rdatatype_t covers, dns_rdataset_t **rdataset)
 {
 	dns_rdataset_t *curr;
 
+	REQUIRE(name != NULL);
 	if (rdataset != NULL) {
 		REQUIRE(*rdataset == NULL);
 	}
@@ -1030,7 +1056,7 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 		/*
 		 * Can't ask the same question twice.
 		 */
-		result = dns_message_findtype(name, rdtype, 0, NULL);
+		result = dns_message_find(name, rdclass, rdtype, 0, NULL);
 		if (result == ISC_R_SUCCESS)
 			DO_FORMERR;
 
@@ -1190,6 +1216,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 		    && rdtype != dns_rdatatype_dnskey /* in a TKEY query */
 		    && rdtype != dns_rdatatype_sig /* SIG(0) */
 		    && rdtype != dns_rdatatype_tkey /* Win2000 TKEY */
+		    && msg->rdclass != dns_rdataclass_any
 		    && msg->rdclass != rdclass)
 			DO_FORMERR;
 
@@ -1279,12 +1306,9 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 			rdata->type = rdtype;
 			rdata->flags = DNS_RDATA_UPDATE;
 			result = ISC_R_SUCCESS;
-		} else if (rdtype == dns_rdatatype_tsig)
+		} else
 			result = getrdata(source, msg, dctx, rdclass,
 					  rdtype, rdatalen, rdata);
-		else
-			result = getrdata(source, msg, dctx, msg->rdclass,
-					  rdtype, rdatalen, rdata);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
 		rdata->rdclass = rdclass;
@@ -1360,8 +1384,8 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 				DO_FORMERR;
 
 			rdataset = NULL;
-			result = dns_message_findtype(name, rdtype, covers,
-						      &rdataset);
+			result = dns_message_find(name, rdclass, rdtype,
+						   covers, &rdataset);
 		}
 
 		/*
@@ -1799,7 +1823,7 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 		if (rdataset != NULL &&
 		    (rdataset->attributes & DNS_RDATASETATTR_REQUIREDGLUE) != 0 &&
 		    (rdataset->attributes & DNS_RDATASETATTR_RENDERED) == 0) {
-			void *order_arg = msg->order_arg;
+			const void *order_arg = msg->order_arg;
 			st = *(msg->buffer);
 			count = 0;
 			if (partial)
@@ -3187,7 +3211,7 @@ dns_message_getrawmessage(dns_message_t *msg) {
 
 void
 dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
-			 void *order_arg)
+			 const void *order_arg)
 {
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	msg->order = order;
diff --git a/contrib/bind-9.3/lib/dns/name.c b/contrib/bind-9.3/lib/dns/name.c
index 116a56a818..1a257de8e1 100644
--- a/contrib/bind-9.3/lib/dns/name.c
+++ b/contrib/bind-9.3/lib/dns/name.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.c,v 1.127.2.7.2.14 2005/10/14 01:38:48 marka Exp $ */
+/* $Id: name.c,v 1.127.2.7.2.16 2006/03/02 00:37:20 marka Exp $ */
 
 #include <config.h>
 
@@ -856,7 +856,7 @@ dns_name_getlabelsequence(const dns_name_t *source,
 }
 
 void
-dns_name_clone(dns_name_t *source, dns_name_t *target) {
+dns_name_clone(const dns_name_t *source, dns_name_t *target) {
 
 	/*
 	 * Make 'target' refer to the same name as 'source'.
@@ -1748,7 +1748,9 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
 }
 
 isc_result_t
-dns_name_towire(dns_name_t *name, dns_compress_t *cctx, isc_buffer_t *target) {
+dns_name_towire(const dns_name_t *name, dns_compress_t *cctx,
+		isc_buffer_t *target)
+{
 	unsigned int methods;
 	isc_uint16_t offset;
 	dns_name_t gp;	/* Global compression prefix */
@@ -1962,7 +1964,9 @@ dns_name_split(dns_name_t *name, unsigned int suffixlabels,
 }
 
 isc_result_t
-dns_name_dup(dns_name_t *source, isc_mem_t *mctx, dns_name_t *target) {
+dns_name_dup(const dns_name_t *source, isc_mem_t *mctx,
+	     dns_name_t *target)
+{
 	/*
 	 * Make 'target' a dynamically allocated copy of 'source'.
 	 */
diff --git a/contrib/bind-9.3/lib/dns/openssl_link.c b/contrib/bind-9.3/lib/dns/openssl_link.c
index 62eac05f30..525905c188 100644
--- a/contrib/bind-9.3/lib/dns/openssl_link.c
+++ b/contrib/bind-9.3/lib/dns/openssl_link.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2003  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
@@ -18,7 +18,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: openssl_link.c,v 1.1.4.1 2004/12/09 04:07:18 marka Exp $
+ * $Id: openssl_link.c,v 1.1.4.3 2006/05/23 23:51:03 marka Exp $
  */
 #ifdef OPENSSL
 
@@ -39,7 +39,7 @@
 #include <openssl/rand.h>
 #include <openssl/crypto.h>
 
-#if defined(CRYPTO_LOCK_ENGINE) && (OPENSSL_VERSION_NUMBER < 0x00907000L)
+#if defined(CRYPTO_LOCK_ENGINE) && (OPENSSL_VERSION_NUMBER != 0x00907000L)
 #define USE_ENGINE 1
 #endif
 
@@ -160,7 +160,7 @@ dst__openssl_init() {
 		goto cleanup_rm;
 	}
 	ENGINE_set_RAND(e, rm);
-	RAND_set_rand_method(e);
+	RAND_set_rand_method(rm);
 #else
 	RAND_set_rand_method(rm);
 #endif
diff --git a/contrib/bind-9.3/lib/dns/openssldh_link.c b/contrib/bind-9.3/lib/dns/openssldh_link.c
index 24255834d7..74ba39af36 100644
--- a/contrib/bind-9.3/lib/dns/openssldh_link.c
+++ b/contrib/bind-9.3/lib/dns/openssldh_link.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2002  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
@@ -18,7 +18,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: openssldh_link.c,v 1.1.4.1 2004/12/09 04:07:18 marka Exp $
+ * $Id: openssldh_link.c,v 1.1.4.3 2006/03/02 00:37:20 marka Exp $
  */
 
 #ifdef OPENSSL
@@ -138,6 +138,79 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
 	return (ISC_TRUE);
 }
 
+#ifndef HAVE_DH_GENERATE_PARAMETERS
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+static DH *
+DH_generate_parameters(int prime_len, int generator,
+		       void (*callback)(int,int,void *), void *cb_arg)
+{
+        BN_GENCB cb;
+        DH *dh = NULL;
+
+	dh = DH_new();
+	if (dh != NULL) {
+		BN_GENCB_set_old(&cb, callback, cb_arg);
+
+		if (DH_generate_parameters_ex(dh, prime_len, generator, &cb))
+			return (dh);
+		DH_free(dh);
+	}
+        return (NULL);
+}
+#endif
+
 static isc_result_t
 openssldh_generate(dst_key_t *key, int generator) {
 	DH *dh = NULL;
diff --git a/contrib/bind-9.3/lib/dns/openssldsa_link.c b/contrib/bind-9.3/lib/dns/openssldsa_link.c
index ac84a6565b..267bfe8d13 100644
--- a/contrib/bind-9.3/lib/dns/openssldsa_link.c
+++ b/contrib/bind-9.3/lib/dns/openssldsa_link.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2002  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
@@ -16,7 +16,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: openssldsa_link.c,v 1.1.4.1 2004/12/09 04:07:18 marka Exp $ */
+/* $Id: openssldsa_link.c,v 1.1.4.3 2006/03/02 00:37:20 marka Exp $ */
 
 #ifdef OPENSSL
 
@@ -169,6 +169,83 @@ openssldsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	return (ISC_TRUE);
 }
 
+#ifndef HAVE_DSA_GENERATE_PARAMETERS
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+static DSA *
+DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
+			int *counter_ret, unsigned long *h_ret,
+			void (*callback)(int, int, void *),
+			void *cb_arg)
+{
+        BN_GENCB cb;
+        DSA *dsa;
+ 
+        dsa = DSA_new();
+	if (dsa != NULL) {
+ 
+		BN_GENCB_set_old(&cb, callback, cb_arg);
+  
+		if (DSA_generate_parameters_ex(dsa, bits, seed_in, seed_len,  
+					       counter_ret, h_ret, &cb))
+			return (dsa);
+		DSA_free(dsa);
+	}
+        return (NULL);
+}
+#endif
+
 static isc_result_t
 openssldsa_generate(dst_key_t *key, int unused) {
 	DSA *dsa;
diff --git a/contrib/bind-9.3/lib/dns/opensslrsa_link.c b/contrib/bind-9.3/lib/dns/opensslrsa_link.c
index 0d4426bfab..c33913ce3d 100644
--- a/contrib/bind-9.3/lib/dns/opensslrsa_link.c
+++ b/contrib/bind-9.3/lib/dns/opensslrsa_link.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -17,7 +17,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.1.4.1 2004/12/09 04:07:18 marka Exp $
+ * $Id: opensslrsa_link.c,v 1.1.4.9 2006/11/07 21:28:40 marka Exp $
  */
 #ifdef OPENSSL
 
@@ -39,6 +39,22 @@
 #include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/rsa.h>
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+#include <openssl/bn.h>
+#endif
+
+/*
+ * We don't use configure for windows so enforce the OpenSSL version
+ * here.  Unlike with configure we don't support overriding this test.
+ */
+#ifdef WIN32
+#if !((OPENSSL_VERSION_NUMBER >= 0x009070cfL && \
+       OPENSSL_VERSION_NUMBER < 0x00908000L) || \
+      OPENSSL_VERSION_NUMBER >= 0x0090804fL) 
+#error Please upgrade OpenSSL to 0.9.8d/0.9.7l or greater.
+#endif
+#endif
+
 
 	/*
 	 * XXXMPA  Temporarially disable RSA_BLINDING as it requires
@@ -68,6 +84,12 @@
 	(rsa)->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE); \
 	(rsa)->flags &= ~RSA_FLAG_BLINDING; \
 	} while (0)
+#elif defined(RSA_FLAG_NO_BLINDING)
+#define SET_FLAGS(rsa) \
+	do { \
+		(rsa)->flags &= ~RSA_FLAG_BLINDING; \
+		(rsa)->flags |= RSA_FLAG_NO_BLINDING; \
+	} while (0)
 #else
 #define SET_FLAGS(rsa) \
 	do { \
@@ -87,12 +109,16 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 		isc_md5_t *md5ctx;
 
 		md5ctx = isc_mem_get(dctx->mctx, sizeof(isc_md5_t));
+		if (md5ctx == NULL)
+			return (ISC_R_NOMEMORY);
 		isc_md5_init(md5ctx);
 		dctx->opaque = md5ctx;
 	} else {
 		isc_sha1_t *sha1ctx;
 
 		sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t));
+		if (sha1ctx == NULL)
+			return (ISC_R_NOMEMORY);
 		isc_sha1_init(sha1ctx);
 		dctx->opaque = sha1ctx;
 	}
@@ -260,20 +286,55 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 
 static isc_result_t
 opensslrsa_generate(dst_key_t *key, int exp) {
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+	BN_GENCB cb;
+	RSA *rsa = RSA_new();
+	BIGNUM *e = BN_new();
+
+	if (rsa == NULL || e == NULL)
+		goto err;
+
+	if (exp == 0) {
+		/* RSA_F4 0x10001 */
+		BN_set_bit(e, 0);
+		BN_set_bit(e, 16);
+	} else {
+		/* F5 0x100000001 */
+		BN_set_bit(e, 0);
+		BN_set_bit(e, 32);
+	}
+
+	BN_GENCB_set_old(&cb, NULL, NULL);
+
+	if (RSA_generate_key_ex(rsa, key->key_size, e, &cb)) {
+		BN_free(e);
+		SET_FLAGS(rsa);
+		key->opaque = rsa;
+		return (ISC_R_SUCCESS);
+	}
+
+err:
+	if (e != NULL)
+		BN_free(e);
+	if (rsa != NULL)
+		RSA_free(rsa);
+	return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+#else
 	RSA *rsa;
 	unsigned long e;
 
 	if (exp == 0)
-		e = RSA_3;
+	       e = RSA_F4;
 	else
-		e = RSA_F4;
+	       e = 0x40000003;
 	rsa = RSA_generate_key(key->key_size, e, NULL, NULL);
 	if (rsa == NULL)
-		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	       return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 	SET_FLAGS(rsa);
 	key->opaque = rsa;
 
 	return (ISC_R_SUCCESS);
+#endif
 }
 
 static isc_boolean_t
diff --git a/contrib/bind-9.3/lib/dns/peer.c b/contrib/bind-9.3/lib/dns/peer.c
index a50ff0c9ab..8b6ccdb2be 100644
--- a/contrib/bind-9.3/lib/dns/peer.c
+++ b/contrib/bind-9.3/lib/dns/peer.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: peer.c,v 1.14.2.1.10.4 2004/03/06 08:13:41 marka Exp $ */
+/* $Id: peer.c,v 1.14.2.1.10.6 2006/03/02 00:37:20 marka Exp $ */
 
 #include <config.h>
 
@@ -491,7 +491,9 @@ dns_peer_setkeybycharp(dns_peer_t *peer, const char *keyval) {
 }
 
 isc_result_t
-dns_peer_settransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source) {
+dns_peer_settransfersource(dns_peer_t *peer,
+			   const isc_sockaddr_t *transfer_source)
+{
 	REQUIRE(DNS_PEER_VALID(peer));
 
 	if (peer->transfer_source != NULL) {
diff --git a/contrib/bind-9.3/lib/dns/portlist.c b/contrib/bind-9.3/lib/dns/portlist.c
index 64546e374b..f65910bbea 100644
--- a/contrib/bind-9.3/lib/dns/portlist.c
+++ b/contrib/bind-9.3/lib/dns/portlist.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: portlist.c,v 1.3.72.4 2004/03/16 05:50:21 marka Exp $ */
+/* $Id: portlist.c,v 1.3.72.6 2006/08/25 05:25:50 marka Exp $ */
+
+#include <config.h>
 
 #include <stdlib.h>
 
diff --git a/contrib/bind-9.3/lib/dns/rbtdb.c b/contrib/bind-9.3/lib/dns/rbtdb.c
index f399dd17bc..8930d355fd 100644
--- a/contrib/bind-9.3/lib/dns/rbtdb.c
+++ b/contrib/bind-9.3/lib/dns/rbtdb.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.168.2.11.2.22 2005/10/14 01:38:48 marka Exp $ */
+/* $Id: rbtdb.c,v 1.168.2.11.2.26 2006/03/02 23:18:20 marka Exp $ */
 
 /*
  * Principal Author: Bob Halley
@@ -1011,6 +1011,47 @@ cleanup_nondirty(rbtdb_version_t *version, rbtdb_changedlist_t *cleanup_list) {
 	}
 }
 
+static isc_boolean_t
+iszonesecure(dns_db_t *db, dns_dbnode_t *origin) {
+	dns_rdataset_t keyset;
+	dns_rdataset_t nsecset, signsecset;
+	isc_boolean_t haszonekey = ISC_FALSE;
+	isc_boolean_t hasnsec = ISC_FALSE;
+	isc_result_t result;
+
+	dns_rdataset_init(&keyset);
+	result = dns_db_findrdataset(db, origin, NULL, dns_rdatatype_dnskey, 0,
+				     0, &keyset, NULL);
+	if (result == ISC_R_SUCCESS) {
+		dns_rdata_t keyrdata = DNS_RDATA_INIT;
+		result = dns_rdataset_first(&keyset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdataset_current(&keyset, &keyrdata);
+			if (dns_zonekey_iszonekey(&keyrdata)) {
+				haszonekey = ISC_TRUE;
+				break;
+			}
+			result = dns_rdataset_next(&keyset);
+		}
+		dns_rdataset_disassociate(&keyset);
+	}
+	if (!haszonekey)
+		return (ISC_FALSE);
+
+	dns_rdataset_init(&nsecset);
+	dns_rdataset_init(&signsecset);
+	result = dns_db_findrdataset(db, origin, NULL, dns_rdatatype_nsec, 0,
+				     0, &nsecset, &signsecset);
+	if (result == ISC_R_SUCCESS) {
+		if (dns_rdataset_isassociated(&signsecset)) {
+			hasnsec = ISC_TRUE;
+			dns_rdataset_disassociate(&signsecset);
+		}
+		dns_rdataset_disassociate(&nsecset);
+	}
+	return (hasnsec);
+}
+
 static void
 closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
 	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
@@ -1136,6 +1177,12 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
 	least_serial = rbtdb->least_serial;
 	UNLOCK(&rbtdb->lock);
 
+	/*
+	 * Update the zone's secure status.
+	 */
+	if (version->writer && commit && !IS_CACHE(rbtdb))
+		rbtdb->secure = iszonesecure(db, rbtdb->origin_node);
+
 	if (cleanup_version != NULL) {
 		INSIST(EMPTY(cleanup_version->changed_list));
 		isc_mem_put(rbtdb->common.mctx, cleanup_version,
@@ -2184,12 +2231,12 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 
 	/*
 	 * Certain DNSSEC types are not subject to CNAME matching
-	 * (RFC 2535, section 2.3.5).
+	 * (RFC4035, section 2.5 and RFC3007).
 	 *
 	 * We don't check for RRSIG, because we don't store RRSIG records
 	 * directly.
 	 */
-	if (type == dns_rdatatype_dnskey || type == dns_rdatatype_nsec)
+	if (type == dns_rdatatype_key || type == dns_rdatatype_nsec)
 		cname_ok = ISC_FALSE;
 
 	/*
@@ -2247,9 +2294,15 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 				search.need_cleanup = ISC_TRUE;
 				maybe_zonecut = ISC_FALSE;
 				at_zonecut = ISC_TRUE;
+				/*
+				 * It is not clear if KEY should still be
+				 * allowed at the parent side of the zone
+				 * cut or not.  It is needed for RFC3007
+				 * validated updates.
+				 */
 				if ((search.options & DNS_DBFIND_GLUEOK) == 0
 				    && type != dns_rdatatype_nsec
-				    && type != dns_rdatatype_dnskey) {
+				    && type != dns_rdatatype_key) {
 					/*
 					 * Glue is not OK, but any answer we
 					 * could return would be glue.  Return
@@ -2430,8 +2483,14 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 		 * and the type is NSEC or KEY.
 		 */
 		if (search.zonecut == node) {
+			/*
+			 * It is not clear if KEY should still be
+			 * allowed at the parent side of the zone
+			 * cut or not.  It is needed for RFC3007
+			 * validated updates.
+			 */
 			if (type == dns_rdatatype_nsec ||
-			    type == dns_rdatatype_dnskey)
+			    type == dns_rdatatype_key)
 				result = ISC_R_SUCCESS;
 			else if (type == dns_rdatatype_any)
 				result = DNS_R_ZONECUT;
@@ -2860,7 +2919,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	rdatasetheader_t *header, *header_prev, *header_next;
 	rdatasetheader_t *found, *nsheader;
 	rdatasetheader_t *foundsig, *nssig, *cnamesig;
-	rbtdb_rdatatype_t sigtype, nsectype;
+	rbtdb_rdatatype_t sigtype, negtype;
 
 	UNUSED(version);
 
@@ -2918,12 +2977,12 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 
 	/*
 	 * Certain DNSSEC types are not subject to CNAME matching
-	 * (RFC 2535, section 2.3.5).
+	 * (RFC4035, section 2.5 and RFC3007).
 	 *
 	 * We don't check for RRSIG, because we don't store RRSIG records
 	 * directly.
 	 */
-	if (type == dns_rdatatype_dnskey || type == dns_rdatatype_nsec)
+	if (type == dns_rdatatype_key || type == dns_rdatatype_nsec)
 		cname_ok = ISC_FALSE;
 
 	/*
@@ -2935,7 +2994,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	found = NULL;
 	foundsig = NULL;
 	sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
-	nsectype = RBTDB_RDATATYPE_VALUE(0, type);
+	negtype = RBTDB_RDATATYPE_VALUE(0, type);
 	nsheader = NULL;
 	nssig = NULL;
 	cnamesig = NULL;
@@ -3007,7 +3066,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 				 */
 				foundsig = header;
 			} else if (header->type == RBTDB_RDATATYPE_NCACHEANY ||
-				   header->type == nsectype) {
+				   header->type == negtype) {
 				/*
 				 * We've found a negative cache entry.
 				 */
@@ -3618,7 +3677,7 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
 	dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
 	rdatasetheader_t *header, *header_next, *found, *foundsig;
-	rbtdb_rdatatype_t matchtype, sigmatchtype, nsectype;
+	rbtdb_rdatatype_t matchtype, sigmatchtype, negtype;
 	isc_result_t result;
 
 	REQUIRE(VALID_RBTDB(rbtdb));
@@ -3636,7 +3695,7 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	found = NULL;
 	foundsig = NULL;
 	matchtype = RBTDB_RDATATYPE_VALUE(type, covers);
-	nsectype = RBTDB_RDATATYPE_VALUE(0, type);
+	negtype = RBTDB_RDATATYPE_VALUE(0, type);
 	if (covers == 0)
 		sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
 	else
@@ -3659,7 +3718,7 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 			if (header->type == matchtype)
 				found = header;
 			else if (header->type == RBTDB_RDATATYPE_NCACHEANY ||
-				 header->type == nsectype)
+				 header->type == negtype)
 				found = header;
 			else if (header->type == sigmatchtype)
 				foundsig = header;
@@ -3785,16 +3844,13 @@ cname_and_other_data(dns_rbtnode_t *node, rbtdb_serial_t serial) {
 			 * Look for active extant "other data".
 			 *
 			 * "Other data" is any rdataset whose type is not
-			 * DNSKEY, RRSIG DNSKEY, NSEC, RRSIG NSEC,
-			 * or RRSIG CNAME.
+			 * KEY, RRSIG KEY, NSEC, RRSIG NSEC or RRSIG CNAME.
 			 */
 			rdtype = RBTDB_RDATATYPE_BASE(header->type);
 			if (rdtype == dns_rdatatype_rrsig ||
 			    rdtype == dns_rdatatype_sig)
 				rdtype = RBTDB_RDATATYPE_EXT(header->type);
 			if (rdtype != dns_rdatatype_nsec &&
-			    rdtype != dns_rdatatype_dnskey &&
-			    rdtype != dns_rdatatype_nxt &&
 			    rdtype != dns_rdatatype_key &&
 			    rdtype != dns_rdatatype_cname) {
 				/*
@@ -3839,7 +3895,8 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 	isc_boolean_t header_nx;
 	isc_boolean_t newheader_nx;
 	isc_boolean_t merge;
-	dns_rdatatype_t nsectype, rdtype, covers;
+	dns_rdatatype_t rdtype, covers;
+	rbtdb_rdatatype_t negtype;
 	dns_trust_t trust;
 
 	/*
@@ -3877,7 +3934,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 	newheader_nx = NONEXISTENT(newheader) ? ISC_TRUE : ISC_FALSE;
 	topheader_prev = NULL;
 
-	nsectype = 0;
+	negtype = 0;
 	if (rbtversion == NULL && !newheader_nx) {
 		rdtype = RBTDB_RDATATYPE_BASE(newheader->type);
 		if (rdtype == 0) {
@@ -3887,12 +3944,13 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 			covers = RBTDB_RDATATYPE_EXT(newheader->type);
 			if (covers == dns_rdatatype_any) {
 				/*
-				 * We're adding an NXDOMAIN negative cache
-				 * entry.
+				 * We're adding an negative cache entry
+				 * which covers all types (NXDOMAIN,
+				 * NODATA(QTYPE=ANY)).
 				 *
 				 * We make all other data stale so that the
 				 * only rdataset that can be found at this
-				 * node is the NXDOMAIN negative cache entry.
+				 * node is the negative cache entry.
 				 */
 				for (topheader = rbtnode->data;
 				     topheader != NULL;
@@ -3904,17 +3962,19 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 				rbtnode->dirty = 1;
 				goto find_header;
 			}
-			nsectype = RBTDB_RDATATYPE_VALUE(covers, 0);
+			negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
 		} else {
 			/*
 			 * We're adding something that isn't a
 			 * negative cache entry.  Look for an extant
-			 * non-stale NXDOMAIN negative cache entry.
+			 * non-stale NXDOMAIN/NODATA(QTYPE=ANY) negative
+			 * cache entry.
 			 */
 			for (topheader = rbtnode->data;
 			     topheader != NULL;
 			     topheader = topheader->next) {
-				if (NXDOMAIN(topheader))
+				if (topheader->type == 
+				    RBTDB_RDATATYPE_NCACHEANY)
 					break;
 			}
 			if (topheader != NULL && EXISTS(topheader) &&
@@ -3924,7 +3984,8 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 				 */
 				if (trust < topheader->trust) {
 					/*
-					 * The NXDOMAIN is more trusted.
+					 * The NXDOMAIN/NODATA(QTYPE=ANY)
+					 * is more trusted.
 					 */
 					free_rdataset(rbtdb->common.mctx,
 						      newheader);
@@ -3936,7 +3997,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 				}
 				/*
 				 * The new rdataset is better.  Expire the
-				 * NXDOMAIN.
+				 * NXDOMAIN/NODATA(QTYPE=ANY).
 				 */
 				topheader->ttl = 0;
 				topheader->attributes |= RDATASET_ATTR_STALE;
@@ -3944,7 +4005,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 				topheader = NULL;
 				goto find_header;
 			}
-			nsectype = RBTDB_RDATATYPE_VALUE(0, rdtype);
+			negtype = RBTDB_RDATATYPE_VALUE(0, rdtype);
 		}
 	}
 
@@ -3952,7 +4013,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 	     topheader != NULL;
 	     topheader = topheader->next) {
 		if (topheader->type == newheader->type ||
-		    topheader->type == nsectype)
+		    topheader->type == negtype)
 			break;
 		topheader_prev = topheader;
 	}
@@ -4118,6 +4179,10 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 			rbtnode->dirty = 1;
 			if (changed != NULL)
 				changed->dirty = ISC_TRUE;
+			if (rbtversion == NULL) {
+				header->ttl = 0;
+				header->attributes |= RDATASET_ATTR_STALE;
+			}
 		}
 	} else {
 		/*
@@ -4318,6 +4383,13 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	if (delegating)
 		RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
 
+	/*
+	 * Update the zone's secure status.  If version is non-NULL
+	 * this is defered until closeversion() is called.
+	 */
+	if (result == ISC_R_SUCCESS && version == NULL && !IS_CACHE(rbtdb))
+		rbtdb->secure = iszonesecure(db, rbtdb->origin_node);
+
 	return (result);
 }
 
@@ -4460,6 +4532,13 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
  unlock:
 	UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
 
+	/*
+	 * Update the zone's secure status.  If version is non-NULL
+	 * this is defered until closeversion() is called.
+	 */
+	if (result == ISC_R_SUCCESS && version == NULL && !IS_CACHE(rbtdb))
+		rbtdb->secure = iszonesecure(db, rbtdb->origin_node);
+
 	return (result);
 }
 
@@ -4501,6 +4580,13 @@ deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 
 	UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
 
+	/*
+	 * Update the zone's secure status.  If version is non-NULL
+	 * this is defered until closeversion() is called.
+	 */
+	if (result == ISC_R_SUCCESS && version == NULL && !IS_CACHE(rbtdb))
+		rbtdb->secure = iszonesecure(db, rbtdb->origin_node);
+
 	return (result);
 }
 
@@ -4615,48 +4701,6 @@ beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp, dns_dbload_t **dbloadp) {
 	return (ISC_R_SUCCESS);
 }
 
-static isc_boolean_t
-iszonesecure(dns_db_t *db, dns_dbnode_t *origin) {
-	dns_rdataset_t keyset;
-	dns_rdataset_t nsecset, signsecset;
-	isc_boolean_t haszonekey = ISC_FALSE;
-	isc_boolean_t hasnsec = ISC_FALSE;
-	isc_result_t result;
-
-	dns_rdataset_init(&keyset);
-	result = dns_db_findrdataset(db, origin, NULL, dns_rdatatype_dnskey, 0,
-				     0, &keyset, NULL);
-	if (result == ISC_R_SUCCESS) {
-		dns_rdata_t keyrdata = DNS_RDATA_INIT;
-		result = dns_rdataset_first(&keyset);
-		while (result == ISC_R_SUCCESS) {
-			dns_rdataset_current(&keyset, &keyrdata);
-			if (dns_zonekey_iszonekey(&keyrdata)) {
-				haszonekey = ISC_TRUE;
-				break;
-			}
-			result = dns_rdataset_next(&keyset);
-		}
-		dns_rdataset_disassociate(&keyset);
-	}
-	if (!haszonekey)
-		return (ISC_FALSE);
-
-	dns_rdataset_init(&nsecset);
-	dns_rdataset_init(&signsecset);
-	result = dns_db_findrdataset(db, origin, NULL, dns_rdatatype_nsec, 0,
-				     0, &nsecset, &signsecset);
-	if (result == ISC_R_SUCCESS) {
-		if (dns_rdataset_isassociated(&signsecset)) {
-			hasnsec = ISC_TRUE;
-			dns_rdataset_disassociate(&signsecset);
-		}
-		dns_rdataset_disassociate(&nsecset);
-	}
-	return (hasnsec);
-
-}
-
 static isc_result_t
 endload(dns_db_t *db, dns_dbload_t **dbloadp) {
 	rbtdb_load_t *loadctx;
@@ -5235,7 +5279,8 @@ rdatasetiter_next(dns_rdatasetiter_t *iterator) {
 	rdatasetheader_t *header, *top_next;
 	rbtdb_serial_t serial;
 	isc_stdtime_t now;
-	rbtdb_rdatatype_t type;
+	rbtdb_rdatatype_t type, negtype;
+	dns_rdatatype_t rdtype, covers;
 
 	header = rbtiterator->current;
 	if (header == NULL)
@@ -5252,9 +5297,18 @@ rdatasetiter_next(dns_rdatasetiter_t *iterator) {
 	LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
 
 	type = header->type;
+	rdtype = RBTDB_RDATATYPE_BASE(header->type);
+	if (rdtype == 0) {
+		covers = RBTDB_RDATATYPE_EXT(header->type);
+		negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
+	} else 
+		negtype = RBTDB_RDATATYPE_VALUE(0, rdtype);
 	for (header = header->next; header != NULL; header = top_next) {
 		top_next = header->next;
-		if (header->type != type) {
+		/*
+		 * If not walking back up the down list.
+		 */
+		if (header->type != type && header->type != negtype) {
 			do {
 				if (header->serial <= serial &&
 				    !IGNORE(header)) {
diff --git a/contrib/bind-9.3/lib/dns/rdata.c b/contrib/bind-9.3/lib/dns/rdata.c
index 1b3f2a51c1..bcd0e15005 100644
--- a/contrib/bind-9.3/lib/dns/rdata.c
+++ b/contrib/bind-9.3/lib/dns/rdata.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdata.c,v 1.147.2.11.2.20 2005/07/22 05:27:52 marka Exp $ */
+/* $Id: rdata.c,v 1.147.2.11.2.22 2006/07/21 02:05:56 marka Exp $ */
 
 #include <config.h>
 #include <ctype.h>
@@ -1266,7 +1266,7 @@ hexvalue(char value) {
 		return (-1);
 	if (isupper(c))
 		c = tolower(c);
-	if ((s = strchr(hexdigits, value)) == NULL)
+	if ((s = strchr(hexdigits, c)) == NULL)
 		return (-1);
 	return (s - hexdigits);
 }
diff --git a/contrib/bind-9.3/lib/dns/rdata/generic/dlv_32769.c b/contrib/bind-9.3/lib/dns/rdata/generic/dlv_32769.c
new file mode 100644
index 0000000000..b28435c8bd
--- /dev/null
+++ b/contrib/bind-9.3/lib/dns/rdata/generic/dlv_32769.c
@@ -0,0 +1,281 @@
+/*
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dlv_32769.c,v 1.2.4.2 2006/02/19 06:50:46 marka Exp $ */
+
+/* draft-ietf-dnsext-delegation-signer-05.txt */
+
+#ifndef RDATA_GENERIC_DLV_32769_C
+#define RDATA_GENERIC_DLV_32769_C
+
+#define RRTYPE_DLV_ATTRIBUTES 0
+
+static inline isc_result_t
+fromtext_dlv(ARGS_FROMTEXT) {
+	isc_token_t token;
+
+	REQUIRE(type == 32769);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/*
+	 * Key tag.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      ISC_FALSE));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      ISC_FALSE));
+	if (token.value.as_ulong > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Digest type.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      ISC_FALSE));
+	if (token.value.as_ulong > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+	type = (isc_uint16_t) token.value.as_ulong;
+
+	/*
+	 * Digest.
+	 */
+	return (isc_hex_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_dlv(ARGS_TOTEXT) {
+	isc_region_t sr;
+	char buf[sizeof("64000 ")];
+	unsigned int n;
+
+	REQUIRE(rdata->type == 32769);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Key tag.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	sprintf(buf, "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Algorithm.
+	 */
+	n = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	sprintf(buf, "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Digest type.
+	 */
+	n = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	sprintf(buf, "%u", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Digest.
+	 */
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" (", target));
+	RETERR(str_totext(tctx->linebreak, target));
+	RETERR(isc_hex_totext(&sr, tctx->width - 2, tctx->linebreak, target));
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" )", target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_dlv(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(type == 32769);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 4)
+		return (ISC_R_UNEXPECTEDEND);
+
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_dlv(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == 32769);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_dlv(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == 32769);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_dlv(ARGS_FROMSTRUCT) {
+	dns_rdata_dlv_t *dlv = source;
+
+	REQUIRE(type == 32769);
+	REQUIRE(source != NULL);
+	REQUIRE(dlv->common.rdtype == type);
+	REQUIRE(dlv->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(dlv->key_tag, target));
+	RETERR(uint8_tobuffer(dlv->algorithm, target));
+	RETERR(uint8_tobuffer(dlv->digest_type, target));
+
+	return (mem_tobuffer(target, dlv->digest, dlv->length));
+}
+
+static inline isc_result_t
+tostruct_dlv(ARGS_TOSTRUCT) {
+	dns_rdata_dlv_t *dlv = target;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == 32769);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	dlv->common.rdclass = rdata->rdclass;
+	dlv->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&dlv->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	dlv->key_tag = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	dlv->algorithm = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	dlv->digest_type = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	dlv->length = region.length;
+
+	dlv->digest = mem_maybedup(mctx, region.base, region.length);
+	if (dlv->digest == NULL)
+		return (ISC_R_NOMEMORY);
+
+	dlv->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_dlv(ARGS_FREESTRUCT) {
+	dns_rdata_dlv_t *dlv = source;
+
+	REQUIRE(dlv != NULL);
+	REQUIRE(dlv->common.rdtype == 32769);
+
+	if (dlv->mctx == NULL)
+		return;
+
+	if (dlv->digest != NULL)
+		isc_mem_free(dlv->mctx, dlv->digest);
+	dlv->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_dlv(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == 32769);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_dlv(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == 32769);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_dlv(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 32769);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_dlv(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 32769);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
+#endif	/* RDATA_GENERIC_DLV_32769_C */
diff --git a/contrib/bind-9.3/lib/isc/nothreads/mutex.c b/contrib/bind-9.3/lib/dns/rdata/generic/dlv_32769.h
similarity index 59%
copy from contrib/bind-9.3/lib/isc/nothreads/mutex.c
copy to contrib/bind-9.3/lib/dns/rdata/generic/dlv_32769.h
index cc7572a697..08a9b1d4aa 100644
--- a/contrib/bind-9.3/lib/isc/nothreads/mutex.c
+++ b/contrib/bind-9.3/lib/dns/rdata/generic/dlv_32769.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,9 +14,20 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutex.c,v 1.4.12.3 2004/03/08 09:04:54 marka Exp $ */
+/* $Id: dlv_32769.h,v 1.2.4.2 2006/02/19 06:50:46 marka Exp $ */
 
-#include <isc/util.h>
+/* draft-ietf-dnsext-delegation-signer-05.txt */
+#ifndef GENERIC_DLV_32769_H
+#define GENERIC_DLV_32769_H 1
 
-EMPTY_TRANSLATION_UNIT
+typedef struct dns_rdata_dlv {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	isc_uint16_t		key_tag;
+	isc_uint8_t		algorithm;
+	isc_uint8_t		digest_type;
+	isc_uint16_t		length;
+	unsigned char		*digest;
+} dns_rdata_dlv_t;
 
+#endif /* GENERIC_DLV_32769_H */
diff --git a/contrib/bind-9.3/lib/dns/rdataset.c b/contrib/bind-9.3/lib/dns/rdataset.c
index 672777b02f..8af71c3f8d 100644
--- a/contrib/bind-9.3/lib/dns/rdataset.c
+++ b/contrib/bind-9.3/lib/dns/rdataset.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.c,v 1.58.2.2.2.10 2004/03/08 09:04:31 marka Exp $ */
+/* $Id: rdataset.c,v 1.58.2.2.2.12 2006/03/02 00:37:20 marka Exp $ */
 
 #include <config.h>
 
@@ -280,9 +280,9 @@ towire_compare(const void *av, const void *bv) {
 }
 
 static isc_result_t
-towiresorted(dns_rdataset_t *rdataset, dns_name_t *owner_name,
+towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 	     dns_compress_t *cctx, isc_buffer_t *target,
-	     dns_rdatasetorderfunc_t order, void *order_arg,
+	     dns_rdatasetorderfunc_t order, const void *order_arg,
 	     isc_boolean_t partial, unsigned int options,
 	     unsigned int *countp, void **state)
 {
@@ -528,11 +528,11 @@ towiresorted(dns_rdataset_t *rdataset, dns_name_t *owner_name,
 
 isc_result_t
 dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
-			  dns_name_t *owner_name,
+			  const dns_name_t *owner_name,
 			  dns_compress_t *cctx,
 			  isc_buffer_t *target,
 			  dns_rdatasetorderfunc_t order,
-			  void *order_arg,
+			  const void *order_arg,
 			  unsigned int options,
 			  unsigned int *countp)
 {
@@ -543,11 +543,11 @@ dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
 
 isc_result_t
 dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
-			   dns_name_t *owner_name,
+			   const dns_name_t *owner_name,
 			   dns_compress_t *cctx,
 			   isc_buffer_t *target,
 			   dns_rdatasetorderfunc_t order,
-			   void *order_arg,
+			   const void *order_arg,
 			   unsigned int options,
 			   unsigned int *countp,
 			   void **state)
diff --git a/contrib/bind-9.3/lib/dns/request.c b/contrib/bind-9.3/lib/dns/request.c
index 3ec845f80d..c325fd4c28 100644
--- a/contrib/bind-9.3/lib/dns/request.c
+++ b/contrib/bind-9.3/lib/dns/request.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: request.c,v 1.64.2.1.10.6 2004/03/08 09:04:31 marka Exp $ */
+/* $Id: request.c,v 1.64.2.1.10.9 2006/08/21 00:50:48 marka Exp $ */
 
 #include <config.h>
 
@@ -512,6 +512,7 @@ create_tcp_dispatch(dns_requestmgr_t *requestmgr, isc_sockaddr_t *srcaddr,
 				   isc_sockettype_tcp, &socket);
 	if (result != ISC_R_SUCCESS)
 		return (result);
+#ifndef BROKEN_TCP_BIND_BEFORE_CONNECT
 	if (srcaddr == NULL) {
 		isc_sockaddr_anyofpf(&bind_any,
 				     isc_sockaddr_pf(destaddr));
@@ -523,6 +524,7 @@ create_tcp_dispatch(dns_requestmgr_t *requestmgr, isc_sockaddr_t *srcaddr,
 	}
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
+#endif
 	attrs = 0;
 	attrs |= DNS_DISPATCHATTR_TCP;
 	attrs |= DNS_DISPATCHATTR_PRIVATE;
@@ -701,6 +703,7 @@ dns_request_createraw3(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
 		if (udptimeout == 0)
 			udptimeout = 1;
 	}
+	request->udpcount = udpretries;
 
 	/*
 	 * Create timer now.  We will set it below once.
@@ -898,6 +901,7 @@ dns_request_createvia3(dns_requestmgr_t *requestmgr, dns_message_t *message,
 		if (udptimeout == 0)
 			udptimeout = 1;
 	}
+	request->udpcount = udpretries;
 
 	/*
 	 * Create timer now.  We will set it below once.
diff --git a/contrib/bind-9.3/lib/dns/resolver.c b/contrib/bind-9.3/lib/dns/resolver.c
index 28779645a5..a56fecfd3c 100644
--- a/contrib/bind-9.3/lib/dns/resolver.c
+++ b/contrib/bind-9.3/lib/dns/resolver.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.218.2.18.4.56.4.1 2006/08/17 07:12:31 marka Exp $ */
+/* $Id: resolver.c,v 1.218.2.18.4.64.4.2 2007/01/11 05:05:10 marka Exp $ */
 
 #include <config.h>
 
@@ -27,8 +27,10 @@
 
 #include <dns/acl.h>
 #include <dns/adb.h>
+#include <dns/cache.h>
 #include <dns/db.h>
 #include <dns/dispatch.h>
+#include <dns/ds.h>
 #include <dns/events.h>
 #include <dns/forward.h>
 #include <dns/keytable.h>
@@ -47,6 +49,7 @@
 #include <dns/rdatatype.h>
 #include <dns/resolver.h>
 #include <dns/result.h>
+#include <dns/rootns.h>
 #include <dns/tsig.h>
 #include <dns/validator.h>
 
@@ -215,6 +218,11 @@ struct fetchctx {
 	dns_name_t 			nsname; 
 	dns_fetch_t *			nsfetch;
 	dns_rdataset_t			nsrrset;
+
+	/*%
+	 * Number of queries that reference this context.
+	 */
+	unsigned int			nqueries;
 };
 
 #define FCTX_MAGIC			ISC_MAGIC('F', '!', '!', '!')
@@ -348,6 +356,7 @@ static isc_result_t ncache_adderesult(dns_message_t *message,
 				      dns_rdataset_t *ardataset,
 				      isc_result_t *eresultp);
 static void validated(isc_task_t *task, isc_event_t *event); 
+static void maybe_destroy(fetchctx_t *fctx);
 
 static isc_result_t
 valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
@@ -366,6 +375,9 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
 	valarg->fctx = fctx;
 	valarg->addrinfo = addrinfo;
 
+	if (!ISC_LIST_EMPTY(fctx->validators))
+		INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
+
 	result = dns_validator_create(fctx->res->view, name, type, rdataset,
 				      sigrdataset, fctx->rmessage,
 				      valoptions, task, validated, valarg,
@@ -461,8 +473,7 @@ fctx_starttimer(fetchctx_t *fctx) {
 	 * no further idle events are delivered.
 	 */
 	return (isc_timer_reset(fctx->timer, isc_timertype_once,
-				&fctx->expires, NULL,
-				ISC_TRUE));
+				&fctx->expires, NULL, ISC_TRUE));
 }
 
 static inline void
@@ -513,6 +524,9 @@ resquery_destroy(resquery_t **queryp) {
 
 	INSIST(query->tcpsocket == NULL);
 
+	query->fctx->nqueries--;
+	if (SHUTTINGDOWN(query->fctx))
+		maybe_destroy(query->fctx);	/* Locks bucket. */
 	query->magic = 0;
 	isc_mem_put(query->mctx, query, sizeof(*query));
 	*queryp = NULL;
@@ -971,6 +985,8 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
+	INSIST(ISC_LIST_EMPTY(fctx->validators));
+
 	dns_message_reset(fctx->rmessage, DNS_MESSAGE_INTENTPARSE);
 
 	query = isc_mem_get(res->mctx, sizeof(*query));
@@ -1028,9 +1044,11 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 		if (result != ISC_R_SUCCESS)
 			goto cleanup_query;
 
+#ifndef BROKEN_TCP_BIND_BEFORE_CONNECT
 		result = isc_socket_bind(query->tcpsocket, &addr);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup_socket;
+#endif
 
 		/*
 		 * A dispatch will be created once the connect succeeds.
@@ -1084,6 +1102,7 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 	}
 
 	ISC_LIST_APPEND(fctx->queries, query, link);
+	query->fctx->nqueries++;
 
 	return (ISC_R_SUCCESS);
 
@@ -1287,6 +1306,12 @@ resquery_send(resquery_t *query) {
 		goto cleanup_message;
 	}
 
+	/*
+	 * Clear CD if EDNS is not in use.
+	 */
+	if ((query->options & DNS_FETCHOPT_NOEDNS0) != 0)
+		fctx->qmessage->flags &= ~DNS_MESSAGEFLAG_CD;
+
 	/*
 	 * Add TSIG record tailored to the current recipient.
 	 */
@@ -1530,7 +1555,7 @@ fctx_finddone(isc_task_t *task, isc_event_t *event) {
 			want_done = ISC_TRUE;
 		}
 	} else if (SHUTTINGDOWN(fctx) && fctx->pending == 0 &&
-		   ISC_LIST_EMPTY(fctx->validators)) {
+		   fctx->nqueries == 0 && ISC_LIST_EMPTY(fctx->validators)) {
 		bucketnum = fctx->bucketnum;
 		LOCK(&res->buckets[bucketnum].lock);
 		/*
@@ -2384,8 +2409,8 @@ fctx_destroy(fetchctx_t *fctx) {
 	REQUIRE(ISC_LIST_EMPTY(fctx->finds));
 	REQUIRE(ISC_LIST_EMPTY(fctx->altfinds));
 	REQUIRE(fctx->pending == 0);
-	REQUIRE(ISC_LIST_EMPTY(fctx->validators));
 	REQUIRE(fctx->references == 0);
+	REQUIRE(ISC_LIST_EMPTY(fctx->validators));
 
 	FCTXTRACE("destroy");
 
@@ -2559,7 +2584,7 @@ fctx_doshutdown(isc_task_t *task, isc_event_t *event) {
 	}
 
 	if (fctx->references == 0 && fctx->pending == 0 &&
-	    ISC_LIST_EMPTY(fctx->validators))
+	    fctx->nqueries == 0 && ISC_LIST_EMPTY(fctx->validators))
 		bucket_empty = fctx_destroy(fctx);
 
 	UNLOCK(&res->buckets[bucketnum].lock);
@@ -2600,6 +2625,7 @@ fctx_start(isc_task_t *task, isc_event_t *event) {
 		 * pending ADB finds and no pending validations.
 		 */
 		INSIST(fctx->pending == 0);
+		INSIST(fctx->nqueries == 0);
 		INSIST(ISC_LIST_EMPTY(fctx->validators));
 		if (fctx->references == 0) {
 			/*
@@ -2761,6 +2787,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 	fctx->restarts = 0;
 	fctx->timeouts = 0;
 	fctx->attributes = 0;
+	fctx->nqueries = 0;
 
 	dns_name_init(&fctx->nsname, NULL);
 	fctx->nsfetch = NULL;
@@ -3083,12 +3110,21 @@ maybe_destroy(fetchctx_t *fctx) {
 	unsigned int bucketnum;
 	isc_boolean_t bucket_empty = ISC_FALSE;
 	dns_resolver_t *res = fctx->res;
+	dns_validator_t *validator;
 
 	REQUIRE(SHUTTINGDOWN(fctx));
 
-	if (fctx->pending != 0 || !ISC_LIST_EMPTY(fctx->validators))
+	if (fctx->pending != 0 || fctx->nqueries != 0)
 		return;
 
+	for (validator = ISC_LIST_HEAD(fctx->validators);
+	     validator != NULL;
+	     validator = ISC_LIST_HEAD(fctx->validators)) {
+		ISC_LIST_UNLINK(fctx->validators, validator, link);
+		dns_validator_cancel(validator);
+		dns_validator_destroy(&validator);
+	}
+
 	bucketnum = fctx->bucketnum;
 	LOCK(&res->buckets[bucketnum].lock);
 	if (fctx->references == 0)
@@ -3156,10 +3192,12 @@ validated(isc_task_t *task, isc_event_t *event) {
 	 * so, destroy the fctx.
 	 */
 	if (SHUTTINGDOWN(fctx) && !sentresponse) {
-		maybe_destroy(fctx);
+		maybe_destroy(fctx);	/* Locks bucket. */
 		goto cleanup_event;
 	}
 
+	LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
+
 	/*
 	 * If chaining, we need to make sure that the right result code is
 	 * returned, and that the rdatasets are bound.
@@ -3219,10 +3257,13 @@ validated(isc_task_t *task, isc_event_t *event) {
 		result = vevent->result;
 		add_bad(fctx, &addrinfo->sockaddr, result);
 		isc_event_free(&event);
-		if (sentresponse)
-			fctx_done(fctx, result);
+		UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
+		if (!ISC_LIST_EMPTY(fctx->validators))
+			dns_validator_send(ISC_LIST_HEAD(fctx->validators));
+		else if (sentresponse)
+			fctx_done(fctx, result);	/* Locks bucket. */
 		else
-			fctx_try(fctx);
+			fctx_try(fctx);			/* Locks bucket. */
 		return;
 	}
 
@@ -3267,6 +3308,7 @@ validated(isc_task_t *task, isc_event_t *event) {
 		result = dns_rdataset_addnoqname(vevent->rdataset,
 				   vevent->proofs[DNS_VALIDATOR_NOQNAMEPROOF]);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		INSIST(vevent->sigrdataset != NULL);
 		vevent->sigrdataset->ttl = vevent->rdataset->ttl;
 	}
 
@@ -3299,9 +3341,9 @@ validated(isc_task_t *task, isc_event_t *event) {
 		 * If we only deferred the destroy because we wanted to cache
 		 * the data, destroy now.
 		 */
+		UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
 		if (SHUTTINGDOWN(fctx))
-			maybe_destroy(fctx);
-
+			maybe_destroy(fctx);	/* Locks bucket. */
 		goto cleanup_event;
 	}
 
@@ -3315,6 +3357,8 @@ validated(isc_task_t *task, isc_event_t *event) {
 		 * more rdatasets that still need to
 		 * be validated.
 		 */
+		UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
+		dns_validator_send(ISC_LIST_HEAD(fctx->validators));
 		goto cleanup_event;
 	}
 
@@ -3387,7 +3431,9 @@ validated(isc_task_t *task, isc_event_t *event) {
 	if (node != NULL)
 		dns_db_detachnode(fctx->cache, &node);
 
-	fctx_done(fctx, result);
+	UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
+
+	fctx_done(fctx, result);	/* Locks bucket. */
 
  cleanup_event:
 	isc_event_free(&event);
@@ -3623,6 +3669,13 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 							   rdataset,
 							   sigrdataset,
 							   valoptions, task);
+					/*
+					 * Defer any further validations.
+					 * This prevents multiple validators
+					 * from manipulating fctx->rmessage
+					 * simultaniously.
+					 */
+					valoptions |= DNS_VALIDATOR_DEFER;
 				}
 			} else if (CHAINING(rdataset)) {
 				if (rdataset->type == dns_rdatatype_cname)
@@ -4921,6 +4974,7 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
 		fctx_try(fctx);
 	} else {
 		unsigned int n;
+		dns_rdataset_t *nsrdataset = NULL;
 
 		/*
 		 * Retrieve state from fctx->nsfetch before we destroy it.
@@ -4928,13 +4982,20 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
 		dns_fixedname_init(&fixed);
 		domain = dns_fixedname_name(&fixed);
 		dns_name_copy(&fctx->nsfetch->private->domain, domain, NULL);
-		dns_rdataset_clone(&fctx->nsfetch->private->nameservers,
-				   &nameservers);
-		dns_resolver_destroyfetch(&fctx->nsfetch);
 		if (dns_name_equal(&fctx->nsname, domain)) {
 			fctx_done(fctx, DNS_R_SERVFAIL);
+			dns_resolver_destroyfetch(&fctx->nsfetch);
 			goto cleanup;
 		}
+		if (dns_rdataset_isassociated(
+		    &fctx->nsfetch->private->nameservers)) {
+			dns_rdataset_clone(
+			    &fctx->nsfetch->private->nameservers,
+			    &nameservers);
+			nsrdataset = &nameservers;
+		} else
+			domain = NULL;
+		dns_resolver_destroyfetch(&fctx->nsfetch);
 		n = dns_name_countlabels(&fctx->nsname);
 		dns_name_getlabelsequence(&fctx->nsname, 1, n - 1,
 					  &fctx->nsname);
@@ -4944,7 +5005,7 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
 		FCTXTRACE("continuing to look for parent's NS records");
 		result = dns_resolver_createfetch(fctx->res, &fctx->nsname,
 						  dns_rdatatype_ns, domain,
-						  &nameservers, NULL, 0, task,
+						  nsrdataset, NULL, 0, task,
 						  resume_dslookup, fctx,
 						  &fctx->nsrrset, NULL,
 						  &fctx->nsfetch);
@@ -6346,7 +6407,8 @@ dns_resolver_destroyfetch(dns_fetch_t **fetchp) {
 		/*
 		 * No one cares about the result of this fetch anymore.
 		 */
-		if (fctx->pending == 0 && ISC_LIST_EMPTY(fctx->validators) &&
+		if (fctx->pending == 0 && fctx->nqueries == 0 &&
+		    ISC_LIST_EMPTY(fctx->validators) &&
 		    SHUTTINGDOWN(fctx)) {
 			/*
 			 * This fctx is already shutdown; we were just
diff --git a/contrib/bind-9.3/lib/dns/tcpmsg.c b/contrib/bind-9.3/lib/dns/tcpmsg.c
index 4400a3a58f..a0fddcde12 100644
--- a/contrib/bind-9.3/lib/dns/tcpmsg.c
+++ b/contrib/bind-9.3/lib/dns/tcpmsg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tcpmsg.c,v 1.24.206.1 2004/03/06 08:13:46 marka Exp $ */
+/* $Id: tcpmsg.c,v 1.24.206.3 2006/08/10 23:59:28 marka Exp $ */
 
 #include <config.h>
 
@@ -52,6 +52,7 @@ recv_length(isc_task_t *task, isc_event_t *ev_in) {
 	INSIST(VALID_TCPMSG(tcpmsg));
 
 	dev = &tcpmsg->event;
+	tcpmsg->address = ev->address;
 
 	if (ev->result != ISC_R_SUCCESS) {
 		tcpmsg->result = ev->result;
@@ -108,6 +109,7 @@ recv_message(isc_task_t *task, isc_event_t *ev_in) {
 	INSIST(VALID_TCPMSG(tcpmsg));
 
 	dev = &tcpmsg->event;
+	tcpmsg->address = ev->address;
 
 	if (ev->result != ISC_R_SUCCESS) {
 		tcpmsg->result = ev->result;
@@ -116,7 +118,6 @@ recv_message(isc_task_t *task, isc_event_t *ev_in) {
 
 	tcpmsg->result = ISC_R_SUCCESS;
 	isc_buffer_add(&tcpmsg->buffer, ev->n);
-	tcpmsg->address = ev->address;
 
 	XDEBUG(("Received %d bytes (of %d)\n", ev->n, tcpmsg->size));
 
diff --git a/contrib/bind-9.3/lib/dns/tkey.c b/contrib/bind-9.3/lib/dns/tkey.c
index 43c8db0e57..ca793d2b94 100644
--- a/contrib/bind-9.3/lib/dns/tkey.c
+++ b/contrib/bind-9.3/lib/dns/tkey.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: tkey.c,v 1.71.2.1.10.7 2005/06/12 00:02:26 marka Exp $
+ * $Id: tkey.c,v 1.71.2.1.10.9 2006/01/04 23:50:20 marka Exp $
  */
 
 #include <config.h>
@@ -441,15 +441,17 @@ process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
 					   dstkey, ISC_TRUE, signer,
 					   tkeyin->inception, tkeyin->expire,
 					   msg->mctx, ring, NULL);
+#if 1
 	if (result != ISC_R_SUCCESS)
 		goto failure;
-
+#else
 	if (result == ISC_R_NOTFOUND) {
 		tkeyout->error = dns_tsigerror_badalg;
 		return (ISC_R_SUCCESS);
 	}
 	if (result != ISC_R_SUCCESS)
 		goto failure;
+#endif
 
 	/* This key is good for a long time */
 	isc_stdtime_get(&now);
diff --git a/contrib/bind-9.3/lib/dns/tsig.c b/contrib/bind-9.3/lib/dns/tsig.c
index 6a8d774a27..9bdde06eb1 100644
--- a/contrib/bind-9.3/lib/dns/tsig.c
+++ b/contrib/bind-9.3/lib/dns/tsig.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: tsig.c,v 1.112.2.3.8.6 2005/03/17 03:58:31 marka Exp $
+ * $Id: tsig.c,v 1.112.2.3.8.10 2006/05/02 04:21:42 marka Exp $
  */
 
 #include <config.h>
@@ -363,7 +363,7 @@ dns_tsig_sign(dns_message_t *msg) {
 	isc_buffer_t databuf, sigbuf;
 	isc_buffer_t *dynbuf;
 	dns_name_t *owner;
-	dns_rdata_t *rdata;
+	dns_rdata_t *rdata = NULL;
 	dns_rdatalist_t *datalist;
 	dns_rdataset_t *dataset;
 	isc_region_t r;
@@ -555,13 +555,12 @@ dns_tsig_sign(dns_message_t *msg) {
 		tsig.signature = NULL;
 	}
 
-	rdata = NULL;
 	ret = dns_message_gettemprdata(msg, &rdata);
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup_signature;
 	ret = isc_buffer_allocate(msg->mctx, &dynbuf, 512);
 	if (ret != ISC_R_SUCCESS)
-		goto cleanup_signature;
+		goto cleanup_rdata;
 	ret = dns_rdata_fromstruct(rdata, dns_rdataclass_any,
 				   dns_rdatatype_tsig, &tsig, dynbuf);
 	if (ret != ISC_R_SUCCESS)
@@ -577,7 +576,7 @@ dns_tsig_sign(dns_message_t *msg) {
 	owner = NULL;
 	ret = dns_message_gettempname(msg, &owner);
 	if (ret != ISC_R_SUCCESS)
-		goto cleanup_dynbuf;
+		goto cleanup_rdata;
 	dns_name_init(owner, NULL);
 	ret = dns_name_dup(&key->name, msg->mctx, owner);
 	if (ret != ISC_R_SUCCESS)
@@ -587,16 +586,16 @@ dns_tsig_sign(dns_message_t *msg) {
 	ret = dns_message_gettemprdatalist(msg, &datalist);
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup_owner;
+	dataset = NULL;
+	ret = dns_message_gettemprdataset(msg, &dataset);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup_rdatalist;
 	datalist->rdclass = dns_rdataclass_any;
 	datalist->type = dns_rdatatype_tsig;
 	datalist->covers = 0;
 	datalist->ttl = 0;
 	ISC_LIST_INIT(datalist->rdata);
 	ISC_LIST_APPEND(datalist->rdata, rdata, link);
-	dataset = NULL;
-	ret = dns_message_gettemprdataset(msg, &dataset);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup_owner;
 	dns_rdataset_init(dataset);
 	RUNTIME_CHECK(dns_rdatalist_tordataset(datalist, dataset)
 		      == ISC_R_SUCCESS);
@@ -605,16 +604,19 @@ dns_tsig_sign(dns_message_t *msg) {
 
 	return (ISC_R_SUCCESS);
 
-cleanup_owner:
-	if (owner != NULL)
-		dns_message_puttempname(msg, &owner);
-cleanup_dynbuf:
-	if (dynbuf != NULL)
-		isc_buffer_free(&dynbuf);
-cleanup_signature:
+ cleanup_rdatalist:
+	dns_message_puttemprdatalist(msg, &datalist);
+ cleanup_owner:
+	dns_message_puttempname(msg, &owner);
+	goto cleanup_rdata;
+ cleanup_dynbuf:
+	isc_buffer_free(&dynbuf);
+ cleanup_rdata:
+	dns_message_puttemprdata(msg, &rdata);
+ cleanup_signature:
 	if (tsig.signature != NULL)
 		isc_mem_put(mctx, tsig.signature, sigsize);
-cleanup_context:
+ cleanup_context:
 	if (ctx != NULL)
 		dst_context_destroy(&ctx);
 	return (ret);
@@ -646,8 +648,11 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 
 	msg->verify_attempted = 1;
 
-	if (msg->tcp_continuation)
+	if (msg->tcp_continuation) {
+		if (tsigkey == NULL || msg->querytsig == NULL)
+			return (DNS_R_UNEXPECTEDTSIG);
 		return (tsig_verify_tcp(source, msg));
+	}
 
 	/*
 	 * There should be a TSIG record...
diff --git a/contrib/bind-9.3/lib/dns/validator.c b/contrib/bind-9.3/lib/dns/validator.c
index a62db34137..571ad791e7 100644
--- a/contrib/bind-9.3/lib/dns/validator.c
+++ b/contrib/bind-9.3/lib/dns/validator.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.91.2.5.8.21 2005/11/02 02:07:47 marka Exp $ */
+/* $Id: validator.c,v 1.91.2.5.8.27.6.1 2007/01/11 04:51:39 marka Exp $ */
 
 #include <config.h>
 
@@ -43,20 +43,65 @@
 #include <dns/validator.h>
 #include <dns/view.h>
 
+/*! \file
+ * \brief
+ * Basic processing sequences.
+ *
+ * \li When called with rdataset and sigrdataset:
+ * validator_start -> validate -> proveunsecure -> startfinddlvsep ->
+ *	dlv_validator_start -> validator_start -> validate -> proveunsecure
+ *
+ * validator_start -> validate -> nsecvalidate	(secure wildcard answer)
+ * 
+ * \li When called with rdataset, sigrdataset and with DNS_VALIDATOR_DLV:
+ * validator_start -> startfinddlvsep -> dlv_validator_start ->
+ *	validator_start -> validate -> proveunsecure
+ *
+ * \li When called with rdataset:
+ * validator_start -> proveunsecure -> startfinddlvsep ->
+ *	dlv_validator_start -> validator_start -> proveunsecure
+ *
+ * \li When called with rdataset and with DNS_VALIDATOR_DLV:
+ * validator_start -> startfinddlvsep -> dlv_validator_start ->
+ *	validator_start -> proveunsecure
+ *
+ * \li When called without a rdataset:
+ * validator_start -> nsecvalidate -> proveunsecure -> startfinddlvsep ->
+ *	dlv_validator_start -> validator_start -> nsecvalidate -> proveunsecure
+ *
+ * \li When called without a rdataset and with DNS_VALIDATOR_DLV:
+ * validator_start -> startfinddlvsep -> dlv_validator_start ->
+ *	validator_start -> nsecvalidate -> proveunsecure
+ *
+ * validator_start: determines what type of validation to do.
+ * validate: attempts to perform a positive validation.
+ * proveunsecure: attempts to prove the answer comes from a unsecure zone.
+ * nsecvalidate: attempts to prove a negative response.
+ * startfinddlvsep: starts the DLV record lookup.
+ * dlv_validator_start: resets state and restarts the lookup using the
+ *	DLV RRset found by startfinddlvsep.
+ */
+
 #define VALIDATOR_MAGIC			ISC_MAGIC('V', 'a', 'l', '?')
 #define VALID_VALIDATOR(v)		ISC_MAGIC_VALID(v, VALIDATOR_MAGIC)
 
-#define VALATTR_SHUTDOWN		0x0001
-#define VALATTR_FOUNDNONEXISTENCE	0x0002
-#define VALATTR_TRIEDVERIFY		0x0004
-#define VALATTR_NEGATIVE		0x0008
-#define VALATTR_INSECURITY		0x0010
-#define VALATTR_DLVTRIED		0x0020
+#define VALATTR_SHUTDOWN		0x0001	/*%< Shutting down. */
+#define VALATTR_TRIEDVERIFY		0x0004  /*%< We have found a key and
+						 * have attempted a verify. */
+#define VALATTR_INSECURITY		0x0010	/*%< Attempting proveunsecure. */
+#define VALATTR_DLVTRIED		0x0020	/*%< Looked for a DLV record. */
+#define VALATTR_AUTHNONPENDING		0x0040	/*%< Tidy up pending auth. */
 
+/*!
+ * NSEC proofs to be looked for.
+ */
 #define VALATTR_NEEDNOQNAME		0x0100
 #define VALATTR_NEEDNOWILDCARD		0x0200
 #define VALATTR_NEEDNODATA		0x0400
 
+/*!
+ * NSEC proofs that have been found.
+ */
 #define VALATTR_FOUNDNOQNAME		0x1000
 #define VALATTR_FOUNDNOWILDCARD		0x2000
 #define VALATTR_FOUNDNODATA		0x4000
@@ -104,19 +149,35 @@ validator_logcreate(dns_validator_t *val,
 static isc_result_t
 dlv_validatezonekey(dns_validator_t *val);
 
-static isc_result_t
+static void
 dlv_validator_start(dns_validator_t *val);
 
 static isc_result_t
 finddlvsep(dns_validator_t *val, isc_boolean_t resume);
 
+static void
+auth_nonpending(dns_message_t *message);
+
+static isc_result_t
+startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure);
+
+/*%
+ * Mark the RRsets as a answer.
+ *
+ * If VALATTR_AUTHNONPENDING is set then this is a negative answer
+ * in a insecure zone.  We need to mark any pending RRsets as
+ * dns_trust_authauthority answers (this is deferred from resolver.c).
+ */
 static inline void
 markanswer(dns_validator_t *val) {
 	validator_log(val, ISC_LOG_DEBUG(3), "marking as answer");
-	if (val->event->rdataset)
+	if (val->event->rdataset != NULL)
 		val->event->rdataset->trust = dns_trust_answer;
-	if (val->event->sigrdataset)
+	if (val->event->sigrdataset != NULL)
 		val->event->sigrdataset->trust = dns_trust_answer;
+	if (val->event->message != NULL &&
+	    (val->attributes & VALATTR_AUTHNONPENDING) != 0)
+		auth_nonpending(val->event->message);
 }
 
 static void
@@ -155,6 +216,9 @@ exit_check(dns_validator_t *val) {
 	return (ISC_TRUE);
 }
 
+/*%
+ * Mark pending answers in the authority section as dns_trust_authauthority.
+ */
 static void
 auth_nonpending(dns_message_t *message) {
 	isc_result_t result;
@@ -177,6 +241,10 @@ auth_nonpending(dns_message_t *message) {
 	}
 }
 
+/*%
+ * Look in the NSEC record returned from a DS query to see if there is
+ * a NS RRset at this name.  If it is found we are at a delegation point.
+ */
 static isc_boolean_t
 isdelegation(dns_name_t *name, dns_rdataset_t *rdataset,
 	     isc_result_t dbresult)
@@ -210,6 +278,11 @@ isdelegation(dns_name_t *name, dns_rdataset_t *rdataset,
 	return (found);
 }
 
+/*%
+ * We have been asked to to look for a key.
+ * If found resume the validation process.
+ * If not found fail the validation process.
+ */
 static void
 fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
 	dns_fetchevent_t *devent;
@@ -269,6 +342,11 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
 		destroy(val);
 }
 
+/*%
+ * We were asked to look for a DS record as part of following a key chain
+ * upwards.  If found resume the validation process.  If not found fail the
+ * validation process.
+ */
 static void
 dsfetched(isc_task_t *task, isc_event_t *event) {
 	dns_fetchevent_t *devent;
@@ -330,8 +408,16 @@ dsfetched(isc_task_t *task, isc_event_t *event) {
 		destroy(val);
 }
 
-/*
- * XXX there's too much duplicated code here.
+/*%
+ * We were asked to look for the DS record as part of proving that a
+ * name is unsecure.
+ *
+ * If the DS record doesn't exist and the query name corresponds to
+ * a delegation point we are transitioning from a secure zone to a
+ * unsecure zone.
+ *
+ * If the DS record exists it will be secure.  We can continue looking
+ * for the break point in the chain of trust.
  */
 static void
 dsfetched2(isc_task_t *task, isc_event_t *event) {
@@ -359,7 +445,8 @@ dsfetched2(isc_task_t *task, isc_event_t *event) {
 
 	INSIST(val->event != NULL);
 
-	validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched2");
+	validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched2: %s",
+		      dns_result_totext(eresult));
 	LOCK(&val->lock);
 	if (eresult == DNS_R_NXRRSET || eresult == DNS_R_NCACHENXRRSET) {
 		/*
@@ -371,9 +458,13 @@ dsfetched2(isc_task_t *task, isc_event_t *event) {
 				validator_log(val, ISC_LOG_WARNING,
 					      "must be secure failure");
 				validator_done(val, DNS_R_MUSTBESECURE);
-			} else {
+			} else if (val->view->dlv == NULL || DLVTRIED(val)) {
 				markanswer(val);
 				validator_done(val, ISC_R_SUCCESS);
+			} else {
+				result = startfinddlvsep(val, tname);
+				if (result != DNS_R_WAIT)
+					validator_done(val, result);
 			}
 		} else {
 			result = proveunsecure(val, ISC_TRUE);
@@ -385,7 +476,9 @@ dsfetched2(isc_task_t *task, isc_event_t *event) {
 		   eresult == DNS_R_NCACHENXDOMAIN)
 	{
 		/*
-		 * Either there is a DS or this is not a zone cut.  Continue.
+		 * There is a DS which may or may not be a zone cut. 
+		 * In either case we are still in a secure zone resume
+		 * validation.
 		 */
 		result = proveunsecure(val, ISC_TRUE);
 		if (result != DNS_R_WAIT)
@@ -403,6 +496,11 @@ dsfetched2(isc_task_t *task, isc_event_t *event) {
 		destroy(val);
 }
 
+/*%
+ * Callback from when a DNSKEY RRset has been validated.
+ *
+ * Resumes the stalled validation process.
+ */
 static void
 keyvalidated(isc_task_t *task, isc_event_t *event) {
 	dns_validatorevent_t *devent;
@@ -448,6 +546,11 @@ keyvalidated(isc_task_t *task, isc_event_t *event) {
 		destroy(val);
 }
 
+/*%
+ * Callback when the DS record has been validated.
+ *
+ * Resumes validation of the zone key or the unsecure zone proof.
+ */
 static void
 dsvalidated(isc_task_t *task, isc_event_t *event) {
 	dns_validatorevent_t *devent;
@@ -491,10 +594,12 @@ dsvalidated(isc_task_t *task, isc_event_t *event) {
 		destroy(val);
 }
 
-/*
+/*%
  * Return ISC_R_SUCCESS if we can determine that the name doesn't exist
  * or we can determine whether there is data or not at the name.
  * If the name does not exist return the wildcard name.
+ *
+ * Return ISC_R_IGNORE when the NSEC is not the appropriate one.
  */
 static isc_result_t
 nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname,
@@ -627,7 +732,7 @@ nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname,
 					       wild, NULL);
 		if (result != ISC_R_SUCCESS) {
 			validator_log(val, ISC_LOG_DEBUG(3),
-				    "failure generating wilcard name");
+				    "failure generating wildcard name");
 			return (result);
 		}
 	}
@@ -637,6 +742,13 @@ nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname,
 	return (ISC_R_SUCCESS);
 }
 
+/*%
+ * Callback for when NSEC records have been validated.
+ *
+ * Looks for NOQNAME and NODATA proofs.
+ *
+ * Resumes nsecvalidate.
+ */
 static void
 authvalidated(isc_task_t *task, isc_event_t *event) {
 	dns_validatorevent_t *devent;
@@ -715,44 +827,20 @@ authvalidated(isc_task_t *task, isc_event_t *event) {
 	isc_event_free(&event);
 }
 
-static void
-negauthvalidated(isc_task_t *task, isc_event_t *event) {
-	dns_validatorevent_t *devent;
-	dns_validator_t *val;
-	isc_boolean_t want_destroy;
-	isc_result_t eresult;
-
-	UNUSED(task);
-	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
-
-	devent = (dns_validatorevent_t *)event;
-	val = devent->ev_arg;
-	eresult = devent->result;
-	isc_event_free(&event);
-	dns_validator_destroy(&val->subvalidator);
-
-	INSIST(val->event != NULL);
-
-	validator_log(val, ISC_LOG_DEBUG(3), "in negauthvalidated");
-	LOCK(&val->lock);
-	if (eresult == ISC_R_SUCCESS) {
-		val->attributes |= VALATTR_FOUNDNONEXISTENCE;
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "nonexistence proof found");
-		auth_nonpending(val->event->message);
-		validator_done(val, ISC_R_SUCCESS);
-	} else {
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "negauthvalidated: got %s",
-			      isc_result_totext(eresult));
-		validator_done(val, eresult);
-	}
-	want_destroy = exit_check(val);
-	UNLOCK(&val->lock);
-	if (want_destroy)
-		destroy(val);
-}
-
+/*%
+ * Looks for the requested name and type in the view (zones and cache).
+ *
+ * When looking for a DLV record also checks to make sure the NSEC record
+ * returns covers the query name as part of aggressive negative caching.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOTFOUND
+ * \li	DNS_R_NCACHENXDOMAIN
+ * \li	DNS_R_NCACHENXRRSET
+ * \li	DNS_R_NXRRSET
+ * \li	DNS_R_NXDOMAIN
+ */
 static inline isc_result_t
 view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
 	dns_fixedname_t fixedname;
@@ -855,12 +943,9 @@ view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
 		dns_rdata_freestruct(&nsec);
 		result = DNS_R_NCACHENXDOMAIN;
 	} else if (result != ISC_R_SUCCESS &&
-                   result != DNS_R_GLUE &&
-                   result != DNS_R_HINT &&
                    result != DNS_R_NCACHENXDOMAIN &&
                    result != DNS_R_NCACHENXRRSET &&
                    result != DNS_R_NXRRSET &&
-                   result != DNS_R_HINTNXRRSET &&
                    result != ISC_R_NOTFOUND) {
 		goto  notfound;
 	}
@@ -874,11 +959,15 @@ view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
 	return (ISC_R_NOTFOUND);
 }
 
+/*%
+ * Checks to make sure we are not going to loop.  As we use a SHARED fetch
+ * the validation process will stall if looping was to occur.
+ */
 static inline isc_boolean_t
 check_deadlock(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
 	dns_validator_t *parent;
 
-	for (parent = val->parent; parent != NULL; parent = parent->parent) {
+	for (parent = val; parent != NULL; parent = parent->parent) {
 		if (parent->event != NULL &&
 		    parent->event->type == type &&
 		    dns_name_equal(parent->event->name, name))
@@ -892,6 +981,9 @@ check_deadlock(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
 	return (ISC_FALSE);
 }
 
+/*%
+ * Start a fetch for the requested name and type.
+ */
 static inline isc_result_t
 create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
 	     isc_taskaction_t callback, const char *caller)
@@ -914,6 +1006,9 @@ create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
 					 &val->fetch));
 }
 
+/*%
+ * Start a subvalidation process.
+ */
 static inline isc_result_t
 create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
 		 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
@@ -936,7 +1031,7 @@ create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
 	return (result);
 }
 
-/*
+/*%
  * Try to find a key that could have signed 'siginfo' among those
  * in 'rdataset'.  If found, build a dst_key_t for it and point
  * val->key at it.
@@ -1004,6 +1099,9 @@ get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
 	return (result);
 }
 
+/*%
+ * Get the key that genertated this signature.
+ */
 static isc_result_t
 get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) {
 	isc_result_t result;
@@ -1130,7 +1228,7 @@ compute_keytag(dns_rdata_t *rdata, dns_rdata_dnskey_t *key) {
 	return (dst_region_computeid(&r, key->algorithm));
 }
 
-/*
+/*%
  * Is this keyset self-signed?
  */
 static isc_boolean_t
@@ -1172,8 +1270,19 @@ isselfsigned(dns_validator_t *val) {
 	return (ISC_FALSE);
 }
 
+/*%
+ * Attempt to verify the rdataset using the given key and rdata (RRSIG).
+ * The signature was good and from a wildcard record and the QNAME does
+ * not match the wildcard we need to look for a NOQNAME proof.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS if the verification succeeds.
+ * \li	Others if the verification fails.
+ */
 static isc_result_t
-verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata) {
+verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
+       isc_uint16_t keyid)
+{
 	isc_result_t result;
 	dns_fixedname_t fixed;
 
@@ -1183,8 +1292,8 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata) {
 				    key, ISC_FALSE, val->view->mctx, rdata,
 				    dns_fixedname_name(&fixed));
 	validator_log(val, ISC_LOG_DEBUG(3),
-		      "verify rdataset: %s",
-		      isc_result_totext(result));
+		      "verify rdataset (keyid=%u): %s",
+		      keyid, isc_result_totext(result));
 	if (result == DNS_R_FROMWILDCARD) {
 		if (!dns_name_equal(val->event->name,
 				    dns_fixedname_name(&fixed)))
@@ -1194,14 +1303,14 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata) {
 	return (result);
 }
 
-/*
+/*%
  * Attempts positive response validation of a normal RRset.
  *
  * Returns:
- *	ISC_R_SUCCESS	Validation completed successfully
- *	DNS_R_WAIT	Validation has started but is waiting
+ * \li	ISC_R_SUCCESS	Validation completed successfully
+ * \li	DNS_R_WAIT	Validation has started but is waiting
  *			for an event.
- *	Other return codes are possible and all indicate failure.
+ * \li	Other return codes are possible and all indicate failure.
  */
 static isc_result_t
 validate(dns_validator_t *val, isc_boolean_t resume) {
@@ -1272,7 +1381,8 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
 		}
 
 		do {
-			result = verify(val, val->key, &rdata);
+			result = verify(val, val->key, &rdata,
+					val->siginfo->keyid);
 			if (result == ISC_R_SUCCESS)
 				break;
 			if (val->keynode != NULL) {
@@ -1356,6 +1466,10 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
 	return (DNS_R_NOVALIDSIG);
 }
 
+/*%
+ * Validate the DNSKEY RRset by looking for a DNSKEY that matches a
+ * DLV record and that also verifies the DNSKEY RRset.
+ */
 static isc_result_t
 dlv_validatezonekey(dns_validator_t *val) {
 	dns_keytag_t keytag;
@@ -1373,12 +1487,12 @@ dlv_validatezonekey(dns_validator_t *val) {
 	unsigned char dsbuf[DNS_DS_BUFFERSIZE];
 
 	validator_log(val, ISC_LOG_DEBUG(3), "dlv_validatezonekey");
+
 	/*
 	 * Look through the DLV record and find the keys that can sign the
 	 * key set and the matching signature.  For each such key, attempt
 	 * verification.
 	 */
-
 	supported_algorithm = ISC_FALSE;
 
 	for (result = dns_rdataset_first(&val->dlv);
@@ -1456,7 +1570,7 @@ dlv_validatezonekey(dns_validator_t *val) {
 				 */
 				continue;
 
-			result = verify(val, dstkey, &sigrdata);
+			result = verify(val, dstkey, &sigrdata, sig.keyid);
 			dst_key_free(&dstkey);
 			if (result == ISC_R_SUCCESS)
 				break;
@@ -1486,14 +1600,14 @@ dlv_validatezonekey(dns_validator_t *val) {
 		return (DNS_R_NOVALIDSIG);
 }
 
-/*
+/*%
  * Attempts positive response validation of an RRset containing zone keys.
  *
  * Returns:
- *	ISC_R_SUCCESS	Validation completed successfully
- *	DNS_R_WAIT	Validation has started but is waiting
+ * \li	ISC_R_SUCCESS	Validation completed successfully
+ * \li	DNS_R_WAIT	Validation has started but is waiting
  *			for an event.
- *	Other return codes are possible and all indicate failure.
+ * \li	Other return codes are possible and all indicate failure.
  */
 static isc_result_t
 validatezonekey(dns_validator_t *val) {
@@ -1505,12 +1619,14 @@ validatezonekey(dns_validator_t *val) {
 	dns_rdata_t keyrdata = DNS_RDATA_INIT;
 	dns_rdata_t sigrdata = DNS_RDATA_INIT;
 	unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+	char namebuf[DNS_NAME_FORMATSIZE];
 	dns_keytag_t keytag;
 	dns_rdata_ds_t ds;
 	dns_rdata_dnskey_t key;
 	dns_rdata_rrsig_t sig;
 	dst_key_t *dstkey;
 	isc_boolean_t supported_algorithm;
+	isc_boolean_t atsep = ISC_FALSE;
 
 	/*
 	 * Caller must be holding the validator lock.
@@ -1541,9 +1657,13 @@ validatezonekey(dns_validator_t *val) {
 							  sig.algorithm,
 							  sig.keyid,
 							  &keynode);
+			if (result == DNS_R_PARTIALMATCH ||
+			    result == ISC_R_SUCCESS)
+				atsep = ISC_TRUE;
 			while (result == ISC_R_SUCCESS) {
 				dstkey = dns_keynode_key(keynode);
-				result = verify(val, dstkey, &sigrdata);
+				result = verify(val, dstkey, &sigrdata,
+						sig.keyid);
 				if (result == ISC_R_SUCCESS) {
 					dns_keytable_detachkeynode(val->keytable,
 								   &keynode);
@@ -1578,6 +1698,22 @@ validatezonekey(dns_validator_t *val) {
 				return (DNS_R_NOVALIDDS);
 		}
 
+		if (atsep) {
+			/*
+			 * We have not found a key to verify this DNSKEY
+			 * RRset.  As this is a SEP we have to assume that
+			 * the RRset is invalid.
+			 */
+			dns_name_format(val->event->name, namebuf,
+				        sizeof(namebuf));
+			validator_log(val, ISC_LOG_DEBUG(2),
+				      "unable to find a DNSKEY which verifies "
+				      "the DNSKEY RRset and also matches one "
+				      "of specified trusted-keys for '%s'",
+				      namebuf);
+			return (DNS_R_NOVALIDKEY);
+		}
+
 		/*
 		 * Otherwise, try to find the DS record.
 		 */
@@ -1680,6 +1816,9 @@ validatezonekey(dns_validator_t *val) {
 		dns_rdataset_init(&trdataset);
 		dns_rdataset_clone(val->event->rdataset, &trdataset);
 
+		/*
+		 * Look for the KEY that matches the DS record.
+		 */
 		for (result = dns_rdataset_first(&trdataset);
 		     result == ISC_R_SUCCESS;
 		     result = dns_rdataset_next(&trdataset))
@@ -1714,7 +1853,7 @@ validatezonekey(dns_validator_t *val) {
 			dns_rdataset_current(val->event->sigrdataset,
 					     &sigrdata);
 			(void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
-			if (ds.key_tag != sig.keyid &&
+			if (ds.key_tag != sig.keyid ||
 			    ds.algorithm != sig.algorithm)
 				continue;
 
@@ -1728,8 +1867,7 @@ validatezonekey(dns_validator_t *val) {
 				 * This really shouldn't happen, but...
 				 */
 				continue;
-
-			result = verify(val, dstkey, &sigrdata);
+			result = verify(val, dstkey, &sigrdata, sig.keyid);
 			dst_key_free(&dstkey);
 			if (result == ISC_R_SUCCESS)
 				break;
@@ -1759,14 +1897,14 @@ validatezonekey(dns_validator_t *val) {
 		return (DNS_R_NOVALIDSIG);
 }
 
-/*
+/*%
  * Starts a positive response validation.
  *
  * Returns:
- *	ISC_R_SUCCESS	Validation completed successfully
- *	DNS_R_WAIT	Validation has started but is waiting
+ * \li	ISC_R_SUCCESS	Validation completed successfully
+ * \li	DNS_R_WAIT	Validation has started but is waiting
  *			for an event.
- *	Other return codes are possible and all indicate failure.
+ * \li	Other return codes are possible and all indicate failure.
  */
 static isc_result_t
 start_positive_validation(dns_validator_t *val) {
@@ -1779,6 +1917,14 @@ start_positive_validation(dns_validator_t *val) {
 	return (validatezonekey(val));
 }
 
+/*%
+ * Look for NODATA at the wildcard and NOWILDCARD proofs in the
+ * previously validated NSEC records.  As these proofs are mutually
+ * exclusive we stop when one is found.
+ *
+ * Returns
+ * \li	ISC_R_SUCCESS 
+ */
 static isc_result_t
 checkwildcard(dns_validator_t *val) {
 	dns_name_t *name, *wild;
@@ -1851,6 +1997,18 @@ checkwildcard(dns_validator_t *val) {
 	return (result);
 }
 
+/*%
+ * Prove a negative answer is good or that there is a NOQNAME when the
+ * answer is from a wildcard.
+ *
+ * Loop through the authority section looking for NODATA, NOWILDCARD
+ * and NOQNAME proofs in the NSEC records by calling authvalidated().
+ *
+ * If the required proofs are found we are done.
+ *
+ * If the proofs are not found attempt to prove this is a unsecure
+ * response.
+ */
 static isc_result_t
 nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
 	dns_name_t *name;
@@ -1946,7 +2104,8 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
 		return (result);
 
 	/*
-	 * Do we only need to check for NOQNAME?
+	 * Do we only need to check for NOQNAME?  To get here we must have
+	 * had a secure wildcard answer.
 	 */
 	if ((val->attributes & VALATTR_NEEDNODATA) == 0 &&
 	    (val->attributes & VALATTR_NEEDNOWILDCARD) == 0 &&
@@ -1982,28 +2141,17 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
 	    ((val->attributes & VALATTR_NEEDNOQNAME) != 0 &&
 	     (val->attributes & VALATTR_FOUNDNOQNAME) != 0 &&
 	     (val->attributes & VALATTR_NEEDNOWILDCARD) != 0 &&
-	     (val->attributes & VALATTR_FOUNDNOWILDCARD) != 0))
-		val->attributes |= VALATTR_FOUNDNONEXISTENCE;
-
-	if ((val->attributes & VALATTR_FOUNDNONEXISTENCE) == 0) {
-		if (!val->seensig && val->soaset != NULL) {
-			result = create_validator(val, val->soaname,
-						  dns_rdatatype_soa,
-						  val->soaset, NULL,
-						  negauthvalidated,
-						  "nsecvalidate");
-			if (result != ISC_R_SUCCESS)
-				return (result);
-			return (DNS_R_WAIT);
-		}
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "nonexistence proof not found");
-		return (DNS_R_NOVALIDNSEC);
-	} else {
+	     (val->attributes & VALATTR_FOUNDNOWILDCARD) != 0)) {
 		validator_log(val, ISC_LOG_DEBUG(3),
-			      "nonexistence proof found");
+			      "nonexistence proof(s) found");
 		return (ISC_R_SUCCESS);
 	}
+
+	validator_log(val, ISC_LOG_DEBUG(3),
+		      "nonexistence proof(s) not found");
+	val->attributes |= VALATTR_AUTHNONPENDING;
+	val->attributes |= VALATTR_INSECURITY;
+	return (proveunsecure(val, ISC_FALSE));
 }
 
 static isc_boolean_t
@@ -2029,6 +2177,11 @@ check_ds(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset) {
 	return (ISC_FALSE);
 }
 
+/*%
+ * Callback from fetching a DLV record.
+ * 
+ * Resumes the DLV lookup process.
+ */
 static void
 dlvfetched(isc_task_t *task, isc_event_t *event) {
 	char namebuf[DNS_NAME_FORMATSIZE];
@@ -2065,9 +2218,7 @@ dlvfetched(isc_task_t *task, isc_event_t *event) {
 		dns_rdataset_clone(&val->frdataset, &val->dlv);
 		val->havedlvsep = ISC_TRUE;
 		validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
-		result = dlv_validator_start(val);
-		if (result != DNS_R_WAIT)
-			validator_done(val, result);
+		dlv_validator_start(val);
 	} else if (eresult == DNS_R_NXRRSET ||
 		   eresult == DNS_R_NXDOMAIN ||
 		   eresult == DNS_R_NCACHENXRRSET ||
@@ -2078,9 +2229,7 @@ dlvfetched(isc_task_t *task, isc_event_t *event) {
 					namebuf, sizeof(namebuf));
 			validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
 				      namebuf);
-			result = dlv_validator_start(val);
-			if (result != DNS_R_WAIT)
-				validator_done(val, result);
+			dlv_validator_start(val);
 		} else if (result == ISC_R_NOTFOUND) {
 			validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
 			markanswer(val);
@@ -2094,6 +2243,7 @@ dlvfetched(isc_task_t *task, isc_event_t *event) {
 	} else {
 		validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
 			      dns_result_totext(eresult));
+		validator_done(val, eresult);
 	}
 	want_destroy = exit_check(val);
 	UNLOCK(&val->lock);
@@ -2101,6 +2251,14 @@ dlvfetched(isc_task_t *task, isc_event_t *event) {
 		destroy(val);
 }
 
+/*%
+ * Start the DLV lookup proccess.
+ * 
+ * Returns
+ * \li	ISC_R_SUCCESS
+ * \li	DNS_R_WAIT
+ * \li	Others on validation failures.
+ */
 static isc_result_t
 startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure) {
 	char namebuf[DNS_NAME_FORMATSIZE];
@@ -2135,9 +2293,19 @@ startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure) {
 	dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
 			sizeof(namebuf));
 	validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
-	return (dlv_validator_start(val));
+	dlv_validator_start(val);
+	return (DNS_R_WAIT);
 }
 
+/*%
+ * Continue the DLV lookup process.
+ *
+ * Returns
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOTFOUND
+ * \li	DNS_R_WAIT
+ * \li	Others on validation failure.
+ */
 static isc_result_t
 finddlvsep(dns_validator_t *val, isc_boolean_t resume) {
 	char namebuf[DNS_NAME_FORMATSIZE];
@@ -2147,7 +2315,7 @@ finddlvsep(dns_validator_t *val, isc_boolean_t resume) {
 	dns_name_t noroot;
 	isc_result_t result;
 	unsigned int labels;
-		
+
 	INSIST(val->view->dlv != NULL);
 
 	if (!resume) {
@@ -2231,11 +2399,24 @@ finddlvsep(dns_validator_t *val, isc_boolean_t resume) {
 	return (ISC_R_NOTFOUND);
 }
 
-/*
+/*%
  * proveunsecure walks down from the SEP looking for a break in the
- * chain of trust.   That occurs when we can prove the DS record does
+ * chain of trust.  That occurs when we can prove the DS record does
  * not exist at a delegation point or the DS exists at a delegation
  * but we don't support the algorithm/digest.
+ *
+ * If DLV is active and we look for a DLV record at or below the
+ * point we go insecure.  If found we restart the validation process.
+ * If not found or DLV isn't active we mark the response as a answer.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS		val->event->name is in a unsecure zone
+ * \li	DNS_R_WAIT		validation is in progress.
+ * \li	DNS_R_MUSTBESECURE	val->event->name is supposed to be secure
+ *				(policy) but we proved that it is unsecure.
+ * \li	DNS_R_NOVALIDSIG
+ * \li	DNS_R_NOVALIDNSEC
+ * \li	DNS_R_NOTINSECURE
  */
 static isc_result_t
 proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
@@ -2253,7 +2434,7 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
 		result = dns_keytable_finddeepestmatch(val->keytable,
 						       val->event->name,
 						       secroot);
-
+	
 		if (result == ISC_R_NOTFOUND) {
 			validator_log(val, ISC_LOG_DEBUG(3),
 				      "not beneath secure root");
@@ -2395,8 +2576,7 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
 				goto out;
 			return (DNS_R_WAIT);
 		} else if (result == DNS_R_NXDOMAIN ||
-			   result == DNS_R_NCACHENXDOMAIN)
-		{
+			   result == DNS_R_NCACHENXDOMAIN) {
 			/*
 			 * This is not a zone cut.  Assuming things are
 			 * as expected, continue.
@@ -2441,7 +2621,10 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
 	return (result);
 }
 
-static isc_result_t
+/*%
+ * Reset state and revalidate the answer using DLV.
+ */
+static void
 dlv_validator_start(dns_validator_t *val) {
 	isc_event_t *event;
 
@@ -2455,9 +2638,20 @@ dlv_validator_start(dns_validator_t *val) {
 
 	event = (isc_event_t *)val->event;
 	isc_task_send(val->task, &event);
-	return (DNS_R_WAIT);
 }
 
+/*%
+ * Start the validation process.
+ *
+ * Attempt to valididate the answer based on the category it appears to
+ * fall in.
+ * \li	1. secure positive answer.
+ * \li	2. unsecure positive answer.
+ * \li	3. a negative answer (secure or unsecure).
+ *
+ * Note a answer that appears to be a secure positive answer may actually
+ * be a unsecure positive answer.
+ */
 static void
 validator_start(isc_task_t *task, isc_event_t *event) {
 	dns_validator_t *val;
@@ -2529,7 +2723,6 @@ validator_start(isc_task_t *task, isc_event_t *event) {
 		validator_log(val, ISC_LOG_DEBUG(3),
 			      "attempting negative response validation");
 
-		val->attributes |= VALATTR_NEGATIVE;
 		if (val->event->message->rcode == dns_rcode_nxdomain) {
 			val->attributes |= VALATTR_NEEDNOQNAME;
 			val->attributes |= VALATTR_NEEDNOWILDCARD;
@@ -2632,7 +2825,8 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 	ISC_LINK_INIT(val, link);
 	val->magic = VALIDATOR_MAGIC;
 
-	isc_task_send(task, ISC_EVENT_PTR(&event));
+	if ((options & DNS_VALIDATOR_DEFER) == 0)
+		isc_task_send(task, ISC_EVENT_PTR(&event));
 
 	*validatorp = val;
 
@@ -2640,7 +2834,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 
  cleanup_event:
 	isc_task_detach(&tclone);
-	isc_event_free((isc_event_t **)&val->event);
+	isc_event_free(ISC_EVENT_PTR(&event));
 
  cleanup_val:
 	dns_view_weakdetach(&val->view);
@@ -2649,6 +2843,21 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 	return (result);
 }
 
+void
+dns_validator_send(dns_validator_t *validator) {
+	isc_event_t *event;
+	REQUIRE(VALID_VALIDATOR(validator));
+
+	LOCK(&validator->lock);
+
+	INSIST((validator->options & DNS_VALIDATOR_DEFER) != 0);
+	event = (isc_event_t *)validator->event;
+	validator->options &= ~DNS_VALIDATOR_DEFER;
+	UNLOCK(&validator->lock);
+
+	isc_task_send(validator->task, ISC_EVENT_PTR(&event));
+}
+
 void
 dns_validator_cancel(dns_validator_t *validator) {
 	REQUIRE(VALID_VALIDATOR(validator));
@@ -2663,6 +2872,12 @@ dns_validator_cancel(dns_validator_t *validator) {
 
 		if (validator->subvalidator != NULL)
 			dns_validator_cancel(validator->subvalidator);
+		if ((validator->options & DNS_VALIDATOR_DEFER) != 0) {
+			isc_task_t *task = validator->event->ev_sender;
+			validator->options &= ~DNS_VALIDATOR_DEFER;
+			isc_event_free((isc_event_t **)&validator->event);
+			isc_task_detach(&task);
+		}
 	}
 	UNLOCK(&validator->lock);
 }
diff --git a/contrib/bind-9.3/lib/dns/xfrin.c b/contrib/bind-9.3/lib/dns/xfrin.c
index 8a824a73ef..fdeed14bd6 100644
--- a/contrib/bind-9.3/lib/dns/xfrin.c
+++ b/contrib/bind-9.3/lib/dns/xfrin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrin.c,v 1.124.2.4.2.12 2005/11/03 23:08:41 marka Exp $ */
+/* $Id: xfrin.c,v 1.124.2.4.2.16 2006/07/19 01:04:24 marka Exp $ */
 
 #include <config.h>
 
@@ -73,6 +73,8 @@
  * when the first two (2) response RRs have already been received.
  */
 typedef enum {
+	XFRST_SOAQUERY,
+	XFRST_GOTSOA,
 	XFRST_INITIALSOA,
 	XFRST_FIRSTDATA,
 	XFRST_IXFR_DELSOA,
@@ -424,6 +426,30 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, isc_uint32_t ttl,
 
  redo:
 	switch (xfr->state) {
+	case XFRST_SOAQUERY:
+		if (rdata->type != dns_rdatatype_soa) {
+			xfrin_log(xfr, ISC_LOG_ERROR,
+				  "non-SOA response to SOA query");
+			FAIL(DNS_R_FORMERR);
+		}
+		xfr->end_serial = dns_soa_getserial(rdata);
+		if (!DNS_SERIAL_GT(xfr->end_serial, xfr->ixfr.request_serial) &&
+		    !dns_zone_isforced(xfr->zone)) {
+			xfrin_log(xfr, ISC_LOG_DEBUG(3),
+				  "requested serial %u, "
+				  "master has %u, not updating",
+				  xfr->ixfr.request_serial, xfr->end_serial);
+			FAIL(DNS_R_UPTODATE);
+		}
+		xfr->state = XFRST_GOTSOA;
+		break;
+
+	case XFRST_GOTSOA:
+		/*
+		 * Skip other records in the answer section.
+		 */
+		break;
+
 	case XFRST_INITIALSOA:
 		if (rdata->type != dns_rdatatype_soa) {
 			xfrin_log(xfr, ISC_LOG_ERROR,
@@ -589,6 +615,9 @@ dns_xfrin_create2(dns_zone_t *zone, dns_rdatatype_t xfrtype,
 
 	(void)dns_zone_getdb(zone, &db);
 
+	if (xfrtype == dns_rdatatype_soa || xfrtype == dns_rdatatype_ixfr)
+		REQUIRE(db != NULL);
+
 	CHECK(xfrin_create(mctx, zone, db, task, timermgr, socketmgr, zonename,
 			   dns_zone_getclass(zone), xfrtype, masteraddr,
 			   sourceaddr, tsigkey, &xfr));
@@ -754,7 +783,10 @@ xfrin_create(isc_mem_t *mctx,
 	dns_diff_init(xfr->mctx, &xfr->diff);
 	xfr->difflen = 0;
 
-	xfr->state = XFRST_INITIALSOA;
+	if (reqtype == dns_rdatatype_soa)
+		xfr->state = XFRST_SOAQUERY;
+	else
+		xfr->state = XFRST_INITIALSOA;
 	/* end_serial */
 
 	xfr->nmsg = 0;
@@ -797,7 +829,18 @@ xfrin_create(isc_mem_t *mctx,
 	return (ISC_R_SUCCESS);
 
  failure:
-	xfrin_fail(xfr, result, "failed creating transfer context");
+	if (xfr->timer != NULL)
+		isc_timer_detach(&xfr->timer);
+	if (dns_name_dynamic(&xfr->name))
+		dns_name_free(&xfr->name, xfr->mctx);
+	if (xfr->tsigkey != NULL)
+		dns_tsigkey_detach(&xfr->tsigkey);
+	if (xfr->db != NULL)
+		dns_db_detach(&xfr->db);
+	isc_task_detach(&xfr->task);
+	dns_zone_idetach(&xfr->zone);
+	isc_mem_put(mctx, xfr, sizeof(*xfr));
+
 	return (result);
 }
 
@@ -808,7 +851,9 @@ xfrin_start(dns_xfrin_ctx_t *xfr) {
 				isc_sockaddr_pf(&xfr->sourceaddr),
 				isc_sockettype_tcp,
 				&xfr->socket));
+#ifndef BROKEN_TCP_BIND_BEFORE_CONNECT
 	CHECK(isc_socket_bind(xfr->socket, &xfr->sourceaddr));
+#endif
 	CHECK(isc_socket_connect(xfr->socket, &xfr->masteraddr, xfr->task,
 				 xfrin_connect_done, xfr));
 	xfr->connects++;
@@ -987,7 +1032,9 @@ xfrin_send_request(dns_xfrin_ctx_t *xfr) {
 
 		CHECK(tuple2msgname(soatuple, msg, &msgsoaname));
 		dns_message_addname(msg, msgsoaname, DNS_SECTION_AUTHORITY);
-	}
+	} else if (xfr->reqtype == dns_rdatatype_soa)
+		CHECK(dns_db_getsoaserial(xfr->db, NULL,
+					  &xfr->ixfr.request_serial));
 
 	xfr->checkid = ISC_TRUE;
 	xfr->id++;
@@ -1148,8 +1195,8 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
  try_axfr:
 		dns_message_destroy(&msg);
 		xfrin_reset(xfr);
-		xfr->reqtype = dns_rdatatype_axfr;
-		xfr->state = XFRST_INITIALSOA;
+		xfr->reqtype = dns_rdatatype_soa;
+		xfr->state = XFRST_SOAQUERY;
 		(void)xfrin_start(xfr);
 		return;
 	}
@@ -1246,7 +1293,11 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
 
 	dns_message_destroy(&msg);
 
-	if (xfr->state == XFRST_END) {
+	if (xfr->state == XFRST_GOTSOA) {
+		xfr->reqtype = dns_rdatatype_axfr;
+		xfr->state = XFRST_INITIALSOA;
+		CHECK(xfrin_send_request(xfr));
+	} else if (xfr->state == XFRST_END) {
 		/*
 		 * Inform the caller we succeeded.
 		 */
diff --git a/contrib/bind-9.3/lib/dns/zone.c b/contrib/bind-9.3/lib/dns/zone.c
index a993877e91..d2a47b072b 100644
--- a/contrib/bind-9.3/lib/dns/zone.c
+++ b/contrib/bind-9.3/lib/dns/zone.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.333.2.23.2.59 2005/07/29 00:38:33 marka Exp $ */
+/* $Id: zone.c,v 1.333.2.23.2.65 2006/07/19 01:04:24 marka Exp $ */
 
 #include <config.h>
 
@@ -264,6 +264,7 @@ struct dns_zone {
 #define DNS_ZONEFLG_FLUSH	0x00200000U
 #define DNS_ZONEFLG_NOEDNS	0x00400000U
 #define DNS_ZONEFLG_USEALTXFRSRC 0x00800000U
+#define DNS_ZONEFLG_SOABEFOREAXFR 0x01000000U
 
 #define DNS_ZONE_OPTION(z,o) (((z)->options & (o)) != 0)
 
@@ -772,12 +773,10 @@ dns_zone_setdbtype(dns_zone_t *zone,
 
  nomem:
 	if (new != NULL) {
-		for (i = 0; i < dbargc; i++) {
-			if (zone->db_argv[i] != NULL)
+		for (i = 0; i < dbargc; i++)
+			if (new[i] != NULL)
 				isc_mem_free(zone->mctx, new[i]);
-			isc_mem_put(zone->mctx, new,
-				    dbargc * sizeof(*new));
-		}
+		isc_mem_put(zone->mctx, new, dbargc * sizeof(*new));
 	}
 	result = ISC_R_NOMEMORY;
 
@@ -807,7 +806,7 @@ dns_zone_getview(dns_zone_t *zone) {
 
 
 isc_result_t
-dns_zone_setorigin(dns_zone_t *zone, dns_name_t *origin) {
+dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin) {
 	isc_result_t result;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
@@ -998,7 +997,7 @@ zone_load(dns_zone_t *zone, unsigned int flags) {
 			result = isc_file_getmodtime(zone->masterfile,
 						     &filetime);
 			if (result == ISC_R_SUCCESS &&
-			    isc_time_compare(&filetime, &zone->loadtime) < 0) {
+			    isc_time_compare(&filetime, &zone->loadtime) <= 0) {
 				dns_zone_log(zone, ISC_LOG_DEBUG(1),
 					     "skipping load: master file older "
 					     "than last load");
@@ -1010,6 +1009,16 @@ zone_load(dns_zone_t *zone, unsigned int flags) {
 
 	INSIST(zone->db_argc >= 1);
 
+	/*
+	 * Built in zones don't need to be reloaded.
+	 */
+	if (zone->type == dns_zone_master &&
+	    strcmp(zone->db_argv[0], "_builtin") == 0 &&
+	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+
 	if ((zone->type == dns_zone_slave || zone->type == dns_zone_stub) &&
 	    (strcmp(zone->db_argv[0], "rbt") == 0 ||
 	     strcmp(zone->db_argv[0], "rbt64") == 0)) {
@@ -1210,10 +1219,12 @@ zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
 				       zone_gotreadhandle, load,
 				       &zone->readio);
 		if (result != ISC_R_SUCCESS) {
-			tresult = dns_db_endload(load->db,
-						 &load->callbacks.add_private);
-			if (result == ISC_R_SUCCESS)
-				result = tresult;
+			/*
+			 * We can't report multiple errors so ignore
+			 * the result of dns_db_endload().
+			 */
+			(void)dns_db_endload(load->db,
+					     &load->callbacks.add_private);
 			goto cleanup;
 		} else
 			result = DNS_R_CONTINUE;
@@ -1284,14 +1295,12 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	dns_zone_log(zone, ISC_LOG_DEBUG(2),
 		     "number of nodes in database: %u",
 		     dns_db_nodecount(db));
-	zone->loadtime = loadtime;
-
-	dns_zone_log(zone, ISC_LOG_DEBUG(1), "loaded");
 
 	if (result == DNS_R_SEENINCLUDE)
 		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
 	else
 		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
+
 	/*
 	 * Apply update log, if any, on initial load.
 	 */
@@ -1323,6 +1332,10 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 			needdump = ISC_TRUE;
 	}
 
+	zone->loadtime = loadtime;
+
+	dns_zone_log(zone, ISC_LOG_DEBUG(1), "loaded");
+
 	/*
 	 * Obtain ns and soa counts for top of zone.
 	 */
@@ -1821,7 +1834,7 @@ dns_zone_getoptions(dns_zone_t *zone) {
 }
 
 isc_result_t
-dns_zone_setxfrsource4(dns_zone_t *zone, isc_sockaddr_t *xfrsource) {
+dns_zone_setxfrsource4(dns_zone_t *zone, const isc_sockaddr_t *xfrsource) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK_ZONE(zone);
@@ -1838,7 +1851,7 @@ dns_zone_getxfrsource4(dns_zone_t *zone) {
 }
 
 isc_result_t
-dns_zone_setxfrsource6(dns_zone_t *zone, isc_sockaddr_t *xfrsource) {
+dns_zone_setxfrsource6(dns_zone_t *zone, const isc_sockaddr_t *xfrsource) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK_ZONE(zone);
@@ -1855,7 +1868,9 @@ dns_zone_getxfrsource6(dns_zone_t *zone) {
 }
 
 isc_result_t
-dns_zone_setaltxfrsource4(dns_zone_t *zone, isc_sockaddr_t *altxfrsource) {
+dns_zone_setaltxfrsource4(dns_zone_t *zone,
+			  const isc_sockaddr_t *altxfrsource)
+{
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK_ZONE(zone);
@@ -1872,7 +1887,9 @@ dns_zone_getaltxfrsource4(dns_zone_t *zone) {
 }
 
 isc_result_t
-dns_zone_setaltxfrsource6(dns_zone_t *zone, isc_sockaddr_t *altxfrsource) {
+dns_zone_setaltxfrsource6(dns_zone_t *zone,
+			  const isc_sockaddr_t *altxfrsource)
+{
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK_ZONE(zone);
@@ -1889,7 +1906,7 @@ dns_zone_getaltxfrsource6(dns_zone_t *zone) {
 }
 
 isc_result_t
-dns_zone_setnotifysrc4(dns_zone_t *zone, isc_sockaddr_t *notifysrc) {
+dns_zone_setnotifysrc4(dns_zone_t *zone, const isc_sockaddr_t *notifysrc) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK_ZONE(zone);
@@ -1906,7 +1923,7 @@ dns_zone_getnotifysrc4(dns_zone_t *zone) {
 }
 
 isc_result_t
-dns_zone_setnotifysrc6(dns_zone_t *zone, isc_sockaddr_t *notifysrc) {
+dns_zone_setnotifysrc6(dns_zone_t *zone, const isc_sockaddr_t *notifysrc) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK_ZONE(zone);
@@ -1923,7 +1940,7 @@ dns_zone_getnotifysrc6(dns_zone_t *zone) {
 }
 
 isc_result_t
-dns_zone_setalsonotify(dns_zone_t *zone, isc_sockaddr_t *notify,
+dns_zone_setalsonotify(dns_zone_t *zone, const isc_sockaddr_t *notify,
 		       isc_uint32_t count)
 {
 	isc_sockaddr_t *new;
@@ -1953,7 +1970,7 @@ dns_zone_setalsonotify(dns_zone_t *zone, isc_sockaddr_t *notify,
 }
 
 isc_result_t
-dns_zone_setmasters(dns_zone_t *zone, isc_sockaddr_t *masters,
+dns_zone_setmasters(dns_zone_t *zone, const isc_sockaddr_t *masters,
 		    isc_uint32_t count)
 {
 	isc_result_t result;
@@ -1963,8 +1980,10 @@ dns_zone_setmasters(dns_zone_t *zone, isc_sockaddr_t *masters,
 }
 
 isc_result_t
-dns_zone_setmasterswithkeys(dns_zone_t *zone, isc_sockaddr_t *masters,
-			    dns_name_t **keynames, isc_uint32_t count)
+dns_zone_setmasterswithkeys(dns_zone_t *zone,
+			    const isc_sockaddr_t *masters,
+			    dns_name_t **keynames,
+			    isc_uint32_t count)
 {
 	isc_sockaddr_t *new;
 	isc_result_t result = ISC_R_SUCCESS;
@@ -2274,6 +2293,7 @@ dns_zone_refresh(dns_zone_t *zone) {
 	isc_interval_t i;
 	isc_uint32_t oldflags;
 	unsigned int j;
+	isc_result_t result;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 
@@ -2307,7 +2327,11 @@ dns_zone_refresh(dns_zone_t *zone) {
 	 */
 	isc_interval_set(&i, isc_random_jitter(zone->retry, zone->retry / 4),
 			 0);
-	isc_time_nowplusinterval(&zone->refreshtime, &i);
+	result = isc_time_nowplusinterval(&zone->refreshtime, &i);
+	if (result |= ISC_R_SUCCESS)
+		dns_zone_log(zone, ISC_LOG_WARNING,
+			     "isc_time_nowplusinterval() failed: %s",
+			     dns_result_totext(result));
 
 	/*
 	 * When lacking user-specified timer values from the SOA,
@@ -3535,8 +3559,13 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 				     "master %s exceeded (source %s)",
 				     master, source);
 			/* Try with slave with TCP. */
-			if (zone->type == dns_zone_slave)
+			if (zone->type == dns_zone_slave) {
+				LOCK_ZONE(zone);
+				DNS_ZONE_SETFLAG(zone,
+						 DNS_ZONEFLG_SOABEFOREAXFR);
+				UNLOCK_ZONE(zone);
 				goto tcp_transfer;
+			}
 		} else
 			dns_zone_log(zone, ISC_LOG_INFO,
 				     "refresh: failure trying master "
@@ -3603,6 +3632,9 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 				     "initiating TCP zone xfer "
 				     "for master %s (source %s)",
 				     master, source);
+			LOCK_ZONE(zone);
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR);
+			UNLOCK_ZONE(zone);
 			goto tcp_transfer;
 		} else {
 			INSIST(zone->type == dns_zone_stub);
@@ -5515,6 +5547,7 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
 	LOCK_ZONE(zone);
 	INSIST((zone->flags & DNS_ZONEFLG_REFRESH) != 0);
 	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR);
 
 	TIME_NOW(&now);
 	switch (result) {
@@ -5868,7 +5901,10 @@ got_transfer_quota(isc_task_t *task, isc_event_t *event) {
 				     "IXFR disabled, "
 				     "requesting AXFR from %s",
 				     mastertext);
-			xfrtype = dns_rdatatype_axfr;
+			if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR))
+				xfrtype = dns_rdatatype_soa;
+			else
+				xfrtype = dns_rdatatype_axfr;
 		} else {
 			dns_zone_log(zone, ISC_LOG_DEBUG(1),
 				     "requesting IXFR from %s",
diff --git a/contrib/bind-9.3/lib/isc/api b/contrib/bind-9.3/lib/isc/api
index ddeff334f0..b4d017358a 100644
--- a/contrib/bind-9.3/lib/isc/api
+++ b/contrib/bind-9.3/lib/isc/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 11
+LIBINTERFACE = 12
 LIBREVISION = 1
-LIBAGE = 0
+LIBAGE = 1
diff --git a/contrib/bind-9.3/lib/isc/hash.c b/contrib/bind-9.3/lib/isc/hash.c
index 22f370064a..1094206663 100644
--- a/contrib/bind-9.3/lib/isc/hash.c
+++ b/contrib/bind-9.3/lib/isc/hash.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hash.c,v 1.2.2.4.2.1 2004/03/06 08:14:29 marka Exp $ */
+/* $Id: hash.c,v 1.2.2.4.2.3 2006/01/04 00:37:22 marka Exp $ */
 
 /*
  * Some portion of this code was derived from universal hash function
@@ -68,7 +68,6 @@ if advised of the possibility of such damage.
 #include <isc/once.h>
 #include <isc/random.h>
 #include <isc/refcount.h>
-#include <isc/rwlock.h>
 #include <isc/string.h>
 #include <isc/util.h>
 
@@ -99,7 +98,7 @@ struct isc_hash {
 	hash_random_t	*rndvector; /* random vector for universal hashing */
 };
 
-static isc_rwlock_t createlock;
+static isc_mutex_t createlock;
 static isc_once_t once = ISC_ONCE_INIT;
 static isc_hash_t *hash = NULL;
 
@@ -209,7 +208,7 @@ isc_hash_ctxcreate(isc_mem_t *mctx, isc_entropy_t *entropy,
 
 static void
 initialize_lock(void) {
-	RUNTIME_CHECK(isc_rwlock_init(&createlock, 0, 0) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_mutex_init(&createlock) == ISC_R_SUCCESS);
 }
 
 isc_result_t
@@ -221,12 +220,12 @@ isc_hash_create(isc_mem_t *mctx, isc_entropy_t *entropy, size_t limit) {
 
 	RUNTIME_CHECK(isc_once_do(&once, initialize_lock) == ISC_R_SUCCESS);
 
-	RWLOCK(&createlock, isc_rwlocktype_write);
+	LOCK(&createlock);
 
 	if (hash == NULL)
 		result = isc_hash_ctxcreate(mctx, entropy, limit, &hash);
 
-	RWUNLOCK(&createlock, isc_rwlocktype_write);
+	UNLOCK(&createlock);
 
 	return (result);
 }
diff --git a/contrib/bind-9.3/lib/isc/heap.c b/contrib/bind-9.3/lib/isc/heap.c
index 78b192548a..fd67d7bd78 100644
--- a/contrib/bind-9.3/lib/isc/heap.c
+++ b/contrib/bind-9.3/lib/isc/heap.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,15 +15,15 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: heap.c,v 1.28.12.3 2004/03/08 09:04:48 marka Exp $ */
+/* $Id: heap.c,v 1.28.12.4 2006/04/17 18:27:20 explorer Exp $ */
 
-/*
+/*! \file
  * Heap implementation of priority queues adapted from the following:
  *
- *	_Introduction to Algorithms_, Cormen, Leiserson, and Rivest,
+ *	\li "Introduction to Algorithms," Cormen, Leiserson, and Rivest,
  *	MIT Press / McGraw Hill, 1990, ISBN 0-262-03141-8, chapter 7.
  *
- *	_Algorithms_, Second Edition, Sedgewick, Addison-Wesley, 1988,
+ *	\li "Algorithms," Second Edition, Sedgewick, Addison-Wesley, 1988,
  *	ISBN 0-201-06673-4, chapter 11.
  */
 
@@ -35,20 +35,23 @@
 #include <isc/string.h>		/* Required for memcpy. */
 #include <isc/util.h>
 
-/*
+/*@{*/
+/*%
  * Note: to make heap_parent and heap_left easy to compute, the first
  * element of the heap array is not used; i.e. heap subscripts are 1-based,
- * not 0-based.
+ * not 0-based.  The parent is index/2, and the left-child is index*2.
+ * The right child is index*2+1.
  */
 #define heap_parent(i)			((i) >> 1)
 #define heap_left(i)			((i) << 1)
+/*@}*/
 
 #define SIZE_INCREMENT			1024
 
 #define HEAP_MAGIC			ISC_MAGIC('H', 'E', 'A', 'P')
 #define VALID_HEAP(h)			ISC_MAGIC_VALID(h, HEAP_MAGIC)
 
-/*
+/*%
  * When the heap is in a consistent state, the following invariant
  * holds true: for every element i > 1, heap_parent(i) has a priority
  * higher than or equal to that of i.
@@ -57,6 +60,7 @@
 			  ! heap->compare(heap->array[(i)], \
 					  heap->array[heap_parent(i)]))
 
+/*% ISC heap structure. */
 struct isc_heap {
 	unsigned int			magic;
 	isc_mem_t *			mctx;
@@ -141,8 +145,8 @@ static void
 float_up(isc_heap_t *heap, unsigned int i, void *elt) {
 	unsigned int p;
 
-	for (p = heap_parent(i);
-	     i > 1 && heap->compare(elt, heap->array[p]);
+	for (p = heap_parent(i) ;
+	     i > 1 && heap->compare(elt, heap->array[p]) ;
 	     i = p, p = heap_parent(i)) {
 		heap->array[i] = heap->array[p];
 		if (heap->index != NULL)
@@ -196,48 +200,48 @@ isc_heap_insert(isc_heap_t *heap, void *elt) {
 }
 
 void
-isc_heap_delete(isc_heap_t *heap, unsigned int i) {
+isc_heap_delete(isc_heap_t *heap, unsigned int index) {
 	void *elt;
 	isc_boolean_t less;
 
 	REQUIRE(VALID_HEAP(heap));
-	REQUIRE(i >= 1 && i <= heap->last);
+	REQUIRE(index >= 1 && index <= heap->last);
 
-	if (i == heap->last) {
+	if (index == heap->last) {
 		heap->last--;
 	} else {
 		elt = heap->array[heap->last--];
-		less = heap->compare(elt, heap->array[i]);
-		heap->array[i] = elt;
+		less = heap->compare(elt, heap->array[index]);
+		heap->array[index] = elt;
 		if (less)
-			float_up(heap, i, heap->array[i]);
+			float_up(heap, index, heap->array[index]);
 		else
-			sink_down(heap, i, heap->array[i]);
+			sink_down(heap, index, heap->array[index]);
 	}
 }
 
 void
-isc_heap_increased(isc_heap_t *heap, unsigned int i) {
+isc_heap_increased(isc_heap_t *heap, unsigned int index) {
 	REQUIRE(VALID_HEAP(heap));
-	REQUIRE(i >= 1 && i <= heap->last);
+	REQUIRE(index >= 1 && index <= heap->last);
 
-	float_up(heap, i, heap->array[i]);
+	float_up(heap, index, heap->array[index]);
 }
 
 void
-isc_heap_decreased(isc_heap_t *heap, unsigned int i) {
+isc_heap_decreased(isc_heap_t *heap, unsigned int index) {
 	REQUIRE(VALID_HEAP(heap));
-	REQUIRE(i >= 1 && i <= heap->last);
+	REQUIRE(index >= 1 && index <= heap->last);
 
-	sink_down(heap, i, heap->array[i]);
+	sink_down(heap, index, heap->array[index]);
 }
 
 void *
-isc_heap_element(isc_heap_t *heap, unsigned int i) {
+isc_heap_element(isc_heap_t *heap, unsigned int index) {
 	REQUIRE(VALID_HEAP(heap));
-	REQUIRE(i >= 1 && i <= heap->last);
+	REQUIRE(index >= 1 && index <= heap->last);
 
-	return (heap->array[i]);
+	return (heap->array[index]);
 }
 
 void
@@ -247,6 +251,6 @@ isc_heap_foreach(isc_heap_t *heap, isc_heapaction_t action, void *uap) {
 	REQUIRE(VALID_HEAP(heap));
 	REQUIRE(action != NULL);
 
-	for (i = 1; i <= heap->last; i++)
+	for (i = 1 ; i <= heap->last ; i++)
 		(action)(heap->array[i], uap);
 }
diff --git a/contrib/bind-9.3/lib/isc/hmacmd5.c b/contrib/bind-9.3/lib/isc/hmacmd5.c
index 04dc8c5e05..5166a98cf6 100644
--- a/contrib/bind-9.3/lib/isc/hmacmd5.c
+++ b/contrib/bind-9.3/lib/isc/hmacmd5.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hmacmd5.c,v 1.5.12.3 2004/03/08 09:04:48 marka Exp $ */
+/* $Id: hmacmd5.c,v 1.5.12.5 2006/02/26 23:49:48 marka Exp $ */
 
 /*
  * This code implements the HMAC-MD5 keyed hash algorithm
@@ -65,7 +65,6 @@ void
 isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) {
 	isc_md5_invalidate(&ctx->md5ctx);
 	memset(ctx->key, 0, sizeof(ctx->key));
-	memset(ctx, 0, sizeof(ctx));
 }
 
 /*
diff --git a/contrib/bind-9.3/lib/isc/include/isc/heap.h b/contrib/bind-9.3/lib/isc/include/isc/heap.h
index 5ebf40471e..7c7f3c2916 100644
--- a/contrib/bind-9.3/lib/isc/include/isc/heap.h
+++ b/contrib/bind-9.3/lib/isc/include/isc/heap.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,36 +15,155 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: heap.h,v 1.16.206.1 2004/03/06 08:14:41 marka Exp $ */
+/* $Id: heap.h,v 1.16.206.2 2006/04/17 18:27:20 explorer Exp $ */
 
 #ifndef ISC_HEAP_H
 #define ISC_HEAP_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isc/types.h>
 
 ISC_LANG_BEGINDECLS
 
-/*
+/*%
  * The comparision function returns ISC_TRUE if the first argument has
  * higher priority than the second argument, and ISC_FALSE otherwise.
  */
 typedef isc_boolean_t (*isc_heapcompare_t)(void *, void *);
 
+/*%
+ * The index function allows the client of the heap to receive a callback
+ * when an item's index number changes.  This allows it to maintain
+ * sync with its external state, but still delete itself, since deletions
+ * from the heap require the index be provided.
+ */
 typedef void (*isc_heapindex_t)(void *, unsigned int);
+
+/*%
+ * The heapaction function is used when iterating over the heap.
+ *
+ * NOTE:  The heap structure CANNOT BE MODIFIED during the call to
+ * isc_heap_foreach().
+ */
 typedef void (*isc_heapaction_t)(void *, void *);
 
 typedef struct isc_heap isc_heap_t;
 
-isc_result_t	isc_heap_create(isc_mem_t *, isc_heapcompare_t,
-				isc_heapindex_t, unsigned int, isc_heap_t **);
-void		isc_heap_destroy(isc_heap_t **);
-isc_result_t	isc_heap_insert(isc_heap_t *, void *);
-void		isc_heap_delete(isc_heap_t *, unsigned int);
-void		isc_heap_increased(isc_heap_t *, unsigned int);
-void		isc_heap_decreased(isc_heap_t *, unsigned int);
-void *		isc_heap_element(isc_heap_t *, unsigned int);
-void		isc_heap_foreach(isc_heap_t *, isc_heapaction_t, void *);
+isc_result_t
+isc_heap_create(isc_mem_t *mctx, isc_heapcompare_t compare,
+		isc_heapindex_t index, unsigned int size_increment,
+		isc_heap_t **heapp);
+/*!<
+ * \brief Create a new heap.  The heap is implemented using a space-efficient
+ * storage method.  When the heap elements are deleted space is not freed
+ * but will be reused when new elements are inserted.
+ *
+ * Requires:
+ *\li	"mctx" is valid.
+ *\li	"compare" is a function which takes two void * arguments and
+ *	returns ISC_TRUE if the first argument has a higher priority than
+ *	the second, and ISC_FALSE otherwise.
+ *\li	"index" is a function which takes a void *, and an unsigned int
+ *	argument.  This function will be called whenever an element's
+ *	index value changes, so it may continue to delete itself from the
+ *	heap.  This option may be NULL if this functionality is unneeded.
+ *\li	"size_increment" is a hint about how large the heap should grow
+ *	when resizing is needed.  If this is 0, a default size will be
+ *	used, which is currently 1024, allowing space for an additional 1024
+ *	heap elements to be inserted before adding more space.
+ *\li	"heapp" is not NULL, and "*heap" is NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS		- success
+ *\li	ISC_R_NOMEMORY		- insufficient memory
+ */
+
+void
+isc_heap_destroy(isc_heap_t **heapp);
+/*!<
+ * \brief Destroys a heap.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ */
+
+isc_result_t
+isc_heap_insert(isc_heap_t *heap, void *elt);
+/*!<
+ * \brief Inserts a new element into a heap.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ */
+
+void
+isc_heap_delete(isc_heap_t *heap, unsigned int index);
+/*!<
+ * \brief Deletes an element from a heap, by element index.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ *\li	"index" is a valid element index, as provided by the "index" callback
+ *	provided during heap creation.
+ */
+
+void
+isc_heap_increased(isc_heap_t *heap, unsigned int index);
+/*!<
+ * \brief Indicates to the heap that an element's priority has increased.
+ * This function MUST be called whenever an element has increased in priority.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ *\li	"index" is a valid element index, as provided by the "index" callback
+ *	provided during heap creation.
+ */
+
+void
+isc_heap_decreased(isc_heap_t *heap, unsigned int index);
+/*!<
+ * \brief Indicates to the heap that an element's priority has decreased.
+ * This function MUST be called whenever an element has decreased in priority.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ *\li	"index" is a valid element index, as provided by the "index" callback
+ *	provided during heap creation.
+ */
+
+void *
+isc_heap_element(isc_heap_t *heap, unsigned int index);
+/*!<
+ * \brief Returns the element for a specific element index.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ *\li	"index" is a valid element index, as provided by the "index" callback
+ *	provided during heap creation.
+ *
+ * Returns:
+ *\li	A pointer to the element for the element index.
+ */
+
+void
+isc_heap_foreach(isc_heap_t *heap, isc_heapaction_t action, void *uap);
+/*!<
+ * \brief Iterate over the heap, calling an action for each element.  The
+ * order of iteration is not sorted.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ *\li	"action" is not NULL, and is a function which takes two arguments.
+ *	The first is a void *, representing the element, and the second is
+ *	"uap" as provided to isc_heap_foreach.
+ *\li	"uap" is a caller-provided argument, and may be NULL.
+ *
+ * Note:
+ *\li	The heap structure CANNOT be modified during this iteration.  The only
+ *	safe function to call while iterating the heap is isc_heap_element().
+ */
 
 ISC_LANG_ENDDECLS
 
diff --git a/contrib/bind-9.3/lib/isc/include/isc/list.h b/contrib/bind-9.3/lib/isc/include/isc/list.h
index 962336ada8..5fe82e3fe5 100644
--- a/contrib/bind-9.3/lib/isc/include/isc/list.h
+++ b/contrib/bind-9.3/lib/isc/include/isc/list.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: list.h,v 1.18.2.2.8.1 2004/03/06 08:14:43 marka Exp $ */
+/* $Id: list.h,v 1.18.2.2.8.3 2006/06/06 00:11:40 marka Exp $ */
 
 #ifndef ISC_LIST_H
 #define ISC_LIST_H 1
@@ -90,12 +90,16 @@
 	do { \
 		if ((elt)->link.next != NULL) \
 			(elt)->link.next->link.prev = (elt)->link.prev; \
-		else \
+		else { \
+			ISC_INSIST((list).tail == (elt)); \
 			(list).tail = (elt)->link.prev; \
+		} \
 		if ((elt)->link.prev != NULL) \
 			(elt)->link.prev->link.next = (elt)->link.next; \
-		else \
+		else { \
+			ISC_INSIST((list).head == (elt)); \
 			(list).head = (elt)->link.next; \
+		} \
 		(elt)->link.prev = (type *)(-1); \
 		(elt)->link.next = (type *)(-1); \
 	} while (0)
diff --git a/contrib/bind-9.3/lib/isc/include/isc/sockaddr.h b/contrib/bind-9.3/lib/isc/include/isc/sockaddr.h
index 1ffbca640f..88e45940ca 100644
--- a/contrib/bind-9.3/lib/isc/include/isc/sockaddr.h
+++ b/contrib/bind-9.3/lib/isc/include/isc/sockaddr.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sockaddr.h,v 1.35.12.8 2005/07/29 00:13:10 marka Exp $ */
+/* $Id: sockaddr.h,v 1.35.12.10 2006/03/02 00:37:20 marka Exp $ */
 
 #ifndef ISC_SOCKADDR_H
 #define ISC_SOCKADDR_H 1
@@ -141,7 +141,7 @@ isc_sockaddr_setport(isc_sockaddr_t *sockaddr, in_port_t port);
  */
 
 in_port_t
-isc_sockaddr_getport(isc_sockaddr_t *sockaddr);
+isc_sockaddr_getport(const isc_sockaddr_t *sockaddr);
 /*
  * Get the port stored in 'sockaddr'.
  */
@@ -168,25 +168,25 @@ isc_sockaddr_format(const isc_sockaddr_t *sa, char *array, unsigned int size);
  */
 
 isc_boolean_t
-isc_sockaddr_ismulticast(isc_sockaddr_t *sa);
+isc_sockaddr_ismulticast(const isc_sockaddr_t *sa);
 /*
  * Returns ISC_TRUE if the address is a multicast address.
  */
 
 isc_boolean_t
-isc_sockaddr_isexperimental(isc_sockaddr_t *sa);
+isc_sockaddr_isexperimental(const isc_sockaddr_t *sa);
 /*
  * Returns ISC_TRUE if the address is a experimental (CLASS E) address.
  */
 
 isc_boolean_t
-isc_sockaddr_islinklocal(isc_sockaddr_t *sa);
+isc_sockaddr_islinklocal(const isc_sockaddr_t *sa);
 /*
  * Returns ISC_TRUE if the address is a link local addresss.
  */
 
 isc_boolean_t
-isc_sockaddr_issitelocal(isc_sockaddr_t *sa);
+isc_sockaddr_issitelocal(const isc_sockaddr_t *sa);
 /*
  * Returns ISC_TRUE if the address is a sitelocal address.
  */
diff --git a/contrib/bind-9.3/lib/isc/include/isc/symtab.h b/contrib/bind-9.3/lib/isc/include/isc/symtab.h
index d8dbd2107e..b22fe81596 100644
--- a/contrib/bind-9.3/lib/isc/include/isc/symtab.h
+++ b/contrib/bind-9.3/lib/isc/include/isc/symtab.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1996-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: symtab.h,v 1.16.206.1 2004/03/06 08:14:49 marka Exp $ */
+/* $Id: symtab.h,v 1.16.206.3 2006/03/02 00:37:20 marka Exp $ */
 
 #ifndef ISC_SYMTAB_H
 #define ISC_SYMTAB_H 1
@@ -88,6 +88,7 @@
 
 typedef union isc_symvalue {
 	void *				as_pointer;
+	const void *			as_cpointer;
 	int				as_integer;
 	unsigned int			as_uinteger;
 } isc_symvalue_t;
diff --git a/contrib/bind-9.3/lib/isc/lex.c b/contrib/bind-9.3/lib/isc/lex.c
index bb832dd0b4..3511d6bd0e 100644
--- a/contrib/bind-9.3/lib/isc/lex.c
+++ b/contrib/bind-9.3/lib/isc/lex.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lex.c,v 1.66.2.6.2.8 2004/08/28 06:25:21 marka Exp $ */
+/* $Id: lex.c,v 1.66.2.6.2.10 2006/01/04 23:50:21 marka Exp $ */
 
 #include <config.h>
 
@@ -372,9 +372,6 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
 	source = HEAD(lex->sources);
 	REQUIRE(tokenp != NULL);
 
-	lex->saved_paren_count = lex->paren_count;
-	source->saved_line = source->line;
-
 	if (source == NULL) {
 		if ((options & ISC_LEXOPT_NOMORE) != 0) {
 			tokenp->type = isc_tokentype_nomore;
@@ -386,6 +383,9 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
 	if (source->result != ISC_R_SUCCESS)
 		return (source->result);
 
+	lex->saved_paren_count = lex->paren_count;
+	source->saved_line = source->line;
+
 	if (isc_buffer_remaininglength(source->pushback) == 0 &&
 	    source->at_eof)
 	{
@@ -633,9 +633,13 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
 			remaining--;
 			break;
 		case lexstate_string:
-			if ((!escaped &&
-			     (c == ' ' || c == '\t' || lex->specials[c])) ||
-			    c == '\r' || c == '\n' || c == EOF) {
+			/*
+			 * EOF needs to be checked before lex->specials[c]
+			 * as lex->specials[EOF] is not a good idea.
+			 */
+			if (c == '\r' || c == '\n' || c == EOF ||
+			    (!escaped &&
+			     (c == ' ' || c == '\t' || lex->specials[c]))) {
 				pushback(source, c);
 				if (source->result != ISC_R_SUCCESS) {
 					result = source->result;
diff --git a/contrib/bind-9.3/lib/isc/log.c b/contrib/bind-9.3/lib/isc/log.c
index 247b25339d..511573bcc3 100644
--- a/contrib/bind-9.3/lib/isc/log.c
+++ b/contrib/bind-9.3/lib/isc/log.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.c,v 1.70.2.8.2.12 2004/06/11 00:35:38 marka Exp $ */
+/* $Id: log.c,v 1.70.2.8.2.14 2006/03/02 00:37:20 marka Exp $ */
 
 /* Principal Authors: DCL */
 
@@ -1728,8 +1728,9 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 				syslog_level = syslog_map[-level];
 
 			(void)syslog(FACILITY(channel) | syslog_level,
-			       "%s%s%s%s%s%s%s%s%s",
+			       "%s%s%s%s%s%s%s%s%s%s",
 			       printtime     ? time_string	: "",
+			       printtime     ? " "		: "",
 			       printtag      ? lcfg->tag	: "",
 			       printtag      ? ": "		: "",
 			       printcategory ? category->name	: "",
diff --git a/contrib/bind-9.3/lib/isc/netscope.c b/contrib/bind-9.3/lib/isc/netscope.c
index 843c46df9e..8df448399c 100644
--- a/contrib/bind-9.3/lib/isc/netscope.c
+++ b/contrib/bind-9.3/lib/isc/netscope.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -17,9 +17,11 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static char rcsid[] =
-	"$Id: netscope.c,v 1.5.142.7 2004/03/12 10:31:26 marka Exp $";
+	"$Id: netscope.c,v 1.5.142.9 2006/08/25 05:25:50 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
+#include <config.h>
+
 #include <isc/string.h>
 #include <isc/net.h>
 #include <isc/netscope.h>
diff --git a/contrib/bind-9.3/lib/isc/nothreads/condition.c b/contrib/bind-9.3/lib/isc/nothreads/condition.c
index 0bc6196a1a..395d52f7d3 100644
--- a/contrib/bind-9.3/lib/isc/nothreads/condition.c
+++ b/contrib/bind-9.3/lib/isc/nothreads/condition.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: condition.c,v 1.4.12.3 2004/03/08 09:04:54 marka Exp $ */
+/* $Id: condition.c,v 1.4.12.5 2006/08/25 05:25:50 marka Exp $ */
+
+#include <config.h>
 
 #include <isc/util.h>
 
diff --git a/contrib/bind-9.3/lib/isc/nothreads/mutex.c b/contrib/bind-9.3/lib/isc/nothreads/mutex.c
index cc7572a697..a707947fe9 100644
--- a/contrib/bind-9.3/lib/isc/nothreads/mutex.c
+++ b/contrib/bind-9.3/lib/isc/nothreads/mutex.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutex.c,v 1.4.12.3 2004/03/08 09:04:54 marka Exp $ */
+/* $Id: mutex.c,v 1.4.12.5 2006/08/25 05:25:50 marka Exp $ */
+
+#include <config.h>
 
 #include <isc/util.h>
 
diff --git a/contrib/bind-9.3/lib/isc/print.c b/contrib/bind-9.3/lib/isc/print.c
index 6542fe4f19..ee50b29e5d 100644
--- a/contrib/bind-9.3/lib/isc/print.c
+++ b/contrib/bind-9.3/lib/isc/print.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,15 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: print.c,v 1.22.2.3.2.3 2004/03/06 08:14:33 marka Exp $ */
+/* $Id: print.c,v 1.22.2.3.2.4 2006/04/17 18:27:20 explorer Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
 #include <ctype.h>
-#include <stdio.h>		/* for sprintf */
+#include <stdio.h>		/* for sprintf() */
+#include <string.h>		/* for strlen() */
 
 #define	ISC__PRINT_SOURCE	/* Used to get the isc_print_* prototypes. */
 
@@ -41,7 +44,7 @@ isc_print_sprintf(char *str, const char *format, ...) {
 	return (strlen(str));
 }
 
-/*
+/*!
  * Return length of string that would have been written if not truncated.
  */
 
@@ -57,7 +60,7 @@ isc_print_snprintf(char *str, size_t size, const char *format, ...) {
 
 }
 
-/*
+/*!
  * Return length of string that would have been written if not truncated.
  */
 
diff --git a/contrib/bind-9.3/lib/isc/sockaddr.c b/contrib/bind-9.3/lib/isc/sockaddr.c
index 4c47e4e06b..a40f0c9ccf 100644
--- a/contrib/bind-9.3/lib/isc/sockaddr.c
+++ b/contrib/bind-9.3/lib/isc/sockaddr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sockaddr.c,v 1.48.2.1.2.10 2004/05/15 03:46:12 jinmei Exp $ */
+/* $Id: sockaddr.c,v 1.48.2.1.2.12 2006/03/02 00:37:20 marka Exp $ */
 
 #include <config.h>
 
@@ -400,7 +400,7 @@ isc_sockaddr_setport(isc_sockaddr_t *sockaddr, in_port_t port) {
 }
 
 in_port_t
-isc_sockaddr_getport(isc_sockaddr_t *sockaddr) {
+isc_sockaddr_getport(const isc_sockaddr_t *sockaddr) {
 	in_port_t port = 0;
 
 	switch (sockaddr->type.sa.sa_family) {
@@ -422,7 +422,7 @@ isc_sockaddr_getport(isc_sockaddr_t *sockaddr) {
 }
 
 isc_boolean_t
-isc_sockaddr_ismulticast(isc_sockaddr_t *sockaddr) {
+isc_sockaddr_ismulticast(const isc_sockaddr_t *sockaddr) {
 	isc_netaddr_t netaddr;
 
 	isc_netaddr_fromsockaddr(&netaddr, sockaddr);
@@ -430,7 +430,7 @@ isc_sockaddr_ismulticast(isc_sockaddr_t *sockaddr) {
 }
 
 isc_boolean_t
-isc_sockaddr_isexperimental(isc_sockaddr_t *sockaddr) {
+isc_sockaddr_isexperimental(const isc_sockaddr_t *sockaddr) {
 	isc_netaddr_t netaddr;
 
 	if (sockaddr->type.sa.sa_family == AF_INET) {
@@ -441,7 +441,7 @@ isc_sockaddr_isexperimental(isc_sockaddr_t *sockaddr) {
 }
 
 isc_boolean_t
-isc_sockaddr_issitelocal(isc_sockaddr_t *sockaddr) {
+isc_sockaddr_issitelocal(const isc_sockaddr_t *sockaddr) {
 	isc_netaddr_t netaddr;
 
 	if (sockaddr->type.sa.sa_family == AF_INET6) {
@@ -452,7 +452,7 @@ isc_sockaddr_issitelocal(isc_sockaddr_t *sockaddr) {
 }
 
 isc_boolean_t
-isc_sockaddr_islinklocal(isc_sockaddr_t *sockaddr) {
+isc_sockaddr_islinklocal(const isc_sockaddr_t *sockaddr) {
 	isc_netaddr_t netaddr;
 
 	if (sockaddr->type.sa.sa_family == AF_INET6) {
diff --git a/contrib/bind-9.3/lib/isc/taskpool.c b/contrib/bind-9.3/lib/isc/taskpool.c
index 0b400bf722..a3931a9fb9 100644
--- a/contrib/bind-9.3/lib/isc/taskpool.c
+++ b/contrib/bind-9.3/lib/isc/taskpool.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: taskpool.c,v 1.10.12.3 2004/03/08 09:04:50 marka Exp $ */
+/* $Id: taskpool.c,v 1.10.12.5 2006/01/04 23:50:21 marka Exp $ */
 
 #include <config.h>
 
@@ -52,6 +52,10 @@ isc_taskpool_create(isc_taskmgr_t *tmgr, isc_mem_t *mctx,
 	pool->mctx = mctx;
 	pool->ntasks = ntasks;
 	pool->tasks = isc_mem_get(mctx, ntasks * sizeof(isc_task_t *));
+	if (pool->tasks == NULL) {
+		isc_mem_put(mctx, pool, sizeof(*pool));
+		return (ISC_R_NOMEMORY);
+	}
 	for (i = 0; i < ntasks; i++)
 		pool->tasks[i] = NULL;
 	for (i = 0; i < ntasks; i++) {
diff --git a/contrib/bind-9.3/lib/isc/timer.c b/contrib/bind-9.3/lib/isc/timer.c
index 5426079397..6a6acf6bb0 100644
--- a/contrib/bind-9.3/lib/isc/timer.c
+++ b/contrib/bind-9.3/lib/isc/timer.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.c,v 1.64.12.11 2005/10/27 00:27:29 marka Exp $ */
+/* $Id: timer.c,v 1.64.12.13 2006/01/04 23:50:21 marka Exp $ */
 
 #include <config.h>
 
@@ -212,9 +212,10 @@ schedule(isc_timer_t *timer, isc_time_t *now, isc_boolean_t signal_ok) {
 		isc_time_t then;
 
 		isc_interval_set(&fifteen, 15, 0);
-		isc_time_add(&manager->due, &fifteen, &then);
+		result = isc_time_add(&manager->due, &fifteen, &then);
 
-		if (isc_time_compare(&then, now) < 0) {
+		if (result == ISC_R_SUCCESS &&
+		    isc_time_compare(&then, now) < 0) {
 			SIGNAL(&manager->wakeup);
 			signal_ok = ISC_FALSE;
 			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
@@ -347,8 +348,10 @@ isc_timer_create(isc_timermgr_t *manager, isc_timertype_t type,
 
 	if (type == isc_timertype_once && !isc_interval_iszero(interval)) {
 		result = isc_time_add(&now, interval, &timer->idle);
-		if (result != ISC_R_SUCCESS)
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_put(manager->mctx, timer, sizeof(*timer));
 			return (result);
+		}
 	} else
 		isc_time_settoepoch(&timer->idle);
 
diff --git a/contrib/bind-9.3/lib/isc/unix/entropy.c b/contrib/bind-9.3/lib/isc/unix/entropy.c
index 50506634e4..d52849aa35 100644
--- a/contrib/bind-9.3/lib/isc/unix/entropy.c
+++ b/contrib/bind-9.3/lib/isc/unix/entropy.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: entropy.c,v 1.60.2.3.8.11 2005/07/12 05:47:43 marka Exp $ */
+/* $Id: entropy.c,v 1.60.2.3.8.14 2006/03/02 23:29:17 marka Exp $ */
 
 /*
  * This is the system depenedent part of the ISC entropy API.
@@ -127,7 +127,7 @@ get_from_usocketsource(isc_entropysource_t *source, isc_uint32_t desired) {
 		switch ( source->sources.usocket.status ) {
 		case isc_usocketsource_ndesired:
 			buf[0] = ndesired;
-			if ((n = send(fd, buf, 1, 0)) < 0) {
+			if ((n = sendto(fd, buf, 1, 0, NULL, 0)) < 0) {
 				if (errno == EWOULDBLOCK || errno == EINTR ||
 				    errno == ECONNRESET)
 					goto out;
@@ -142,7 +142,7 @@ get_from_usocketsource(isc_entropysource_t *source, isc_uint32_t desired) {
 		case isc_usocketsource_connected:
 			buf[0] = 1;
 			buf[1] = ndesired;
-			if ((n = send(fd, buf, 2, 0)) < 0) {
+			if ((n = sendto(fd, buf, 2, 0, NULL, 0)) < 0) {
 				if (errno == EWOULDBLOCK || errno == EINTR ||
 				    errno == ECONNRESET)
 					goto out;
@@ -159,12 +159,12 @@ get_from_usocketsource(isc_entropysource_t *source, isc_uint32_t desired) {
 			/*FALLTHROUGH*/
 		
 		case isc_usocketsource_wrote:
-			if (recv(fd, buf, 1, 0) != 1) {
+			if (recvfrom(fd, buf, 1, 0, NULL, NULL) != 1) {
 				if (errno == EAGAIN) {
 					/*
 					 * The problem of EAGAIN (try again
 					 * later) is a major issue on HP-UX.
-					 * Solaris actually tries the recv
+					 * Solaris actually tries the recvfrom
 					 * call again, while HP-UX just dies. 
 					 * This code is an attempt to let the
 					 * entropy pool fill back up (at least
@@ -503,7 +503,7 @@ isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname) {
 	if (S_ISSOCK(_stat.st_mode))
 		is_usocket = ISC_TRUE;
 #endif
-#if defined(S_ISFIFO)
+#if defined(S_ISFIFO) && defined(sun)
 	if (S_ISFIFO(_stat.st_mode))
 		is_usocket = ISC_TRUE;
 #endif
diff --git a/contrib/bind-9.3/lib/isc/unix/fsaccess.c b/contrib/bind-9.3/lib/isc/unix/fsaccess.c
index 5fa4fb4749..3745ca227f 100644
--- a/contrib/bind-9.3/lib/isc/unix/fsaccess.c
+++ b/contrib/bind-9.3/lib/isc/unix/fsaccess.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: fsaccess.c,v 1.6.206.1 2004/03/06 08:14:59 marka Exp $ */
+/* $Id: fsaccess.c,v 1.6.206.3 2006/08/25 05:25:50 marka Exp $ */
+
+#include <config.h>
 
 #include <sys/types.h>
 #include <sys/stat.h>
diff --git a/contrib/bind-9.3/lib/isc/unix/ifiter_ioctl.c b/contrib/bind-9.3/lib/isc/unix/ifiter_ioctl.c
index 0b01b96f94..68a13651bc 100644
--- a/contrib/bind-9.3/lib/isc/unix/ifiter_ioctl.c
+++ b/contrib/bind-9.3/lib/isc/unix/ifiter_ioctl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ifiter_ioctl.c,v 1.19.2.5.2.17 2005/10/14 02:13:07 marka Exp $ */
+/* $Id: ifiter_ioctl.c,v 1.19.2.5.2.19 2006/02/03 23:51:37 marka Exp $ */
 
 /*
  * Obtain the list of network interfaces using the SIOCGLIFCONF ioctl.
@@ -529,7 +529,8 @@ internal_current4(isc_interfaceiter_t *iter) {
 #endif
 
 	REQUIRE(VALID_IFITER(iter));
-	REQUIRE (iter->pos < (unsigned int) iter->ifc.ifc_len);
+	REQUIRE(iter->ifc.ifc_len == 0 ||
+		iter->pos < (unsigned int) iter->ifc.ifc_len);
 
 #ifdef __linux
 	result = linux_if_inet6_current(iter);
@@ -538,6 +539,9 @@ internal_current4(isc_interfaceiter_t *iter) {
 	iter->first = ISC_TRUE;
 #endif
 
+	if (iter->ifc.ifc_len == 0)
+		return (ISC_R_NOMORE);
+
 	ifrp = (struct ifreq *)((char *) iter->ifc.ifc_req + iter->pos);
 
 	memset(&ifreq, 0, sizeof(ifreq));
diff --git a/contrib/bind-9.3/lib/isc/unix/ipv6.c b/contrib/bind-9.3/lib/isc/unix/ipv6.c
index 25e0c57b09..f11262f599 100644
--- a/contrib/bind-9.3/lib/isc/unix/ipv6.c
+++ b/contrib/bind-9.3/lib/isc/unix/ipv6.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ipv6.c,v 1.7.206.1 2004/03/06 08:15:00 marka Exp $ */
+/* $Id: ipv6.c,v 1.7.206.3 2006/08/25 05:25:50 marka Exp $ */
+
+#include <config.h>
 
 #include <isc/ipv6.h>
 
diff --git a/contrib/bind-9.3/lib/isc/unix/socket.c b/contrib/bind-9.3/lib/isc/unix/socket.c
index 595990f995..f95e3c8f75 100644
--- a/contrib/bind-9.3/lib/isc/unix/socket.c
+++ b/contrib/bind-9.3/lib/isc/unix/socket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.c,v 1.207.2.19.2.22 2005/11/03 23:08:42 marka Exp $ */
+/* $Id: socket.c,v 1.207.2.19.2.26 2006/05/19 02:53:36 marka Exp $ */
 
 #include <config.h>
 
@@ -109,7 +109,7 @@ typedef isc_event_t intev_t;
  * to collect the destination address and interface so the client can
  * set them on outgoing packets.
  */
-#ifdef ISC_PLATFORM_HAVEIPV6
+#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
 #ifndef USE_CMSG
 #define USE_CMSG	1
 #endif
@@ -747,8 +747,26 @@ build_msghdr_recv(isc_socket_t *sock, isc_socketevent_t *dev,
 
 	if (sock->type == isc_sockettype_udp) {
 		memset(&dev->address, 0, sizeof(dev->address));
+#ifdef BROKEN_RECVMSG
+		if (sock->pf == AF_INET) {
+			msg->msg_name = (void *)&dev->address.type.sin;
+			msg->msg_namelen = sizeof(dev->address.type.sin6);
+		} else if (sock->pf == AF_INET6) {
+			msg->msg_name = (void *)&dev->address.type.sin6;
+			msg->msg_namelen = sizeof(dev->address.type.sin6);
+#ifdef ISC_PLATFORM_HAVESYSUNH
+		} else if (sock->pf == AF_UNIX) {
+			msg->msg_name = (void *)&dev->address.type.sunix;
+			msg->msg_namelen = sizeof(dev->address.type.sunix);
+#endif
+		} else {
+			msg->msg_name = (void *)&dev->address.type.sa;
+			msg->msg_namelen = sizeof(dev->address.type);
+		}
+#else
 		msg->msg_name = (void *)&dev->address.type.sa;
 		msg->msg_namelen = sizeof(dev->address.type);
+#endif
 #ifdef ISC_NET_RECVOVERFLOW
 		/* If needed, steal one iovec for overflow detection. */
 		maxiov--;
@@ -921,6 +939,10 @@ doio_recv(isc_socket_t *sock, isc_socketevent_t *dev) {
 	cc = recvmsg(sock->fd, &msghdr, 0);
 	recv_errno = errno;
 
+#if defined(ISC_SOCKET_DEBUG)
+	dump_msg(&msghdr);
+#endif
+
 	if (cc < 0) {
 		if (SOFT_ERROR(recv_errno))
 			return (DOIO_SOFT);
@@ -2681,8 +2703,8 @@ socket_send(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
 		dev->attributes |= ISC_SOCKEVENTATTR_PKTINFO;
 		dev->pktinfo = *pktinfo;
 
-		if (!isc_sockaddr_issitelocal(address) &&
-		    !isc_sockaddr_islinklocal(address)) {
+		if (!isc_sockaddr_issitelocal(&dev->address) &&
+		    !isc_sockaddr_islinklocal(&dev->address)) {
 			socket_log(sock, NULL, TRACE, isc_msgcat,
 				   ISC_MSGSET_SOCKET, ISC_MSG_PKTINFOPROVIDED,
 				   "pktinfo structure provided, ifindex %u "
diff --git a/contrib/bind-9.3/lib/isccc/api b/contrib/bind-9.3/lib/isccc/api
index 4f115e73f2..8c77091b90 100644
--- a/contrib/bind-9.3/lib/isccc/api
+++ b/contrib/bind-9.3/lib/isccc/api
@@ -1,3 +1,3 @@
 LIBINTERFACE = 2
-LIBREVISION = 1
+LIBREVISION = 2
 LIBAGE = 2
diff --git a/contrib/bind-9.3/lib/isccfg/include/isccfg/cfg.h b/contrib/bind-9.3/lib/isccfg/include/isccfg/cfg.h
index b4081cd7b3..c4867199b9 100644
--- a/contrib/bind-9.3/lib/isccfg/include/isccfg/cfg.h
+++ b/contrib/bind-9.3/lib/isccfg/include/isccfg/cfg.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cfg.h,v 1.30.12.4 2004/03/08 09:05:07 marka Exp $ */
+/* $Id: cfg.h,v 1.30.12.6 2006/03/02 00:37:20 marka Exp $ */
 
 #ifndef ISCCFG_CFG_H
 #define ISCCFG_CFG_H 1
@@ -74,7 +74,7 @@ typedef struct cfg_listelt cfg_listelt_t;
  * "directory".
  */
 typedef isc_result_t
-(*cfg_parsecallback_t)(const char *clausename, cfg_obj_t *obj, void *arg);
+(*cfg_parsecallback_t)(const char *clausename, const cfg_obj_t *obj, void *arg);
 
 /***
  *** Functions
@@ -143,20 +143,20 @@ cfg_parser_destroy(cfg_parser_t **pctxp);
  */
 
 isc_boolean_t
-cfg_obj_isvoid(cfg_obj_t *obj);
+cfg_obj_isvoid(const cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is of void type (e.g., an optional 
  * value not specified).
  */
 
 isc_boolean_t
-cfg_obj_ismap(cfg_obj_t *obj);
+cfg_obj_ismap(const cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is of a map type.
  */
 
 isc_result_t
-cfg_map_get(cfg_obj_t *mapobj, const char* name, cfg_obj_t **obj);
+cfg_map_get(const cfg_obj_t *mapobj, const char* name, const cfg_obj_t **obj);
 /*
  * Extract an element from a configuration object, which
  * must be of a map type.
@@ -171,8 +171,8 @@ cfg_map_get(cfg_obj_t *mapobj, const char* name, cfg_obj_t **obj);
  *      ISC_R_NOTFOUND                 - name not found in map
  */
 
-cfg_obj_t *
-cfg_map_getname(cfg_obj_t *mapobj);
+const cfg_obj_t *
+cfg_map_getname(const cfg_obj_t *mapobj);
 /*
  * Get the name of a named map object, like a server "key" clause.
  *
@@ -185,13 +185,13 @@ cfg_map_getname(cfg_obj_t *mapobj);
  */
 
 isc_boolean_t
-cfg_obj_istuple(cfg_obj_t *obj);
+cfg_obj_istuple(const cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is of a map type.
  */
 
-cfg_obj_t *
-cfg_tuple_get(cfg_obj_t *tupleobj, const char *name);
+const cfg_obj_t *
+cfg_tuple_get(const cfg_obj_t *tupleobj, const char *name);
 /*
  * Extract an element from a configuration object, which
  * must be of a tuple type.
@@ -203,13 +203,13 @@ cfg_tuple_get(cfg_obj_t *tupleobj, const char *name);
  */
 
 isc_boolean_t
-cfg_obj_isuint32(cfg_obj_t *obj);
+cfg_obj_isuint32(const cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is of integer type.
  */
 
 isc_uint32_t
-cfg_obj_asuint32(cfg_obj_t *obj);
+cfg_obj_asuint32(const cfg_obj_t *obj);
 /*
  * Returns the value of a configuration object of 32-bit integer type.
  *
@@ -221,13 +221,13 @@ cfg_obj_asuint32(cfg_obj_t *obj);
  */
 
 isc_boolean_t
-cfg_obj_isuint64(cfg_obj_t *obj);
+cfg_obj_isuint64(const cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is of integer type.
  */
 
 isc_uint64_t
-cfg_obj_asuint64(cfg_obj_t *obj);
+cfg_obj_asuint64(const cfg_obj_t *obj);
 /*
  * Returns the value of a configuration object of 64-bit integer type.
  *
@@ -239,13 +239,13 @@ cfg_obj_asuint64(cfg_obj_t *obj);
  */
 
 isc_boolean_t
-cfg_obj_isstring(cfg_obj_t *obj);
+cfg_obj_isstring(const cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is of string type.
  */
 
-char *
-cfg_obj_asstring(cfg_obj_t *obj);
+const char *
+cfg_obj_asstring(const cfg_obj_t *obj);
 /*
  * Returns the value of a configuration object of a string type
  * as a null-terminated string.
@@ -258,13 +258,13 @@ cfg_obj_asstring(cfg_obj_t *obj);
  */
 
 isc_boolean_t
-cfg_obj_isboolean(cfg_obj_t *obj);
+cfg_obj_isboolean(const cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is of a boolean type.
  */
 
 isc_boolean_t
-cfg_obj_asboolean(cfg_obj_t *obj);
+cfg_obj_asboolean(const cfg_obj_t *obj);
 /*
  * Returns the value of a configuration object of a boolean type.
  *
@@ -276,13 +276,13 @@ cfg_obj_asboolean(cfg_obj_t *obj);
  */
 
 isc_boolean_t
-cfg_obj_issockaddr(cfg_obj_t *obj);
+cfg_obj_issockaddr(const cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is a socket address.
  */
 
-isc_sockaddr_t *
-cfg_obj_assockaddr(cfg_obj_t *obj);
+const isc_sockaddr_t *
+cfg_obj_assockaddr(const cfg_obj_t *obj);
 /*
  * Returns the value of a configuration object representing a socket address.
  *
@@ -295,13 +295,13 @@ cfg_obj_assockaddr(cfg_obj_t *obj);
  */
 
 isc_boolean_t
-cfg_obj_isnetprefix(cfg_obj_t *obj);
+cfg_obj_isnetprefix(const cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is a network prefix.
  */
 
 void
-cfg_obj_asnetprefix(cfg_obj_t *obj, isc_netaddr_t *netaddr,
+cfg_obj_asnetprefix(const cfg_obj_t *obj, isc_netaddr_t *netaddr,
 		    unsigned int *prefixlen);
 /*
  * Gets the value of a configuration object representing a network
@@ -314,13 +314,13 @@ cfg_obj_asnetprefix(cfg_obj_t *obj, isc_netaddr_t *netaddr,
  */
 
 isc_boolean_t
-cfg_obj_islist(cfg_obj_t *obj);
+cfg_obj_islist(const cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is of list type.
  */
 
-cfg_listelt_t *
-cfg_list_first(cfg_obj_t *obj);
+const cfg_listelt_t *
+cfg_list_first(const cfg_obj_t *obj);
 /*
  * Returns the first list element in a configuration object of a list type.
  *
@@ -332,8 +332,8 @@ cfg_list_first(cfg_obj_t *obj);
  * 	or NULL if the list is empty or nonexistent.
  */
 
-cfg_listelt_t *
-cfg_list_next(cfg_listelt_t *elt);
+const cfg_listelt_t *
+cfg_list_next(const cfg_listelt_t *elt);
 /*
  * Returns the next element of a list of configuration objects.
  *
@@ -346,8 +346,8 @@ cfg_list_next(cfg_listelt_t *elt);
  * 	or NULL if there are no more elements.
  */
 
-cfg_obj_t *
-cfg_listelt_value(cfg_listelt_t *elt);
+const cfg_obj_t *
+cfg_listelt_value(const cfg_listelt_t *elt);
 /*
  * Returns the configuration object associated with cfg_listelt_t.
  *
@@ -360,7 +360,7 @@ cfg_listelt_value(cfg_listelt_t *elt);
  */
 
 void
-cfg_print(cfg_obj_t *obj,
+cfg_print(const cfg_obj_t *obj,
 	  void (*f)(void *closure, const char *text, int textlen),
 	  void *closure);
 /*
@@ -378,7 +378,7 @@ cfg_print_grammar(const cfg_type_t *type,
  */
 
 isc_boolean_t
-cfg_obj_istype(cfg_obj_t *obj, const cfg_type_t *type);
+cfg_obj_istype(const cfg_obj_t *obj, const cfg_type_t *type);
 /*
  * Return true iff 'obj' is of type 'type'. 
  */
@@ -389,7 +389,8 @@ void cfg_obj_destroy(cfg_parser_t *pctx, cfg_obj_t **obj);
  */
 
 void
-cfg_obj_log(cfg_obj_t *obj, isc_log_t *lctx, int level, const char *fmt, ...)
+cfg_obj_log(const cfg_obj_t *obj, isc_log_t *lctx, int level,
+            const char *fmt, ...)
 	ISC_FORMAT_PRINTF(4, 5);
 /*
  * Log a message concerning configuration object 'obj' to the logging
@@ -398,13 +399,13 @@ cfg_obj_log(cfg_obj_t *obj, isc_log_t *lctx, int level, const char *fmt, ...)
  */
 
 const char *
-cfg_obj_file(cfg_obj_t *obj);
+cfg_obj_file(const cfg_obj_t *obj);
 /*
  * Return the file that defined this object.
  */
 
 unsigned int
-cfg_obj_line(cfg_obj_t *obj);
+cfg_obj_line(const cfg_obj_t *obj);
 /*
  * Return the line in file where this object was defined.
  */
diff --git a/contrib/bind-9.3/lib/isccfg/include/isccfg/grammar.h b/contrib/bind-9.3/lib/isccfg/include/isccfg/grammar.h
index 92b142b7ac..4aaeb4ff47 100644
--- a/contrib/bind-9.3/lib/isccfg/include/isccfg/grammar.h
+++ b/contrib/bind-9.3/lib/isccfg/include/isccfg/grammar.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: grammar.h,v 1.3.50.4 2004/11/30 01:15:44 marka Exp $ */
+/* $Id: grammar.h,v 1.3.50.6 2006/03/02 00:37:20 marka Exp $ */
 
 #ifndef ISCCFG_GRAMMAR_H
 #define ISCCFG_GRAMMAR_H 1
@@ -63,7 +63,7 @@ typedef struct cfg_rep cfg_rep_t;
 
 typedef isc_result_t (*cfg_parsefunc_t)(cfg_parser_t *, const cfg_type_t *type,
 					cfg_obj_t **);
-typedef void	     (*cfg_printfunc_t)(cfg_printer_t *, cfg_obj_t *);
+typedef void	     (*cfg_printfunc_t)(cfg_printer_t *, const cfg_obj_t *);
 typedef void	     (*cfg_docfunc_t)(cfg_printer_t *, const cfg_type_t *);
 typedef void	     (*cfg_freefunc_t)(cfg_parser_t *, cfg_obj_t *);
 
@@ -156,7 +156,7 @@ struct cfg_obj {
 		isc_sockaddr_t	sockaddr;
 		cfg_netprefix_t netprefix;
 	}               value;
-	char *		file;
+	const char *	file;
 	unsigned int    line;
 };
 
@@ -274,16 +274,16 @@ isc_result_t
 cfg_parse_uint32(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 void
-cfg_print_uint32(cfg_printer_t *pctx, cfg_obj_t *obj);
+cfg_print_uint32(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 void
-cfg_print_uint64(cfg_printer_t *pctx, cfg_obj_t *obj);
+cfg_print_uint64(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 isc_result_t
 cfg_parse_qstring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 void
-cfg_print_ustring(cfg_printer_t *pctx, cfg_obj_t *obj);
+cfg_print_ustring(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 isc_result_t
 cfg_parse_astring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
@@ -292,7 +292,7 @@ isc_result_t
 cfg_parse_rawaddr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na);
 
 void
-cfg_print_rawaddr(cfg_printer_t *pctx, isc_netaddr_t *na);
+cfg_print_rawaddr(cfg_printer_t *pctx, const isc_netaddr_t *na);
 
 isc_boolean_t
 cfg_lookingat_netaddr(cfg_parser_t *pctx, unsigned int flags);
@@ -304,7 +304,7 @@ isc_result_t
 cfg_parse_sockaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 void
-cfg_print_sockaddr(cfg_printer_t *pctx, cfg_obj_t *obj);
+cfg_print_sockaddr(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 void
 cfg_doc_sockaddr(cfg_printer_t *pctx, const cfg_type_t *type);
@@ -323,7 +323,7 @@ isc_result_t
 cfg_parse_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 void
-cfg_print_tuple(cfg_printer_t *pctx, cfg_obj_t *obj);
+cfg_print_tuple(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 void
 cfg_doc_tuple(cfg_printer_t *pctx, const cfg_type_t *type);
@@ -339,7 +339,7 @@ isc_result_t
 cfg_parse_bracketed_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 void
-cfg_print_bracketed_list(cfg_printer_t *pctx, cfg_obj_t *obj);
+cfg_print_bracketed_list(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 void
 cfg_doc_bracketed_list(cfg_printer_t *pctx, const cfg_type_t *type);
@@ -348,7 +348,7 @@ isc_result_t
 cfg_parse_spacelist(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 void
-cfg_print_spacelist(cfg_printer_t *pctx, cfg_obj_t *obj);
+cfg_print_spacelist(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 isc_result_t
 cfg_parse_enum(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
@@ -374,7 +374,7 @@ isc_result_t
 cfg_parse_addressed_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 void
-cfg_print_map(cfg_printer_t *pctx, cfg_obj_t *obj);
+cfg_print_map(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 void
 cfg_doc_map(cfg_printer_t *pctx, const cfg_type_t *type);
@@ -383,7 +383,7 @@ isc_result_t
 cfg_parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 void
-cfg_print_mapbody(cfg_printer_t *pctx, cfg_obj_t *obj);
+cfg_print_mapbody(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 void
 cfg_doc_mapbody(cfg_printer_t *pctx, const cfg_type_t *type);
@@ -392,7 +392,7 @@ isc_result_t
 cfg_parse_void(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 void
-cfg_print_void(cfg_printer_t *pctx, cfg_obj_t *obj);
+cfg_print_void(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 void
 cfg_doc_void(cfg_printer_t *pctx, const cfg_type_t *type);
@@ -401,7 +401,7 @@ isc_result_t
 cfg_parse_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 void
-cfg_print_obj(cfg_printer_t *pctx, cfg_obj_t *obj);
+cfg_print_obj(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 void
 cfg_doc_obj(cfg_printer_t *pctx, const cfg_type_t *type);
diff --git a/contrib/bind-9.3/lib/isccfg/namedconf.c b/contrib/bind-9.3/lib/isccfg/namedconf.c
index bfc5dda425..d54bbe23c4 100644
--- a/contrib/bind-9.3/lib/isccfg/namedconf.c
+++ b/contrib/bind-9.3/lib/isccfg/namedconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.21.44.32 2005/10/26 05:06:40 marka Exp $ */
+/* $Id: namedconf.c,v 1.21.44.34 2006/03/02 00:37:20 marka Exp $ */
 
 #include <config.h>
 
@@ -58,7 +58,7 @@ static isc_result_t
 parse_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 static void
-print_keyvalue(cfg_printer_t *pctx, cfg_obj_t *obj);
+print_keyvalue(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 static void
 doc_keyvalue(cfg_printer_t *pctx, const cfg_type_t *type);
@@ -428,7 +428,7 @@ static cfg_type_t cfg_type_transferformat = {
  */
 
 static void
-print_none(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_none(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	UNUSED(obj);
 	cfg_print_chars(pctx, "none", 4);
 }
@@ -469,7 +469,7 @@ static cfg_type_t cfg_type_qstringornone = {
  */
 
 static void
-print_hostname(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_hostname(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	UNUSED(obj);
 	cfg_print_chars(pctx, "hostname", 4);
 }
@@ -1127,7 +1127,7 @@ parse_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **
 }
 
 static void
-print_keyvalue(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_keyvalue(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	const keyword_type_t *kw = obj->type->of;
 	cfg_print_cstr(pctx, kw->name);
 	cfg_print_chars(pctx, " ", 1);
@@ -1332,7 +1332,7 @@ parse_querysource6(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 }
 
 static void
-print_querysource(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_querysource(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	isc_netaddr_t na;
 	isc_netaddr_fromsockaddr(&na, &obj->value.sockaddr);
 	cfg_print_chars(pctx, "address ", 8);
@@ -1408,7 +1408,7 @@ static cfg_tuplefielddef_t negated_fields[] = {
 };
 
 static void
-print_negated(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_negated(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	cfg_print_chars(pctx, "!", 1);
 	cfg_print_tuple(pctx, obj);
 }
@@ -1625,7 +1625,7 @@ parse_logfile(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 }
 
 static void
-print_logfile(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_logfile(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	cfg_print_obj(pctx, obj->value.tuple[0]); /* file */
 	if (obj->value.tuple[1]->type->print != cfg_print_void) {
 		cfg_print_chars(pctx, " versions ", 10);
diff --git a/contrib/bind-9.3/lib/isccfg/parser.c b/contrib/bind-9.3/lib/isccfg/parser.c
index f72c3c2b92..42ce9f0c03 100644
--- a/contrib/bind-9.3/lib/isccfg/parser.c
+++ b/contrib/bind-9.3/lib/isccfg/parser.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: parser.c,v 1.70.2.20.2.18 2004/05/15 03:46:13 jinmei Exp $ */
+/* $Id: parser.c,v 1.70.2.20.2.21 2006/02/28 06:32:54 marka Exp $ */
 
 #include <config.h>
 
@@ -68,7 +68,7 @@ static isc_result_t
 parse_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 static void
-print_list(cfg_printer_t *pctx, cfg_obj_t *obj);
+print_list(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 static void
 free_list(cfg_parser_t *pctx, cfg_obj_t *obj);
@@ -134,7 +134,7 @@ static cfg_type_t cfg_type_implicitlist = {
 /* Functions. */
 
 void
-cfg_print_obj(cfg_printer_t *pctx, cfg_obj_t *obj) {
+cfg_print_obj(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	obj->type->print(pctx, obj);
 }
 
@@ -177,7 +177,7 @@ cfg_parse_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 }
 
 void
-cfg_print(cfg_obj_t *obj,
+cfg_print(const cfg_obj_t *obj,
 	  void (*f)(void *closure, const char *text, int textlen),
 	  void *closure)
 {
@@ -243,14 +243,14 @@ cfg_parse_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 }
 
 void
-cfg_print_tuple(cfg_printer_t *pctx, cfg_obj_t *obj) {
+cfg_print_tuple(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	unsigned int i;
 	const cfg_tuplefielddef_t *fields = obj->type->of;
 	const cfg_tuplefielddef_t *f;
 	isc_boolean_t need_space = ISC_FALSE;
 
 	for (f = fields, i = 0; f->name != NULL; f++, i++) {
-		cfg_obj_t *fieldobj = obj->value.tuple[i];
+		const cfg_obj_t *fieldobj = obj->value.tuple[i];
 		if (need_space)
 			cfg_print_chars(pctx, " ", 1);
 		cfg_print_obj(pctx, fieldobj);
@@ -291,13 +291,13 @@ free_tuple(cfg_parser_t *pctx, cfg_obj_t *obj) {
 }
 
 isc_boolean_t
-cfg_obj_istuple(cfg_obj_t *obj) {
+cfg_obj_istuple(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_tuple));
 }
 
-cfg_obj_t *
-cfg_tuple_get(cfg_obj_t *tupleobj, const char* name) {
+const cfg_obj_t *
+cfg_tuple_get(const cfg_obj_t *tupleobj, const char* name) {
 	unsigned int i;
 	const cfg_tuplefielddef_t *fields;
 	const cfg_tuplefielddef_t *f;
@@ -548,7 +548,7 @@ cfg_parse_void(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 }
 
 void
-cfg_print_void(cfg_printer_t *pctx, cfg_obj_t *obj) {
+cfg_print_void(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	UNUSED(pctx);
 	UNUSED(obj);
 }
@@ -560,7 +560,7 @@ cfg_doc_void(cfg_printer_t *pctx, const cfg_type_t *type) {
 }
 
 isc_boolean_t
-cfg_obj_isvoid(cfg_obj_t *obj) {
+cfg_obj_isvoid(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_void));
 }
@@ -606,18 +606,18 @@ cfg_print_rawuint(cfg_printer_t *pctx, unsigned int u) {
 }
 
 void
-cfg_print_uint32(cfg_printer_t *pctx, cfg_obj_t *obj) {
+cfg_print_uint32(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	cfg_print_rawuint(pctx, obj->value.uint32);
 }
 
 isc_boolean_t
-cfg_obj_isuint32(cfg_obj_t *obj) {
+cfg_obj_isuint32(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_uint32));
 }
 
 isc_uint32_t
-cfg_obj_asuint32(cfg_obj_t *obj) {
+cfg_obj_asuint32(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_uint32);
 	return (obj->value.uint32);
 }
@@ -632,19 +632,19 @@ cfg_type_t cfg_type_uint32 = {
  * uint64
  */
 isc_boolean_t
-cfg_obj_isuint64(cfg_obj_t *obj) {
+cfg_obj_isuint64(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_uint64));
 }
 
 isc_uint64_t
-cfg_obj_asuint64(cfg_obj_t *obj) {
+cfg_obj_asuint64(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_uint64);
 	return (obj->value.uint64);
 }
 
 void
-cfg_print_uint64(cfg_printer_t *pctx, cfg_obj_t *obj) {
+cfg_print_uint64(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	char buf[32];
 	snprintf(buf, sizeof(buf), "%" ISC_PRINT_QUADFORMAT "u",
 		 obj->value.uint64);
@@ -723,7 +723,9 @@ parse_ustring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 }
 
 isc_result_t
-cfg_parse_astring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+cfg_parse_astring(cfg_parser_t *pctx, const cfg_type_t *type,
+		  cfg_obj_t **ret)
+{
         isc_result_t result;
 	UNUSED(type);
 
@@ -781,12 +783,12 @@ cfg_doc_enum(cfg_printer_t *pctx, const cfg_type_t *type) {
 }
 
 void
-cfg_print_ustring(cfg_printer_t *pctx, cfg_obj_t *obj) {
+cfg_print_ustring(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	cfg_print_chars(pctx, obj->value.string.base, obj->value.string.length);
 }
 
 static void
-print_qstring(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_qstring(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	cfg_print_chars(pctx, "\"", 1);
 	cfg_print_ustring(pctx, obj);
 	cfg_print_chars(pctx, "\"", 1);
@@ -799,13 +801,13 @@ free_string(cfg_parser_t *pctx, cfg_obj_t *obj) {
 }
 
 isc_boolean_t
-cfg_obj_isstring(cfg_obj_t *obj) {
+cfg_obj_isstring(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_string));
 }
 
-char *
-cfg_obj_asstring(cfg_obj_t *obj) {
+const char *
+cfg_obj_asstring(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_string);
 	return (obj->value.string.base);
 }
@@ -833,13 +835,13 @@ cfg_type_t cfg_type_astring = {
  */
 
 isc_boolean_t
-cfg_obj_isboolean(cfg_obj_t *obj) {
+cfg_obj_isboolean(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_boolean));
 }
 
 isc_boolean_t
-cfg_obj_asboolean(cfg_obj_t *obj) {
+cfg_obj_asboolean(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_boolean);
 	return (obj->value.boolean);
 }
@@ -885,7 +887,7 @@ parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 }
 
 static void
-print_boolean(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_boolean(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	if (obj->value.boolean)
 		cfg_print_chars(pctx, "yes", 3);
 	else
@@ -999,9 +1001,9 @@ parse_list(cfg_parser_t *pctx, const cfg_type_t *listtype, cfg_obj_t **ret)
 }
 
 static void
-print_list(cfg_printer_t *pctx, cfg_obj_t *obj) {
-	cfg_list_t *list = &obj->value.list;
-	cfg_listelt_t *elt;
+print_list(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	const cfg_list_t *list = &obj->value.list;
+	const cfg_listelt_t *elt;
 
 	for (elt = ISC_LIST_HEAD(*list);
 	     elt != NULL;
@@ -1025,7 +1027,7 @@ cfg_parse_bracketed_list(cfg_parser_t *pctx, const cfg_type_t *type,
 }
 
 void
-cfg_print_bracketed_list(cfg_printer_t *pctx, cfg_obj_t *obj) {
+cfg_print_bracketed_list(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	print_open(pctx);
 	print_list(pctx, obj);
 	print_close(pctx);
@@ -1072,9 +1074,9 @@ cfg_parse_spacelist(cfg_parser_t *pctx, const cfg_type_t *listtype,
 }
 
 void
-cfg_print_spacelist(cfg_printer_t *pctx, cfg_obj_t *obj) {
-	cfg_list_t *list = &obj->value.list;
-	cfg_listelt_t *elt;
+cfg_print_spacelist(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	const cfg_list_t *list = &obj->value.list;
+	const cfg_listelt_t *elt;
 
 	for (elt = ISC_LIST_HEAD(*list);
 	     elt != NULL;
@@ -1087,27 +1089,27 @@ cfg_print_spacelist(cfg_printer_t *pctx, cfg_obj_t *obj) {
 
 
 isc_boolean_t
-cfg_obj_islist(cfg_obj_t *obj) {
+cfg_obj_islist(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_list));
 }
 
-cfg_listelt_t *
-cfg_list_first(cfg_obj_t *obj) {
+const cfg_listelt_t *
+cfg_list_first(const cfg_obj_t *obj) {
 	REQUIRE(obj == NULL || obj->type->rep == &cfg_rep_list);
 	if (obj == NULL)
 		return (NULL);
 	return (ISC_LIST_HEAD(obj->value.list));
 }
 
-cfg_listelt_t *
-cfg_list_next(cfg_listelt_t *elt) {
+const cfg_listelt_t *
+cfg_list_next(const cfg_listelt_t *elt) {
 	REQUIRE(elt != NULL);
 	return (ISC_LIST_NEXT(elt, link));
 }
 
-cfg_obj_t *
-cfg_listelt_value(cfg_listelt_t *elt) {
+const cfg_obj_t *
+cfg_listelt_value(const cfg_listelt_t *elt) {
 	REQUIRE(elt != NULL);
 	return (elt->obj);
 }
@@ -1366,7 +1368,7 @@ cfg_parse_addressed_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **
 }
 
 void
-cfg_print_mapbody(cfg_printer_t *pctx, cfg_obj_t *obj) {
+cfg_print_mapbody(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	isc_result_t result = ISC_R_SUCCESS;
 
 	const cfg_clausedef_t * const *clauseset;
@@ -1446,7 +1448,7 @@ static struct flagtext {
 };
 
 void
-cfg_print_map(cfg_printer_t *pctx, cfg_obj_t *obj) {
+cfg_print_map(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	if (obj->value.map.id != NULL) {
 		cfg_print_obj(pctx, obj->value.map.id);
 		cfg_print_chars(pctx, " ", 1);
@@ -1505,16 +1507,16 @@ cfg_doc_map(cfg_printer_t *pctx, const cfg_type_t *type) {
 }
 
 isc_boolean_t
-cfg_obj_ismap(cfg_obj_t *obj) {
+cfg_obj_ismap(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_map));
 }
 
 isc_result_t
-cfg_map_get(cfg_obj_t *mapobj, const char* name, cfg_obj_t **obj) {
+cfg_map_get(const cfg_obj_t *mapobj, const char* name, const cfg_obj_t **obj) {
 	isc_result_t result;
 	isc_symvalue_t val;
-	cfg_map_t *map;
+	const cfg_map_t *map;
 	
 	REQUIRE(mapobj != NULL && mapobj->type->rep == &cfg_rep_map);
 	REQUIRE(name != NULL);
@@ -1529,8 +1531,8 @@ cfg_map_get(cfg_obj_t *mapobj, const char* name, cfg_obj_t **obj) {
 	return (ISC_R_SUCCESS);
 }
 
-cfg_obj_t *
-cfg_map_getname(cfg_obj_t *mapobj) {
+const cfg_obj_t *
+cfg_map_getname(const cfg_obj_t *mapobj) {
 	REQUIRE(mapobj != NULL && mapobj->type->rep == &cfg_rep_map);
 	return (mapobj->value.map.id);
 }
@@ -1556,12 +1558,19 @@ parse_token(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	isc_lex_getlasttokentext(pctx->lexer, &pctx->token, &r);
 
 	obj->value.string.base = isc_mem_get(pctx->mctx, r.length + 1);
+	if (obj->value.string.base == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
 	obj->value.string.length = r.length;
 	memcpy(obj->value.string.base, r.base, r.length);
 	obj->value.string.base[r.length] = '\0';
 	*ret = obj;
+	return (result);
 
  cleanup:
+	if (obj != NULL)
+		isc_mem_put(pctx->mctx, obj, sizeof(*obj));
 	return (result);
 }
 
@@ -1753,7 +1762,7 @@ cfg_parse_rawport(cfg_parser_t *pctx, unsigned int flags, in_port_t *port) {
 }
 
 void
-cfg_print_rawaddr(cfg_printer_t *pctx, isc_netaddr_t *na) {
+cfg_print_rawaddr(cfg_printer_t *pctx, const isc_netaddr_t *na) {
 	isc_result_t result;
 	char text[128];
 	isc_buffer_t buf;
@@ -1843,21 +1852,22 @@ cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type,
 }
 
 static void
-print_netprefix(cfg_printer_t *pctx, cfg_obj_t *obj) {
-	cfg_netprefix_t *p = &obj->value.netprefix;
+print_netprefix(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	const cfg_netprefix_t *p = &obj->value.netprefix;
+
 	cfg_print_rawaddr(pctx, &p->address);
 	cfg_print_chars(pctx, "/", 1);
 	cfg_print_rawuint(pctx, p->prefixlen);
 }
 
 isc_boolean_t
-cfg_obj_isnetprefix(cfg_obj_t *obj) {
+cfg_obj_isnetprefix(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_netprefix));
 }
 
 void
-cfg_obj_asnetprefix(cfg_obj_t *obj, isc_netaddr_t *netaddr,
+cfg_obj_asnetprefix(const cfg_obj_t *obj, isc_netaddr_t *netaddr,
 		    unsigned int *prefixlen) {
 	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_netprefix);
 	*netaddr = obj->value.netprefix.address;
@@ -1908,7 +1918,7 @@ cfg_parse_sockaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 }
 
 void
-cfg_print_sockaddr(cfg_printer_t *pctx, cfg_obj_t *obj) {
+cfg_print_sockaddr(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	isc_netaddr_t netaddr;
 	in_port_t port;
 	char buf[ISC_NETADDR_FORMATSIZE];
@@ -1929,8 +1939,6 @@ cfg_doc_sockaddr(cfg_printer_t *pctx, const cfg_type_t *type) {
 	int n = 0;
 	cfg_print_chars(pctx, "( ", 2);
 	if (*flagp & CFG_ADDR_V4OK) {
-		if (n != 0)
-			cfg_print_chars(pctx, " | ", 3);
 		cfg_print_cstr(pctx, "<ipv4_address>");
 		n++;
 	}
@@ -1955,13 +1963,13 @@ cfg_doc_sockaddr(cfg_printer_t *pctx, const cfg_type_t *type) {
 }
 
 isc_boolean_t
-cfg_obj_issockaddr(cfg_obj_t *obj) {
+cfg_obj_issockaddr(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_sockaddr));
 }
 
-isc_sockaddr_t *
-cfg_obj_assockaddr(cfg_obj_t *obj) {
+const isc_sockaddr_t *
+cfg_obj_assockaddr(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_sockaddr);
 	return (&obj->value.sockaddr);
 }
@@ -2158,7 +2166,8 @@ parser_complain(cfg_parser_t *pctx, isc_boolean_t is_warning,
 }
 
 void
-cfg_obj_log(cfg_obj_t *obj, isc_log_t *lctx, int level, const char *fmt, ...) {
+cfg_obj_log(const cfg_obj_t *obj, isc_log_t *lctx, int level,
+	    const char *fmt, ...) {
 	va_list ap;
 	char msgbuf[2048];
 
@@ -2176,12 +2185,12 @@ cfg_obj_log(cfg_obj_t *obj, isc_log_t *lctx, int level, const char *fmt, ...) {
 }
 
 const char *
-cfg_obj_file(cfg_obj_t *obj) {
+cfg_obj_file(const cfg_obj_t *obj) {
 	return (obj->file);
 }
 
 unsigned int
-cfg_obj_line(cfg_obj_t *obj) {
+cfg_obj_line(const cfg_obj_t *obj) {
 	return (obj->line);
 }
 
@@ -2223,7 +2232,6 @@ create_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	CHECK(isc_symtab_create(pctx->mctx, 5, /* XXX */
 				map_symtabitem_destroy,
 				pctx, ISC_FALSE, &symtab));
-
 	obj->value.map.symtab = symtab;
 	obj->value.map.id = NULL;
 
@@ -2243,7 +2251,7 @@ free_map(cfg_parser_t *pctx, cfg_obj_t *obj) {
 }
 
 isc_boolean_t
-cfg_obj_istype(cfg_obj_t *obj, const cfg_type_t *type) {
+cfg_obj_istype(const cfg_obj_t *obj, const cfg_type_t *type) {
 	return (ISC_TF(obj->type == type));
 }
 
diff --git a/contrib/bind-9.3/lib/lwres/api b/contrib/bind-9.3/lib/lwres/api
index 0ab1e92dc2..63704dd62a 100644
--- a/contrib/bind-9.3/lib/lwres/api
+++ b/contrib/bind-9.3/lib/lwres/api
@@ -1,3 +1,3 @@
 LIBINTERFACE = 10
-LIBREVISION = 1
+LIBREVISION = 5
 LIBAGE = 1
diff --git a/contrib/bind-9.3/lib/lwres/gai_strerror.c b/contrib/bind-9.3/lib/lwres/gai_strerror.c
index ae819dda4b..06b7fbe1ef 100644
--- a/contrib/bind-9.3/lib/lwres/gai_strerror.c
+++ b/contrib/bind-9.3/lib/lwres/gai_strerror.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gai_strerror.c,v 1.14.2.1.10.1 2004/03/06 08:15:30 marka Exp $ */
+/* $Id: gai_strerror.c,v 1.14.2.1.10.3 2006/08/25 05:25:50 marka Exp $ */
+
+#include <config.h>
 
 #include <lwres/netdb.h>
 
diff --git a/contrib/bind-9.3/lib/lwres/getaddrinfo.c b/contrib/bind-9.3/lib/lwres/getaddrinfo.c
index c06327446b..9ad10dfd7e 100644
--- a/contrib/bind-9.3/lib/lwres/getaddrinfo.c
+++ b/contrib/bind-9.3/lib/lwres/getaddrinfo.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * This code is derived from software contributed to ISC by
@@ -18,7 +18,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getaddrinfo.c,v 1.41.206.3 2005/06/09 23:54:33 marka Exp $ */
+/* $Id: getaddrinfo.c,v 1.41.206.6 2006/11/13 11:57:41 marka Exp $ */
 
 #include <config.h>
 
@@ -325,8 +325,10 @@ lwres_getaddrinfo(const char *hostname, const char *servname,
 						      NULL, 0,
 						      NI_NUMERICHOST) == 0) {
 					ai->ai_canonname = strdup(nbuf);
-					if (ai->ai_canonname == NULL)
+					if (ai->ai_canonname == NULL) {
+						lwres_freeaddrinfo(ai_list);
 						return (EAI_MEMORY);
+					}
 				} else {
 					/* XXX raise error? */
 					ai->ai_canonname = NULL;
@@ -435,7 +437,7 @@ static char v4_loop[4] = { 127, 0, 0, 1 };
  * The test against 0 is there to keep the Solaris compiler
  * from complaining about "end-of-loop code not reached".
  */
-#define ERR(code) \
+#define SETERROR(code) \
 	do { result = (code);			\
 		if (result != 0) goto cleanup;	\
 	} while (0)
@@ -453,13 +455,13 @@ add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
 
 	lwres = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
 	if (lwres != LWRES_R_SUCCESS)
-		ERR(EAI_FAIL);
+		SETERROR(EAI_FAIL);
 	(void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
 	if (hostname == NULL && (flags & AI_PASSIVE) == 0) {
 		ai = ai_clone(*aip, AF_INET);
 		if (ai == NULL) {
 			lwres_freeaddrinfo(*aip);
-			ERR(EAI_MEMORY);
+			SETERROR(EAI_MEMORY);
 		}
 
 		*aip = ai;
@@ -473,14 +475,14 @@ add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
 			if (lwres == LWRES_R_NOTFOUND)
 				goto cleanup;
 			else
-				ERR(EAI_FAIL);
+				SETERROR(EAI_FAIL);
 		}
 		addr = LWRES_LIST_HEAD(by->addrs);
 		while (addr != NULL) {
 			ai = ai_clone(*aip, AF_INET);
 			if (ai == NULL) {
 				lwres_freeaddrinfo(*aip);
-				ERR(EAI_MEMORY);
+				SETERROR(EAI_MEMORY);
 			}
 			*aip = ai;
 			ai->ai_socktype = socktype;
@@ -490,7 +492,7 @@ add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
 			if (flags & AI_CANONNAME) {
 				ai->ai_canonname = strdup(by->realname);
 				if (ai->ai_canonname == NULL)
-					ERR(EAI_MEMORY);
+					SETERROR(EAI_MEMORY);
 			}
 			addr = LWRES_LIST_NEXT(addr, link);
 		}
@@ -520,14 +522,14 @@ add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
 
 	lwres = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
 	if (lwres != LWRES_R_SUCCESS)
-		ERR(EAI_FAIL);
+		SETERROR(EAI_FAIL);
 	(void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
 
 	if (hostname == NULL && (flags & AI_PASSIVE) == 0) {
 		ai = ai_clone(*aip, AF_INET6);
 		if (ai == NULL) {
 			lwres_freeaddrinfo(*aip);
-			ERR(EAI_MEMORY);
+			SETERROR(EAI_MEMORY);
 		}
 
 		*aip = ai;
@@ -541,14 +543,14 @@ add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
 			if (lwres == LWRES_R_NOTFOUND)
 				goto cleanup;
 			else
-				ERR(EAI_FAIL);
+				SETERROR(EAI_FAIL);
 		}
 		addr = LWRES_LIST_HEAD(by->addrs);
 		while (addr != NULL) {
 			ai = ai_clone(*aip, AF_INET6);
 			if (ai == NULL) {
 				lwres_freeaddrinfo(*aip);
-				ERR(EAI_MEMORY);
+				SETERROR(EAI_MEMORY);
 			}
 			*aip = ai;
 			ai->ai_socktype = socktype;
@@ -558,7 +560,7 @@ add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
 			if (flags & AI_CANONNAME) {
 				ai->ai_canonname = strdup(by->realname);
 				if (ai->ai_canonname == NULL)
-					ERR(EAI_MEMORY);
+					SETERROR(EAI_MEMORY);
 			}
 			addr = LWRES_LIST_NEXT(addr, link);
 		}
diff --git a/contrib/bind-9.3/lib/lwres/lwconfig.c b/contrib/bind-9.3/lib/lwres/lwconfig.c
index 7fc2c5d0ef..4b4886bf0e 100644
--- a/contrib/bind-9.3/lib/lwres/lwconfig.c
+++ b/contrib/bind-9.3/lib/lwres/lwconfig.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwconfig.c,v 1.33.2.1.2.8 2005/06/08 02:35:21 marka Exp $ */
+/* $Id: lwconfig.c,v 1.33.2.1.2.10 2006/10/03 23:50:50 marka Exp $ */
 
 /***
  *** Module for parsing resolv.conf files.
@@ -559,7 +559,7 @@ lwres_conf_parse(lwres_context_t *ctx, const char *filename) {
 
 	errno = 0;
 	if ((fp = fopen(filename, "r")) == NULL)
-		return (LWRES_R_FAILURE);
+		return (LWRES_R_NOTFOUND);
 
 	ret = LWRES_R_SUCCESS;
 	do {
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres.3 b/contrib/bind-9.3/lib/lwres/man/lwres.3
index 3411eac92b..886f1f1b1a 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres.3
+++ b/contrib/bind-9.3/lib/lwres/man/lwres.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres.3,v 1.15.206.5 2005/10/13 02:33:58 marka Exp $
+.\" $Id: lwres.3,v 1.15.206.6 2006/06/29 13:02:31 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -155,3 +158,5 @@ bit should be set.
 \fBlwres_config\fR(3),
 \fBresolver\fR(5),
 \fBlwresd\fR(8).
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres.html b/contrib/bind-9.3/lib/lwres/man/lwres.html
index 1d5e57bfd2..02af1f7d98 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres.html
+++ b/contrib/bind-9.3/lib/lwres/man/lwres.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres.html,v 1.4.2.1.4.9 2005/10/13 02:33:54 marka Exp $ -->
+<!-- $Id: lwres.html,v 1.4.2.1.4.12 2006/06/29 13:02:31 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres &#8212; introduction to the lightweight resolver library</p>
@@ -32,7 +32,7 @@
 <div class="funcsynopsis"><pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525832"></a><h2>DESCRIPTION</h2>
+<a name="id2549397"></a><h2>DESCRIPTION</h2>
 <p>
 The BIND 9 lightweight resolver library is a simple, name service
 independent stub resolver library.  It provides hostname-to-address
@@ -47,7 +47,7 @@ UDP-based protocol.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525845"></a><h2>OVERVIEW</h2>
+<a name="id2549410"></a><h2>OVERVIEW</h2>
 <p>
 The lwresd library implements multiple name service APIs.
 The standard
@@ -101,7 +101,7 @@ and servers is outlined in the following sections.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525909"></a><h2>CLIENT-SIDE LOW-LEVEL API CALL FLOW</h2>
+<a name="id2549474"></a><h2>CLIENT-SIDE LOW-LEVEL API CALL FLOW</h2>
 <p>
 When a client program wishes to make an lwres request using the
 native low-level API, it typically performs the following 
@@ -147,7 +147,7 @@ packet specific information contained in the body.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526056"></a><h2>SERVER-SIDE LOW-LEVEL API CALL FLOW</h2>
+<a name="id2549689"></a><h2>SERVER-SIDE LOW-LEVEL API CALL FLOW</h2>
 <p>
 When implementing the server side of the lightweight resolver
 protocol using the lwres library, a sequence of actions like the
@@ -188,7 +188,7 @@ set.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526141"></a><h2>SEE ALSO</h2>
+<a name="id2549774"></a><h2>SEE ALSO</h2>
 <p>
 <span class="citerefentry"><span class="refentrytitle">lwres_gethostent</span>(3)</span>,
 
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_buffer.3 b/contrib/bind-9.3/lib/lwres/man/lwres_buffer.3
index 93e888b0c3..62312379c1 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_buffer.3
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_buffer.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_buffer.3,v 1.12.2.1.8.5 2005/10/13 02:33:58 marka Exp $
+.\" $Id: lwres_buffer.3,v 1.12.2.1.8.6 2006/06/29 13:02:31 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_buffer
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_BUFFER" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,37 +36,37 @@ lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtr
 #include <lwres/lwbuffer.h>
 .fi
 .HP 23
-\fBvoid\ \fBlwres_buffer_init\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBvoid\ *base\fR\fB, \fR\fBunsigned\ int\ length\fR\fB);\fR
+.BI "void lwres_buffer_init(lwres_buffer_t\ *b, void\ *base, unsigned\ int\ length);"
 .HP 29
-\fBvoid\ \fBlwres_buffer_invalidate\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB);\fR
+.BI "void lwres_buffer_invalidate(lwres_buffer_t\ *b);"
 .HP 22
-\fBvoid\ \fBlwres_buffer_add\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBunsigned\ int\ n\fR\fB);\fR
+.BI "void lwres_buffer_add(lwres_buffer_t\ *b, unsigned\ int\ n);"
 .HP 27
-\fBvoid\ \fBlwres_buffer_subtract\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBunsigned\ int\ n\fR\fB);\fR
+.BI "void lwres_buffer_subtract(lwres_buffer_t\ *b, unsigned\ int\ n);"
 .HP 24
-\fBvoid\ \fBlwres_buffer_clear\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB);\fR
+.BI "void lwres_buffer_clear(lwres_buffer_t\ *b);"
 .HP 24
-\fBvoid\ \fBlwres_buffer_first\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB);\fR
+.BI "void lwres_buffer_first(lwres_buffer_t\ *b);"
 .HP 26
-\fBvoid\ \fBlwres_buffer_forward\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBunsigned\ int\ n\fR\fB);\fR
+.BI "void lwres_buffer_forward(lwres_buffer_t\ *b, unsigned\ int\ n);"
 .HP 23
-\fBvoid\ \fBlwres_buffer_back\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBunsigned\ int\ n\fR\fB);\fR
+.BI "void lwres_buffer_back(lwres_buffer_t\ *b, unsigned\ int\ n);"
 .HP 36
-\fBlwres_uint8_t\ \fBlwres_buffer_getuint8\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB);\fR
+.BI "lwres_uint8_t lwres_buffer_getuint8(lwres_buffer_t\ *b);"
 .HP 27
-\fBvoid\ \fBlwres_buffer_putuint8\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_uint8_t\ val\fR\fB);\fR
+.BI "void lwres_buffer_putuint8(lwres_buffer_t\ *b, lwres_uint8_t\ val);"
 .HP 38
-\fBlwres_uint16_t\ \fBlwres_buffer_getuint16\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB);\fR
+.BI "lwres_uint16_t lwres_buffer_getuint16(lwres_buffer_t\ *b);"
 .HP 28
-\fBvoid\ \fBlwres_buffer_putuint16\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_uint16_t\ val\fR\fB);\fR
+.BI "void lwres_buffer_putuint16(lwres_buffer_t\ *b, lwres_uint16_t\ val);"
 .HP 38
-\fBlwres_uint32_t\ \fBlwres_buffer_getuint32\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB);\fR
+.BI "lwres_uint32_t lwres_buffer_getuint32(lwres_buffer_t\ *b);"
 .HP 28
-\fBvoid\ \fBlwres_buffer_putuint32\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_uint32_t\ val\fR\fB);\fR
+.BI "void lwres_buffer_putuint32(lwres_buffer_t\ *b, lwres_uint32_t\ val);"
 .HP 25
-\fBvoid\ \fBlwres_buffer_putmem\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBconst\ unsigned\ char\ *base\fR\fB, \fR\fBunsigned\ int\ length\fR\fB);\fR
+.BI "void lwres_buffer_putmem(lwres_buffer_t\ *b, const\ unsigned\ char\ *base, unsigned\ int\ length);"
 .HP 25
-\fBvoid\ \fBlwres_buffer_getmem\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBunsigned\ char\ *base\fR\fB, \fR\fBunsigned\ int\ length\fR\fB);\fR
+.BI "void lwres_buffer_getmem(lwres_buffer_t\ *b, unsigned\ char\ *base, unsigned\ int\ length);"
 .SH "DESCRIPTION"
 .PP
 These functions provide bounds checked access to a region of memory where data is being read or written. They are based on, and similar to, the
@@ -89,6 +92,8 @@ The
 \fIactive region\fR
 is an (optional) subregion of the remaining region. It extends from the current offset to an offset in the remaining region. Initially, the active region is empty. If the current offset advances beyond the chosen offset, the active region will also be empty.
 .PP
+.sp
+.RS 3n
 .nf
    /\-\-\-\-\-\-\-\-\-\-\-\-entire length\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\\\\
    /\-\-\-\-\- used region \-\-\-\-\-\\\\/\-\- available \-\-\\\\
@@ -107,11 +112,13 @@ is an (optional) subregion of the remaining region. It extends from the current
   b\-d == remaining region.
   b\-c == optional active region.
 .fi
+.RE
 .sp
 .PP
 \fBlwres_buffer_init()\fR
 initializes the
-\fBlwres_buffer_t\fR\fI*b\fR
+\fBlwres_buffer_t\fR
+\fI*b\fR
 and assocates it with the memory region of size
 \fIlength\fR
 bytes starting at location
@@ -209,3 +216,5 @@ bytes of memory from
 \fIb\fR
 to
 \fIbase\fR.
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_buffer.html b/contrib/bind-9.3/lib/lwres/man/lwres_buffer.html
index 5a203f1a15..9443fbda1e 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_buffer.html
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_buffer.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_buffer.html,v 1.4.2.1.4.8 2005/10/13 02:33:55 marka Exp $ -->
+<!-- $Id: lwres_buffer.html,v 1.4.2.1.4.10 2006/06/29 13:02:31 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_buffer</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem &#8212; lightweight resolver buffer management</p>
@@ -49,18 +49,31 @@ void
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
 </table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
+<tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_invalidate</b>(</code></td>
 <td> </td>
 <td>
 <code>)</code>;</td>
-</tr></table>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
+<td>
+<code>)</code>;</td>
+</tr>
+</table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
@@ -72,6 +85,11 @@ void
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -87,26 +105,47 @@ void
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
 </table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
+<tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_clear</b>(</code></td>
 <td> </td>
 <td>
 <code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
+<td>
+<code>)</code>;</td>
+</tr>
+</table>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
+<tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_first</b>(</code></td>
 <td> </td>
 <td>
 <code>)</code>;</td>
-</tr></table>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
+<td>
+<code>)</code>;</td>
+</tr>
+</table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
@@ -118,6 +157,11 @@ void
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -133,18 +177,31 @@ void
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
 </table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
+<tr>
 <td><code class="funcdef">
 lwres_uint8_t
 <b class="fsfunc">lwres_buffer_getuint8</b>(</code></td>
 <td> </td>
 <td>
 <code>)</code>;</td>
-</tr></table>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
+<td>
+<code>)</code>;</td>
+</tr>
+</table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
@@ -156,18 +213,31 @@ void
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
 </table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
+<tr>
 <td><code class="funcdef">
 lwres_uint16_t
 <b class="fsfunc">lwres_buffer_getuint16</b>(</code></td>
 <td> </td>
 <td>
 <code>)</code>;</td>
-</tr></table>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
+<td>
+<code>)</code>;</td>
+</tr>
+</table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
@@ -179,18 +249,31 @@ void
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
 </table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
+<tr>
 <td><code class="funcdef">
 lwres_uint32_t
 <b class="fsfunc">lwres_buffer_getuint32</b>(</code></td>
 <td> </td>
 <td>
 <code>)</code>;</td>
-</tr></table>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
+<td>
+<code>)</code>;</td>
+</tr>
+</table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
@@ -202,6 +285,11 @@ void
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -222,6 +310,11 @@ void
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -242,6 +335,11 @@ void
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -249,7 +347,7 @@ void
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526109"></a><h2>DESCRIPTION</h2>
+<a name="id2549674"></a><h2>DESCRIPTION</h2>
 <p>
 These functions provide bounds checked access to a region of memory
 where data is being read or written.
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_config.3 b/contrib/bind-9.3/lib/lwres/man/lwres_config.3
index 9430283751..0a23923514 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_config.3
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_config.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_config.3,v 1.12.2.1.8.5 2005/10/13 02:33:58 marka Exp $
+.\" $Id: lwres_config.3,v 1.12.2.1.8.6 2006/06/29 13:02:31 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_config
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_CONFIG" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,15 +36,15 @@ lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_con
 #include <lwres/lwres.h>
 .fi
 .HP 21
-\fBvoid\ \fBlwres_conf_init\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB);\fR
+.BI "void lwres_conf_init(lwres_context_t\ *ctx);"
 .HP 22
-\fBvoid\ \fBlwres_conf_clear\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB);\fR
+.BI "void lwres_conf_clear(lwres_context_t\ *ctx);"
 .HP 32
-\fBlwres_result_t\ \fBlwres_conf_parse\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBconst\ char\ *filename\fR\fB);\fR
+.BI "lwres_result_t lwres_conf_parse(lwres_context_t\ *ctx, const\ char\ *filename);"
 .HP 32
-\fBlwres_result_t\ \fBlwres_conf_print\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBFILE\ *fp\fR\fB);\fR
+.BI "lwres_result_t lwres_conf_print(lwres_context_t\ *ctx, FILE\ *fp);"
 .HP 30
-\fBlwres_conf_t\ *\ \fBlwres_conf_get\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB);\fR
+.BI "lwres_conf_t * lwres_conf_get(lwres_context_t\ *ctx);"
 .SH "DESCRIPTION"
 .PP
 \fBlwres_conf_init()\fR
@@ -70,7 +73,8 @@ prints the
 structure for resolver context
 \fIctx\fR
 to the
-\fBFILE\fR\fIfp\fR.
+\fBFILE\fR
+\fIfp\fR.
 .SH "RETURN VALUES"
 .PP
 \fBlwres_conf_parse()\fR
@@ -95,3 +99,5 @@ unless an error occurred when converting the network addresses to a numeric host
 .SH "FILES"
 .PP
 \fI/etc/resolv.conf\fR
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_config.html b/contrib/bind-9.3/lib/lwres/man/lwres_config.html
index 7ea416b62b..339a487843 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_config.html
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_config.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_config.html,v 1.4.2.1.4.9 2005/10/13 02:33:55 marka Exp $ -->
+<!-- $Id: lwres_config.html,v 1.4.2.1.4.11 2006/06/29 13:02:31 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_config</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get &#8212; lightweight resolver configuration</p>
@@ -31,22 +31,38 @@
 <h2>Synopsis</h2>
 <div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
+<tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_conf_init</b>(</code></td>
 <td> </td>
 <td>
 <code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
+<td>
+<code>)</code>;</td>
+</tr>
+</table>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
+<tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_conf_clear</b>(</code></td>
 <td> </td>
 <td>
 <code>)</code>;</td>
-</tr></table>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
+<td>
+<code>)</code>;</td>
+</tr>
+</table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
@@ -58,6 +74,11 @@ lwres_result_t
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -73,22 +94,35 @@ lwres_result_t
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
 </table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
+<tr>
 <td><code class="funcdef">
 lwres_conf_t *
 <b class="fsfunc">lwres_conf_get</b>(</code></td>
 <td> </td>
 <td>
 <code>)</code>;</td>
-</tr></table>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
+<td>
+<code>)</code>;</td>
+</tr>
+</table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525910"></a><h2>DESCRIPTION</h2>
+<a name="id2549475"></a><h2>DESCRIPTION</h2>
 <p>
 <code class="function">lwres_conf_init()</code>
 creates an empty
@@ -125,7 +159,7 @@ to the
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525981"></a><h2>RETURN VALUES</h2>
+<a name="id2549546"></a><h2>RETURN VALUES</h2>
 <p>
 <code class="function">lwres_conf_parse()</code>
 returns
@@ -150,14 +184,14 @@ If this happens, the function returns
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526021"></a><h2>SEE ALSO</h2>
+<a name="id2549586"></a><h2>SEE ALSO</h2>
 <p>
 <span class="citerefentry"><span class="refentrytitle">stdio</span>(3)</span>,
 <span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526048"></a><h2>FILES</h2>
+<a name="id2549612"></a><h2>FILES</h2>
 <p>
 <code class="filename">/etc/resolv.conf</code>
 </p>
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_context.3 b/contrib/bind-9.3/lib/lwres/man/lwres_context.3
index be8cd38708..ba68e408cc 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_context.3
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_context.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_context.3,v 1.13.2.2.2.6 2005/10/13 02:33:52 marka Exp $
+.\" $Id: lwres_context.3,v 1.13.2.2.2.7 2006/06/29 13:02:31 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_context
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_CONTEXT" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,19 +36,19 @@ lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_con
 #include <lwres/lwres.h>
 .fi
 .HP 36
-\fBlwres_result_t\ \fBlwres_context_create\fR\fR\fB(\fR\fBlwres_context_t\ **contextp\fR\fB, \fR\fBvoid\ *arg\fR\fB, \fR\fBlwres_malloc_t\ malloc_function\fR\fB, \fR\fBlwres_free_t\ free_function\fR\fB);\fR
+.BI "lwres_result_t lwres_context_create(lwres_context_t\ **contextp, void\ *arg, lwres_malloc_t\ malloc_function, lwres_free_t\ free_function);"
 .HP 37
-\fBlwres_result_t\ \fBlwres_context_destroy\fR\fR\fB(\fR\fBlwres_context_t\ **contextp\fR\fB);\fR
+.BI "lwres_result_t lwres_context_destroy(lwres_context_t\ **contextp);"
 .HP 30
-\fBvoid\ \fBlwres_context_initserial\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_uint32_t\ serial\fR\fB);\fR
+.BI "void lwres_context_initserial(lwres_context_t\ *ctx, lwres_uint32_t\ serial);"
 .HP 40
-\fBlwres_uint32_t\ \fBlwres_context_nextserial\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB);\fR
+.BI "lwres_uint32_t lwres_context_nextserial(lwres_context_t\ *ctx);"
 .HP 27
-\fBvoid\ \fBlwres_context_freemem\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBvoid\ *mem\fR\fB, \fR\fBsize_t\ len\fR\fB);\fR
+.BI "void lwres_context_freemem(lwres_context_t\ *ctx, void\ *mem, size_t\ len);"
 .HP 28
-\fBvoid\ \fBlwres_context_allocmem\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBsize_t\ len\fR\fB);\fR
+.BI "void lwres_context_allocmem(lwres_context_t\ *ctx, size_t\ len);"
 .HP 30
-\fBvoid\ *\ \fBlwres_context_sendrecv\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBvoid\ *sendbase\fR\fB, \fR\fBint\ sendlen\fR\fB, \fR\fBvoid\ *recvbase\fR\fB, \fR\fBint\ recvlen\fR\fB, \fR\fBint\ *recvd_len\fR\fB);\fR
+.BI "void * lwres_context_sendrecv(lwres_context_t\ *ctx, void\ *sendbase, int\ sendlen, void\ *recvbase, int\ recvlen, int\ *recvd_len);"
 .SH "DESCRIPTION"
 .PP
 \fBlwres_context_create()\fR
@@ -159,3 +162,5 @@ times out waiting for a response.
 \fBlwres_conf_init\fR(3),
 \fBmalloc\fR(3),
 \fBfree\fR(3 ).
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_context.html b/contrib/bind-9.3/lib/lwres/man/lwres_context.html
index 8988c5dc10..6f7fbecec2 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_context.html
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_context.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_context.html,v 1.5.2.2.2.10 2005/10/13 02:33:55 marka Exp $ -->
+<!-- $Id: lwres_context.html,v 1.5.2.2.2.12 2006/06/29 13:02:31 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_context</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv &#8212; lightweight resolver context management</p>
@@ -52,18 +52,31 @@ lwres_result_t
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
 </table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
+<tr>
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_context_destroy</b>(</code></td>
 <td> </td>
 <td>
 <code>)</code>;</td>
-</tr></table>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
+<td>
+<code>)</code>;</td>
+</tr>
+</table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
@@ -75,18 +88,31 @@ void
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
 </table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
+<tr>
 <td><code class="funcdef">
 lwres_uint32_t
 <b class="fsfunc">lwres_context_nextserial</b>(</code></td>
 <td> </td>
 <td>
 <code>)</code>;</td>
-</tr></table>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
+<td>
+<code>)</code>;</td>
+</tr>
+</table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
@@ -103,6 +129,11 @@ void
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -118,6 +149,11 @@ void
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -153,6 +189,11 @@ void *
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -160,7 +201,7 @@ void *
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525975"></a><h2>DESCRIPTION</h2>
+<a name="id2549540"></a><h2>DESCRIPTION</h2>
 <p>
 <code class="function">lwres_context_create()</code>
 creates a
@@ -290,7 +331,7 @@ returned in
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526156"></a><h2>RETURN VALUES</h2>
+<a name="id2549789"></a><h2>RETURN VALUES</h2>
 <p>
 <code class="function">lwres_context_create()</code>
 returns
@@ -321,7 +362,7 @@ times out waiting for a response.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526208"></a><h2>SEE ALSO</h2>
+<a name="id2549841"></a><h2>SEE ALSO</h2>
 <p>
 <span class="citerefentry"><span class="refentrytitle">lwres_conf_init</span>(3)</span>,
 
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_gabn.3 b/contrib/bind-9.3/lib/lwres/man/lwres_gabn.3
index 60a56fe46b..593ebc5cb3 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_gabn.3
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_gabn.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_gabn.3,v 1.13.2.1.8.5 2005/10/13 02:33:52 marka Exp $
+.\" $Id: lwres_gabn.3,v 1.13.2.1.8.6 2006/06/29 13:02:31 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_gabn
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_GABN" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,17 +36,17 @@ lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lw
 #include <lwres/lwres.h>
 .fi
 .HP 40
-\fBlwres_result_t\ \fBlwres_gabnrequest_render\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_gabnrequest_t\ *req\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB);\fR
+.BI "lwres_result_t lwres_gabnrequest_render(lwres_context_t\ *ctx, lwres_gabnrequest_t\ *req, lwres_lwpacket_t\ *pkt, lwres_buffer_t\ *b);"
 .HP 41
-\fBlwres_result_t\ \fBlwres_gabnresponse_render\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_gabnresponse_t\ *req\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB);\fR
+.BI "lwres_result_t lwres_gabnresponse_render(lwres_context_t\ *ctx, lwres_gabnresponse_t\ *req, lwres_lwpacket_t\ *pkt, lwres_buffer_t\ *b);"
 .HP 39
-\fBlwres_result_t\ \fBlwres_gabnrequest_parse\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_gabnrequest_t\ **structp\fR\fB);\fR
+.BI "lwres_result_t lwres_gabnrequest_parse(lwres_context_t\ *ctx, lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt, lwres_gabnrequest_t\ **structp);"
 .HP 40
-\fBlwres_result_t\ \fBlwres_gabnresponse_parse\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_gabnresponse_t\ **structp\fR\fB);\fR
+.BI "lwres_result_t lwres_gabnresponse_parse(lwres_context_t\ *ctx, lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt, lwres_gabnresponse_t\ **structp);"
 .HP 29
-\fBvoid\ \fBlwres_gabnresponse_free\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_gabnresponse_t\ **structp\fR\fB);\fR
+.BI "void lwres_gabnresponse_free(lwres_context_t\ *ctx, lwres_gabnresponse_t\ **structp);"
 .HP 28
-\fBvoid\ \fBlwres_gabnrequest_free\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_gabnrequest_t\ **structp\fR\fB);\fR
+.BI "void lwres_gabnrequest_free(lwres_context_t\ *ctx, lwres_gabnrequest_t\ **structp);"
 .SH "DESCRIPTION"
 .PP
 These are low\-level routines for creating and parsing lightweight resolver name\-to\-address lookup request and response messages.
@@ -57,6 +60,7 @@ There are four main functions for the getaddrbyname opcode. One render function
 These structures are defined in
 \fI<lwres/lwres.h>\fR. They are shown below.
 .sp
+.RS 3n
 .nf
 #define LWRES_OPCODE_GETADDRSBYNAME     0x00010001U
 typedef struct lwres_addr lwres_addr_t;
@@ -80,6 +84,7 @@ typedef struct {
         size_t                  baselen;
 } lwres_gabnresponse_t;
 .fi
+.RE
 .sp
 .PP
 \fBlwres_gabnrequest_render()\fR
@@ -133,7 +138,8 @@ structures referenced via
 .PP
 The getaddrbyname opcode functions
 \fBlwres_gabnrequest_render()\fR,
-\fBlwres_gabnresponse_render()\fR\fBlwres_gabnrequest_parse()\fR
+\fBlwres_gabnresponse_render()\fR
+\fBlwres_gabnrequest_parse()\fR
 and
 \fBlwres_gabnresponse_parse()\fR
 all return
@@ -164,3 +170,5 @@ indicate that the packet is not a response to an earlier query.
 .SH "SEE ALSO"
 .PP
 \fBlwres_packet\fR(3 )
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_gabn.html b/contrib/bind-9.3/lib/lwres/man/lwres_gabn.html
index 771394508a..fce25c5170 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_gabn.html
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_gabn.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_gabn.html,v 1.6.2.1.4.9 2005/10/13 02:33:55 marka Exp $ -->
+<!-- $Id: lwres_gabn.html,v 1.6.2.1.4.11 2006/06/29 13:02:31 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_gabn</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free &#8212; lightweight resolver getaddrbyname message handling</p>
@@ -52,6 +52,11 @@ lwres_result_t
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -77,6 +82,11 @@ lwres_result_t
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -102,6 +112,11 @@ lwres_result_t
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -127,6 +142,11 @@ lwres_result_t
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -142,6 +162,11 @@ void
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -157,6 +182,11 @@ void
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -164,7 +194,7 @@ void
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525963"></a><h2>DESCRIPTION</h2>
+<a name="id2549528"></a><h2>DESCRIPTION</h2>
 <p>
 These are low-level routines for creating and parsing
 lightweight resolver name-to-address lookup request and 
@@ -279,7 +309,7 @@ structures is also discarded.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526155"></a><h2>RETURN VALUES</h2>
+<a name="id2549720"></a><h2>RETURN VALUES</h2>
 <p>
 The getaddrbyname opcode functions
 <code class="function">lwres_gabnrequest_render()</code>, 
@@ -317,7 +347,7 @@ indicate that the packet is not a response to an earlier query.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526220"></a><h2>SEE ALSO</h2>
+<a name="id2549853"></a><h2>SEE ALSO</h2>
 <p>
 <span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3
 )</span>
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_gai_strerror.3 b/contrib/bind-9.3/lib/lwres/man/lwres_gai_strerror.3
index 388c59e0f1..e6efcd09a8 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_gai_strerror.3
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_gai_strerror.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_gai_strerror.3,v 1.13.2.1.8.5 2005/10/13 02:33:52 marka Exp $
+.\" $Id: lwres_gai_strerror.3,v 1.13.2.1.8.6 2006/06/29 13:02:31 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_gai_strerror
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_GAI_STRERROR" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,48 +36,48 @@ gai_strerror \- print suitable error string
 #include <lwres/netdb.h>
 .fi
 .HP 20
-\fBchar\ *\ \fBgai_strerror\fR\fR\fB(\fR\fBint\ ecode\fR\fB);\fR
+.BI "char * gai_strerror(int\ ecode);"
 .SH "DESCRIPTION"
 .PP
 \fBlwres_gai_strerror()\fR
 returns an error message corresponding to an error code returned by
 \fBgetaddrinfo()\fR. The following error codes and their meaning are defined in
 \fIinclude/lwres/netdb.h\fR.
-.TP
+.TP 3n
 \fBEAI_ADDRFAMILY\fR
 address family for hostname not supported
-.TP
+.TP 3n
 \fBEAI_AGAIN\fR
 temporary failure in name resolution
-.TP
+.TP 3n
 \fBEAI_BADFLAGS\fR
 invalid value for
 \fBai_flags\fR
-.TP
+.TP 3n
 \fBEAI_FAIL\fR
 non\-recoverable failure in name resolution
-.TP
+.TP 3n
 \fBEAI_FAMILY\fR
 \fBai_family\fR
 not supported
-.TP
+.TP 3n
 \fBEAI_MEMORY\fR
 memory allocation failure
-.TP
+.TP 3n
 \fBEAI_NODATA\fR
 no address associated with hostname
-.TP
+.TP 3n
 \fBEAI_NONAME\fR
 hostname or servname not provided, or not known
-.TP
+.TP 3n
 \fBEAI_SERVICE\fR
 servname not supported for
 \fBai_socktype\fR
-.TP
+.TP 3n
 \fBEAI_SOCKTYPE\fR
 \fBai_socktype\fR
 not supported
-.TP
+.TP 3n
 \fBEAI_SYSTEM\fR
 system error returned in errno
 The message
@@ -97,3 +100,5 @@ used by
 \fBlwres_getaddrinfo\fR(3),
 \fBgetaddrinfo\fR(3),
 \fBRFC2133\fR().
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_gai_strerror.html b/contrib/bind-9.3/lib/lwres/man/lwres_gai_strerror.html
index 5506564197..4b244e3c8c 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_gai_strerror.html
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_gai_strerror.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_gai_strerror.html,v 1.5.2.1.4.9 2005/10/13 02:33:55 marka Exp $ -->
+<!-- $Id: lwres_gai_strerror.html,v 1.5.2.1.4.12 2006/06/29 13:02:31 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_gai_strerror</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>gai_strerror &#8212; print suitable error string</p>
@@ -37,7 +37,7 @@ char *
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525843"></a><h2>DESCRIPTION</h2>
+<a name="id2549408"></a><h2>DESCRIPTION</h2>
 <p>
 <code class="function">lwres_gai_strerror()</code>
 returns an error message corresponding to an error code returned by
@@ -109,7 +109,7 @@ used by
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526040"></a><h2>SEE ALSO</h2>
+<a name="id2549605"></a><h2>SEE ALSO</h2>
 <p>
 <span class="citerefentry"><span class="refentrytitle">strerror</span>(3)</span>,
 
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_getaddrinfo.3 b/contrib/bind-9.3/lib/lwres/man/lwres_getaddrinfo.3
index df1390a95e..fe52cd52cf 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_getaddrinfo.3
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_getaddrinfo.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_getaddrinfo.3,v 1.16.2.1.8.6 2005/10/13 02:33:53 marka Exp $
+.\" $Id: lwres_getaddrinfo.3,v 1.16.2.1.8.7 2006/06/29 13:02:31 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_getaddrinfo
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_GETADDRINFO" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,13 +36,14 @@ lwres_getaddrinfo, lwres_freeaddrinfo \- socket address structure to host and se
 #include <lwres/netdb.h>
 .fi
 .HP 22
-\fBint\ \fBlwres_getaddrinfo\fR\fR\fB(\fR\fBconst\ char\ *hostname\fR\fB, \fR\fBconst\ char\ *servname\fR\fB, \fR\fBconst\ struct\ addrinfo\ *hints\fR\fB, \fR\fBstruct\ addrinfo\ **res\fR\fB);\fR
+.BI "int lwres_getaddrinfo(const\ char\ *hostname, const\ char\ *servname, const\ struct\ addrinfo\ *hints, struct\ addrinfo\ **res);"
 .HP 24
-\fBvoid\ \fBlwres_freeaddrinfo\fR\fR\fB(\fR\fBstruct\ addrinfo\ *ai\fR\fB);\fR
+.BI "void lwres_freeaddrinfo(struct\ addrinfo\ *ai);"
 .PP
 If the operating system does not provide a
 \fBstruct addrinfo\fR, the following structure is used:
 .sp
+.RS 3n
 .nf
 struct  addrinfo {
         int             ai_flags;       /* AI_PASSIVE, AI_CANONNAME */
@@ -52,6 +56,7 @@ struct  addrinfo {
         struct addrinfo *ai_next;       /* next structure in linked list */
 };
 .fi
+.RE
 .sp
 .SH "DESCRIPTION"
 .PP
@@ -77,13 +82,13 @@ is either a decimal port number or a service name as listed in
 is an optional pointer to a
 \fBstruct addrinfo\fR. This structure can be used to provide hints concerning the type of socket that the caller supports or wishes to use. The caller can supply the following structure elements in
 \fI*hints\fR:
-.TP
+.TP 3n
 \fBai_family\fR
 The protocol family that should be used. When
 \fBai_family\fR
 is set to
 \fBPF_UNSPEC\fR, it means the caller will accept any protocol family supported by the operating system.
-.TP
+.TP 3n
 \fBai_socktype\fR
 denotes the type of socket \(em
 \fBSOCK_STREAM\fR,
@@ -93,12 +98,12 @@ or
 \(em that is wanted. When
 \fBai_socktype\fR
 is zero the caller will accept any socket type.
-.TP
+.TP 3n
 \fBai_protocol\fR
 indicates which transport protocol is wanted: IPPROTO_UDP or IPPROTO_TCP. If
 \fBai_protocol\fR
 is zero the caller will accept any protocol.
-.TP
+.TP 3n
 \fBai_flags\fR
 Flag bits. If the
 \fBAI_CANONNAME\fR
@@ -209,7 +214,8 @@ if an error occurs. If both
 and
 \fIservname\fR
 are
-\fBNULL\fR\fBlwres_getaddrinfo()\fR
+\fBNULL\fR
+\fBlwres_getaddrinfo()\fR
 returns
 \fBEAI_NONAME\fR.
 .SH "SEE ALSO"
@@ -225,3 +231,5 @@ returns
 \fBsendto\fR(2),
 \fBsendmsg\fR(2),
 \fBsocket\fR(2).
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_getaddrinfo.html b/contrib/bind-9.3/lib/lwres/man/lwres_getaddrinfo.html
index bc84e74f5c..375c319c9c 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_getaddrinfo.html
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_getaddrinfo.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_getaddrinfo.html,v 1.8.2.1.4.10 2005/10/13 02:33:56 marka Exp $ -->
+<!-- $Id: lwres_getaddrinfo.html,v 1.8.2.1.4.12 2006/06/29 13:02:31 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_getaddrinfo</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_getaddrinfo, lwres_freeaddrinfo &#8212; socket address structure to host and service name</p>
@@ -52,18 +52,31 @@ int
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
 </table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
+<tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_freeaddrinfo</b>(</code></td>
 <td> </td>
 <td>
 <code>)</code>;</td>
-</tr></table>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
+<td>
+<code>)</code>;</td>
+</tr>
+</table>
 </div>
 <p>
 If the operating system does not provide a
@@ -87,7 +100,7 @@ struct  addrinfo {
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525883"></a><h2>DESCRIPTION</h2>
+<a name="id2549448"></a><h2>DESCRIPTION</h2>
 <p>
 <code class="function">lwres_getaddrinfo()</code>
 is used to get a list of IP addresses and port numbers for host
@@ -284,7 +297,7 @@ created by a call to
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526309"></a><h2>RETURN VALUES</h2>
+<a name="id2549874"></a><h2>RETURN VALUES</h2>
 <p>
 <code class="function">lwres_getaddrinfo()</code>
 returns zero on success or one of the error codes listed in
@@ -304,7 +317,7 @@ returns
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526347"></a><h2>SEE ALSO</h2>
+<a name="id2549912"></a><h2>SEE ALSO</h2>
 <p>
 <span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
 
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_gethostent.3 b/contrib/bind-9.3/lib/lwres/man/lwres_gethostent.3
index 99dc5338e5..6fe933d753 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_gethostent.3
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_gethostent.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_gethostent.3,v 1.16.2.1.8.5 2005/10/13 02:33:53 marka Exp $
+.\" $Id: lwres_gethostent.3,v 1.16.2.1.8.6 2006/06/29 13:02:31 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_gethostent
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_GETHOSTENT" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,27 +36,27 @@ lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent
 #include <lwres/netdb.h>
 .fi
 .HP 37
-\fBstruct\ hostent\ *\ \fBlwres_gethostbyname\fR\fR\fB(\fR\fBconst\ char\ *name\fR\fB);\fR
+.BI "struct hostent * lwres_gethostbyname(const\ char\ *name);"
 .HP 38
-\fBstruct\ hostent\ *\ \fBlwres_gethostbyname2\fR\fR\fB(\fR\fBconst\ char\ *name\fR\fB, \fR\fBint\ af\fR\fB);\fR
+.BI "struct hostent * lwres_gethostbyname2(const\ char\ *name, int\ af);"
 .HP 37
-\fBstruct\ hostent\ *\ \fBlwres_gethostbyaddr\fR\fR\fB(\fR\fBconst\ char\ *addr\fR\fB, \fR\fBint\ len\fR\fB, \fR\fBint\ type\fR\fB);\fR
+.BI "struct hostent * lwres_gethostbyaddr(const\ char\ *addr, int\ len, int\ type);"
 .HP 34
-\fBstruct\ hostent\ *\ \fBlwres_gethostent\fR\fR\fB(\fR\fBvoid\fR\fB);\fR
+.BI "struct hostent * lwres_gethostent(void);"
 .HP 22
-\fBvoid\ \fBlwres_sethostent\fR\fR\fB(\fR\fBint\ stayopen\fR\fB);\fR
+.BI "void lwres_sethostent(int\ stayopen);"
 .HP 22
-\fBvoid\ \fBlwres_endhostent\fR\fR\fB(\fR\fBvoid\fR\fB);\fR
+.BI "void lwres_endhostent(void);"
 .HP 39
-\fBstruct\ hostent\ *\ \fBlwres_gethostbyname_r\fR\fR\fB(\fR\fBconst\ char\ *name\fR\fB, \fR\fBstruct\ hostent\ *resbuf\fR\fB, \fR\fBchar\ *buf\fR\fB, \fR\fBint\ buflen\fR\fB, \fR\fBint\ *error\fR\fB);\fR
+.BI "struct hostent * lwres_gethostbyname_r(const\ char\ *name, struct\ hostent\ *resbuf, char\ *buf, int\ buflen, int\ *error);"
 .HP 39
-\fBstruct\ hostent\ *\ \fBlwres_gethostbyaddr_r\fR\fR\fB(\fR\fBconst\ char\ *addr\fR\fB, \fR\fBint\ len\fR\fB, \fR\fBint\ type\fR\fB, \fR\fBstruct\ hostent\ *resbuf\fR\fB, \fR\fBchar\ *buf\fR\fB, \fR\fBint\ buflen\fR\fB, \fR\fBint\ *error\fR\fB);\fR
+.BI "struct hostent * lwres_gethostbyaddr_r(const\ char\ *addr, int\ len, int\ type, struct\ hostent\ *resbuf, char\ *buf, int\ buflen, int\ *error);"
 .HP 36
-\fBstruct\ hostent\ *\ \fBlwres_gethostent_r\fR\fR\fB(\fR\fBstruct\ hostent\ *resbuf\fR\fB, \fR\fBchar\ *buf\fR\fB, \fR\fBint\ buflen\fR\fB, \fR\fBint\ *error\fR\fB);\fR
+.BI "struct hostent * lwres_gethostent_r(struct\ hostent\ *resbuf, char\ *buf, int\ buflen, int\ *error);"
 .HP 24
-\fBvoid\ \fBlwres_sethostent_r\fR\fR\fB(\fR\fBint\ stayopen\fR\fB);\fR
+.BI "void lwres_sethostent_r(int\ stayopen);"
 .HP 24
-\fBvoid\ \fBlwres_endhostent_r\fR\fR\fB(\fR\fBvoid\fR\fB);\fR
+.BI "void lwres_endhostent_r(void);"
 .SH "DESCRIPTION"
 .PP
 These functions provide hostname\-to\-address and address\-to\-hostname lookups by means of the lightweight resolver. They are similar to the standard
@@ -63,6 +66,7 @@ functions provided by most operating systems. They use a
 which is usually defined in
 \fI<namedb.h>\fR.
 .sp
+.RS 3n
 .nf
 struct  hostent {
         char    *h_name;        /* official name of host */
@@ -73,25 +77,26 @@ struct  hostent {
 };
 #define h_addr  h_addr_list[0]  /* address, for backward compatibility */
 .fi
+.RE
 .sp
 .PP
 The members of this structure are:
-.TP
+.TP 3n
 \fBh_name\fR
 The official (canonical) name of the host.
-.TP
+.TP 3n
 \fBh_aliases\fR
 A NULL\-terminated array of alternate names (nicknames) for the host.
-.TP
+.TP 3n
 \fBh_addrtype\fR
 The type of address being returned \(em
 \fBPF_INET\fR
 or
 \fBPF_INET6\fR.
-.TP
+.TP 3n
 \fBh_length\fR
 The length of the address in bytes.
-.TP
+.TP 3n
 \fBh_addr_list\fR
 A
 \fBNULL\fR
@@ -217,16 +222,16 @@ return NULL to indicate an error. In this case the global variable
 \fBlwres_h_errno\fR
 will contain one of the following error codes defined in
 \fI<lwres/netdb.h>\fR:
-.TP
+.TP 3n
 \fBHOST_NOT_FOUND\fR
 The host or address was not found.
-.TP
+.TP 3n
 \fBTRY_AGAIN\fR
 A recoverable error occurred, e.g., a timeout. Retrying the lookup may succeed.
-.TP
+.TP 3n
 \fBNO_RECOVERY\fR
 A non\-recoverable error occurred.
-.TP
+.TP 3n
 \fBNO_DATA\fR
 The name exists, but has no address information associated with it (or vice versa in the case of a reverse lookup). The code NO_ADDRESS is accepted as a synonym for NO_DATA for backwards compatibility.
 .PP
@@ -286,3 +291,5 @@ The resolver daemon does not currently support any non\-DNS name services such a
 \fI/etc/hosts\fR
 or
 \fBNIS\fR, consequently the above functions don't, either.
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_gethostent.html b/contrib/bind-9.3/lib/lwres/man/lwres_gethostent.html
index 263f993236..fefc67b886 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_gethostent.html
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_gethostent.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_gethostent.html,v 1.8.2.1.4.8 2005/10/13 02:33:56 marka Exp $ -->
+<!-- $Id: lwres_gethostent.html,v 1.8.2.1.4.10 2006/06/29 13:02:31 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_gethostent</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r &#8212; lightweight resolver get network host entry</p>
@@ -31,14 +31,22 @@
 <h2>Synopsis</h2>
 <div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
+<tr>
 <td><code class="funcdef">
 struct hostent *
 <b class="fsfunc">lwres_gethostbyname</b>(</code></td>
 <td> </td>
 <td>
 <code>)</code>;</td>
-</tr></table>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
+<td>
+<code>)</code>;</td>
+</tr>
+</table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
@@ -50,6 +58,11 @@ struct hostent *
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -70,6 +83,11 @@ struct hostent *
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -109,6 +127,11 @@ struct hostent *
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -149,6 +172,11 @@ struct hostent  *
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -174,6 +202,11 @@ struct hostent  *
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -187,7 +220,7 @@ void
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526041"></a><h2>DESCRIPTION</h2>
+<a name="id2549606"></a><h2>DESCRIPTION</h2>
 <p>
 These functions provide hostname-to-address and
 address-to-hostname lookups by means of the lightweight resolver.
@@ -324,7 +357,7 @@ calls to <code class="function">lwres_gethostbyaddr_r()</code> return
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526380"></a><h2>RETURN VALUES</h2>
+<a name="id2550013"></a><h2>RETURN VALUES</h2>
 <p>
 The functions
 <code class="function">lwres_gethostbyname()</code>,
@@ -391,7 +424,7 @@ hostent</span>.  If <em class="parameter"><code>buf</code></em> was too small, b
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526540"></a><h2>SEE ALSO</h2>
+<a name="id2550173"></a><h2>SEE ALSO</h2>
 <p>
 <span class="citerefentry"><span class="refentrytitle">gethostent</span>(3)</span>,
 
@@ -402,7 +435,7 @@ hostent</span>.  If <em class="parameter"><code>buf</code></em> was too small, b
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526644"></a><h2>BUGS</h2>
+<a name="id2550209"></a><h2>BUGS</h2>
 <p>
 <code class="function">lwres_gethostbyname()</code>,
 <code class="function">lwres_gethostbyname2()</code>,
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_getipnode.3 b/contrib/bind-9.3/lib/lwres/man/lwres_getipnode.3
index d83758c5ac..f7ab62b581 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_getipnode.3
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_getipnode.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_getipnode.3,v 1.13.2.2.4.6 2005/10/13 02:33:53 marka Exp $
+.\" $Id: lwres_getipnode.3,v 1.13.2.2.4.7 2006/06/29 13:02:31 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_getipnode
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_GETIPNODE" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,11 +36,11 @@ lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent \- lightweight r
 #include <lwres/netdb.h>
 .fi
 .HP 39
-\fBstruct\ hostent\ *\ \fBlwres_getipnodebyname\fR\fR\fB(\fR\fBconst\ char\ *name\fR\fB, \fR\fBint\ af\fR\fB, \fR\fBint\ flags\fR\fB, \fR\fBint\ *error_num\fR\fB);\fR
+.BI "struct hostent * lwres_getipnodebyname(const\ char\ *name, int\ af, int\ flags, int\ *error_num);"
 .HP 39
-\fBstruct\ hostent\ *\ \fBlwres_getipnodebyaddr\fR\fR\fB(\fR\fBconst\ void\ *src\fR\fB, \fR\fBsize_t\ len\fR\fB, \fR\fBint\ af\fR\fB, \fR\fBint\ *error_num\fR\fB);\fR
+.BI "struct hostent * lwres_getipnodebyaddr(const\ void\ *src, size_t\ len, int\ af, int\ *error_num);"
 .HP 23
-\fBvoid\ \fBlwres_freehostent\fR\fR\fB(\fR\fBstruct\ hostent\ *he\fR\fB);\fR
+.BI "void lwres_freehostent(struct\ hostent\ *he);"
 .SH "DESCRIPTION"
 .PP
 These functions perform thread safe, protocol independent nodename\-to\-address and address\-to\-nodename translation as defined in RFC2553.
@@ -47,6 +50,7 @@ They use a
 which is defined in
 \fInamedb.h\fR:
 .sp
+.RS 3n
 .nf
 struct  hostent {
         char    *h_name;        /* official name of host */
@@ -57,25 +61,26 @@ struct  hostent {
 };
 #define h_addr  h_addr_list[0]  /* address, for backward compatibility */
 .fi
+.RE
 .sp
 .PP
 The members of this structure are:
-.TP
+.TP 3n
 \fBh_name\fR
 The official (canonical) name of the host.
-.TP
+.TP 3n
 \fBh_aliases\fR
 A NULL\-terminated array of alternate names (nicknames) for the host.
-.TP
+.TP 3n
 \fBh_addrtype\fR
 The type of address being returned \- usually
 \fBPF_INET\fR
 or
 \fBPF_INET6\fR.
-.TP
+.TP 3n
 \fBh_length\fR
 The length of the address in bytes.
-.TP
+.TP 3n
 \fBh_addr_list\fR
 A
 \fBNULL\fR
@@ -88,20 +93,20 @@ for the hostname
 \fIname\fR. The
 \fIflags\fR
 parameter contains ORed flag bits to specify the types of addresses that are searched for, and the types of addresses that are returned. The flag bits are:
-.TP
+.TP 3n
 \fBAI_V4MAPPED\fR
 This is used with an
 \fIaf\fR
 of AF_INET6, and causes IPv4 addresses to be returned as IPv4\-mapped IPv6 addresses.
-.TP
+.TP 3n
 \fBAI_ALL\fR
 This is used with an
 \fIaf\fR
 of AF_INET6, and causes all known addresses (IPv6 and IPv4) to be returned. If AI_V4MAPPED is also set, the IPv4 addresses are return as mapped IPv6 addresses.
-.TP
+.TP 3n
 \fBAI_ADDRCONFIG\fR
 Only return an IPv6 or IPv4 address if here is an active network interface of that type. This is not currently implemented in the BIND 9 lightweight resolver, and the flag is ignored.
-.TP
+.TP 3n
 \fBAI_DEFAULT\fR
 This default sets the
 \fBAI_V4MAPPED\fR
@@ -145,16 +150,16 @@ to an appropriate error code and the function returns a
 \fBNULL\fR
 pointer. The error codes and their meanings are defined in
 \fI<lwres/netdb.h>\fR:
-.TP
+.TP 3n
 \fBHOST_NOT_FOUND\fR
 No such host is known.
-.TP
+.TP 3n
 \fBNO_ADDRESS\fR
 The server recognised the request and the name but no address is available. Another type of request to the name server for the domain might return an answer.
-.TP
+.TP 3n
 \fBTRY_AGAIN\fR
 A temporary and possibly transient error occurred, such as a failure of a server to respond. The request may succeed if retried.
-.TP
+.TP 3n
 \fBNO_RECOVERY\fR
 An unexpected failure occurred, and retrying the request is pointless.
 .PP
@@ -168,3 +173,5 @@ translates these error codes to suitable error messages.
 \fBlwres_getaddrinfo\fR(3),
 \fBlwres_getnameinfo\fR(3),
 \fBlwres_hstrerror\fR(3).
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_getipnode.html b/contrib/bind-9.3/lib/lwres/man/lwres_getipnode.html
index c5038b4f5a..779da90673 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_getipnode.html
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_getipnode.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_getipnode.html,v 1.7.2.1.4.9 2005/10/13 02:33:56 marka Exp $ -->
+<!-- $Id: lwres_getipnode.html,v 1.7.2.1.4.11 2006/06/29 13:02:31 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_getipnode</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent &#8212; lightweight resolver nodename / address translation API</p>
@@ -52,6 +52,11 @@ struct hostent *
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -77,22 +82,35 @@ struct hostent *
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
 </table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
+<tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_freehostent</b>(</code></td>
 <td> </td>
 <td>
 <code>)</code>;</td>
-</tr></table>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
+<td>
+<code>)</code>;</td>
+</tr>
+</table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525896"></a><h2>DESCRIPTION</h2>
+<a name="id2549461"></a><h2>DESCRIPTION</h2>
 <p>
 These functions perform thread safe, protocol independent
 nodename-to-address and address-to-nodename 
@@ -233,7 +251,7 @@ structure itself.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526131"></a><h2>RETURN VALUES</h2>
+<a name="id2549832"></a><h2>RETURN VALUES</h2>
 <p>
 If an error occurs,
 <code class="function">lwres_getipnodebyname()</code>
@@ -279,7 +297,7 @@ translates these error codes to suitable error messages.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526290"></a><h2>SEE ALSO</h2>
+<a name="id2549923"></a><h2>SEE ALSO</h2>
 <p>
 <span class="citerefentry"><span class="refentrytitle">RFC2553</span></span>,
 
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_getnameinfo.3 b/contrib/bind-9.3/lib/lwres/man/lwres_getnameinfo.3
index 853c2b9bb9..a9af04be54 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_getnameinfo.3
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_getnameinfo.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_getnameinfo.3,v 1.15.2.1.8.5 2005/10/13 02:33:53 marka Exp $
+.\" $Id: lwres_getnameinfo.3,v 1.15.2.1.8.6 2006/06/29 13:02:31 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_getnameinfo
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_GETNAMEINFO" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,7 +36,7 @@ lwres_getnameinfo \- lightweight resolver socket address structure to hostname a
 #include <lwres/netdb.h>
 .fi
 .HP 22
-\fBint\ \fBlwres_getnameinfo\fR\fR\fB(\fR\fBconst\ struct\ sockaddr\ *sa\fR\fB, \fR\fBsize_t\ salen\fR\fB, \fR\fBchar\ *host\fR\fB, \fR\fBsize_t\ hostlen\fR\fB, \fR\fBchar\ *serv\fR\fB, \fR\fBsize_t\ servlen\fR\fB, \fR\fBint\ flags\fR\fB);\fR
+.BI "int lwres_getnameinfo(const\ struct\ sockaddr\ *sa, size_t\ salen, char\ *host, size_t\ hostlen, char\ *serv, size_t\ servlen, int\ flags);"
 .SH "DESCRIPTION"
 .PP
 This function is equivalent to the
@@ -41,7 +44,8 @@ This function is equivalent to the
 function defined in RFC2133.
 \fBlwres_getnameinfo()\fR
 returns the hostname for the
-\fBstruct sockaddr\fR\fIsa\fR
+\fBstruct sockaddr\fR
+\fIsa\fR
 which is
 \fIsalen\fR
 bytes long. The hostname is of length
@@ -64,19 +68,19 @@ bytes long. The maximum length of the service name is
 The
 \fIflags\fR
 argument sets the following bits:
-.TP
+.TP 3n
 \fBNI_NOFQDN\fR
 A fully qualified domain name is not required for local hosts. The local part of the fully qualified domain name is returned instead.
-.TP
+.TP 3n
 \fBNI_NUMERICHOST\fR
 Return the address in numeric form, as if calling inet_ntop(), instead of a host name.
-.TP
+.TP 3n
 \fBNI_NAMEREQD\fR
 A name is required. If the hostname cannot be found in the DNS and this flag is set, a non\-zero error code is returned. If the hostname is not found and the flag is not set, the address is returned in numeric form.
-.TP
+.TP 3n
 \fBNI_NUMERICSERV\fR
 The service name is returned as a digit string representing the port number.
-.TP
+.TP 3n
 \fBNI_DGRAM\fR
 Specifies that the service being looked up is a datagram service, and causes getservbyport() to be called with a second argument of "udp" instead of its default of "tcp". This is required for the few ports (512\-514) that have different services for UDP and TCP.
 .SH "RETURN VALUES"
@@ -96,3 +100,5 @@ returns 0 on success or a non\-zero error code if an error occurs.
 RFC2133 fails to define what the nonzero return values of
 \fBgetnameinfo\fR(3)
 are.
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_getnameinfo.html b/contrib/bind-9.3/lib/lwres/man/lwres_getnameinfo.html
index 6e7a7b1665..3111730125 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_getnameinfo.html
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_getnameinfo.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_getnameinfo.html,v 1.5.2.1.4.9 2005/10/13 02:33:56 marka Exp $ -->
+<!-- $Id: lwres_getnameinfo.html,v 1.5.2.1.4.12 2006/06/29 13:02:31 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_getnameinfo</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_getnameinfo &#8212; lightweight resolver socket address structure to hostname and service name</p>
@@ -67,6 +67,11 @@ int
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -74,7 +79,7 @@ int
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525862"></a><h2>DESCRIPTION</h2>
+<a name="id2549427"></a><h2>DESCRIPTION</h2>
 <p> This function is equivalent to the <span class="citerefentry"><span class="refentrytitle">getnameinfo</span>(3)</span> function defined in RFC2133.
 <code class="function">lwres_getnameinfo()</code> returns the hostname for the
 <span class="type">struct sockaddr</span> <em class="parameter"><code>sa</code></em> which is
@@ -125,14 +130,14 @@ TCP.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525988"></a><h2>RETURN VALUES</h2>
+<a name="id2549553"></a><h2>RETURN VALUES</h2>
 <p>
 <code class="function">lwres_getnameinfo()</code>
 returns 0 on success or a non-zero error code if an error occurs.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526001"></a><h2>SEE ALSO</h2>
+<a name="id2549634"></a><h2>SEE ALSO</h2>
 <p>
 <span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>,
 <span class="citerefentry"><span class="refentrytitle">getservbyport</span>(3)</span>,
@@ -143,7 +148,7 @@ returns 0 on success or a non-zero error code if an error occurs.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526059"></a><h2>BUGS</h2>
+<a name="id2549692"></a><h2>BUGS</h2>
 <p>
 RFC2133 fails to define what the nonzero return values of
 <span class="citerefentry"><span class="refentrytitle">getnameinfo</span>(3)</span>
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_getrrsetbyname.3 b/contrib/bind-9.3/lib/lwres/man/lwres_getrrsetbyname.3
index 6d900f864f..1aeca283cd 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_getrrsetbyname.3
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_getrrsetbyname.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_getrrsetbyname.3,v 1.11.2.1.8.5 2005/10/13 02:33:53 marka Exp $
+.\" $Id: lwres_getrrsetbyname.3,v 1.11.2.1.8.6 2006/06/29 13:02:31 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_getrrsetbyname
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: Oct 18, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_GETRRSETBYNAME" "3" "Oct 18, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,12 +36,13 @@ lwres_getrrsetbyname, lwres_freerrset \- retrieve DNS records
 #include <lwres/netdb.h>
 .fi
 .HP 25
-\fBint\ \fBlwres_getrrsetbyname\fR\fR\fB(\fR\fBconst\ char\ *hostname\fR\fB, \fR\fBunsigned\ int\ rdclass\fR\fB, \fR\fBunsigned\ int\ rdtype\fR\fB, \fR\fBunsigned\ int\ flags\fR\fB, \fR\fBstruct\ rrsetinfo\ **res\fR\fB);\fR
+.BI "int lwres_getrrsetbyname(const\ char\ *hostname, unsigned\ int\ rdclass, unsigned\ int\ rdtype, unsigned\ int\ flags, struct\ rrsetinfo\ **res);"
 .HP 21
-\fBvoid\ \fBlwres_freerrset\fR\fR\fB(\fR\fBstruct\ rrsetinfo\ *rrset\fR\fB);\fR
+.BI "void lwres_freerrset(struct\ rrsetinfo\ *rrset);"
 .PP
 The following structures are used:
 .sp
+.RS 3n
 .nf
 struct  rdatainfo {
         unsigned int            rdi_length;     /* length of data */
@@ -56,6 +60,7 @@ struct  rrsetinfo {
         struct rdatainfo        *rri_sigs;      /* individual signatures */
 };
 .fi
+.RE
 .sp
 .SH "DESCRIPTION"
 .PP
@@ -115,22 +120,24 @@ created by a call to
 .PP
 \fBlwres_getrrsetbyname()\fR
 returns zero on success, and one of the following error codes if an error occurred:
-.TP
+.TP 3n
 \fBERRSET_NONAME\fR
 the name does not exist
-.TP
+.TP 3n
 \fBERRSET_NODATA\fR
 the name exists, but does not have data of the desired type
-.TP
+.TP 3n
 \fBERRSET_NOMEMORY\fR
 memory could not be allocated
-.TP
+.TP 3n
 \fBERRSET_INVAL\fR
 a parameter is invalid
-.TP
+.TP 3n
 \fBERRSET_FAIL\fR
 other failure
-.TP
+.TP 3n
 .SH "SEE ALSO"
 .PP
 \fBlwres\fR(3).
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_getrrsetbyname.html b/contrib/bind-9.3/lib/lwres/man/lwres_getrrsetbyname.html
index f36a1d21d9..6cbed6fafe 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_getrrsetbyname.html
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_getrrsetbyname.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_getrrsetbyname.html,v 1.5.2.1.4.9 2005/10/13 02:33:57 marka Exp $ -->
+<!-- $Id: lwres_getrrsetbyname.html,v 1.5.2.1.4.11 2006/06/29 13:02:31 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_getrrsetbyname</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_getrrsetbyname, lwres_freerrset &#8212; retrieve DNS records</p>
@@ -57,18 +57,31 @@ int
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
 </table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
+<tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_freerrset</b>(</code></td>
 <td> </td>
 <td>
 <code>)</code>;</td>
-</tr></table>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
+<td>
+<code>)</code>;</td>
+</tr>
+</table>
 </div>
 <p>
 The following structures are used:
@@ -95,7 +108,7 @@ struct  rrsetinfo {
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525878"></a><h2>DESCRIPTION</h2>
+<a name="id2549443"></a><h2>DESCRIPTION</h2>
 <p>
 <code class="function">lwres_getrrsetbyname()</code>
 gets a set of resource records associated with a
@@ -172,7 +185,7 @@ created by a call to
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526058"></a><h2>RETURN VALUES</h2>
+<a name="id2549623"></a><h2>RETURN VALUES</h2>
 <p>
 <code class="function">lwres_getrrsetbyname()</code>
 returns zero on success, and one of the following error
@@ -208,7 +221,7 @@ other failure
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526132"></a><h2>SEE ALSO</h2>
+<a name="id2549697"></a><h2>SEE ALSO</h2>
 <p>
 <span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>.
 </p>
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_gnba.3 b/contrib/bind-9.3/lib/lwres/man/lwres_gnba.3
index 58047ce6b5..dc546d2ab2 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_gnba.3
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_gnba.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_gnba.3,v 1.13.2.1.8.5 2005/10/13 02:33:53 marka Exp $
+.\" $Id: lwres_gnba.3,v 1.13.2.1.8.6 2006/06/29 13:02:31 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_gnba
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_GNBA" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,17 +36,17 @@ lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lw
 #include <lwres/lwres.h>
 .fi
 .HP 40
-\fBlwres_result_t\ \fBlwres_gnbarequest_render\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBlwres_gnbarequest_t\ *\fR\fB\fIreq\fR\fR\fB, \fR\fBlwres_lwpacket_t\ *\fR\fB\fIpkt\fR\fR\fB, \fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB);\fR
+.BI "lwres_result_t lwres_gnbarequest_render(lwres_context_t\ *" "ctx" ", lwres_gnbarequest_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");"
 .HP 41
-\fBlwres_result_t\ \fBlwres_gnbaresponse_render\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_gnbaresponse_t\ *req\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB);\fR
+.BI "lwres_result_t lwres_gnbaresponse_render(lwres_context_t\ *ctx, lwres_gnbaresponse_t\ *req, lwres_lwpacket_t\ *pkt, lwres_buffer_t\ *b);"
 .HP 39
-\fBlwres_result_t\ \fBlwres_gnbarequest_parse\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_gnbarequest_t\ **structp\fR\fB);\fR
+.BI "lwres_result_t lwres_gnbarequest_parse(lwres_context_t\ *ctx, lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt, lwres_gnbarequest_t\ **structp);"
 .HP 40
-\fBlwres_result_t\ \fBlwres_gnbaresponse_parse\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_gnbaresponse_t\ **structp\fR\fB);\fR
+.BI "lwres_result_t lwres_gnbaresponse_parse(lwres_context_t\ *ctx, lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt, lwres_gnbaresponse_t\ **structp);"
 .HP 29
-\fBvoid\ \fBlwres_gnbaresponse_free\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_gnbaresponse_t\ **structp\fR\fB);\fR
+.BI "void lwres_gnbaresponse_free(lwres_context_t\ *ctx, lwres_gnbaresponse_t\ **structp);"
 .HP 28
-\fBvoid\ \fBlwres_gnbarequest_free\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_gnbarequest_t\ **structp\fR\fB);\fR
+.BI "void lwres_gnbarequest_free(lwres_context_t\ *ctx, lwres_gnbarequest_t\ **structp);"
 .SH "DESCRIPTION"
 .PP
 These are low\-level routines for creating and parsing lightweight resolver address\-to\-name lookup request and response messages.
@@ -57,6 +60,7 @@ to the canonical format. This is complemented by a parse function which converts
 These structures are defined in
 \fIlwres/lwres.h\fR. They are shown below.
 .sp
+.RS 3n
 .nf
 #define LWRES_OPCODE_GETNAMEBYADDR      0x00010002U
 typedef struct {
@@ -74,6 +78,7 @@ typedef struct {
         size_t          baselen;
 } lwres_gnbaresponse_t;
 .fi
+.RE
 .sp
 .PP
 \fBlwres_gnbarequest_render()\fR
@@ -127,7 +132,8 @@ structures referenced via
 .PP
 The getnamebyaddr opcode functions
 \fBlwres_gnbarequest_render()\fR,
-\fBlwres_gnbaresponse_render()\fR\fBlwres_gnbarequest_parse()\fR
+\fBlwres_gnbaresponse_render()\fR
+\fBlwres_gnbarequest_parse()\fR
 and
 \fBlwres_gnbaresponse_parse()\fR
 all return
@@ -158,3 +164,5 @@ indicate that the packet is not a response to an earlier query.
 .SH "SEE ALSO"
 .PP
 \fBlwres_packet\fR(3).
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_gnba.html b/contrib/bind-9.3/lib/lwres/man/lwres_gnba.html
index 89cf35e02c..4d07580fd0 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_gnba.html
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_gnba.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_gnba.html,v 1.6.2.1.4.9 2005/10/13 02:33:57 marka Exp $ -->
+<!-- $Id: lwres_gnba.html,v 1.6.2.1.4.11 2006/06/29 13:02:31 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_gnba</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free &#8212; lightweight resolver getnamebyaddress message handling</p>
@@ -39,25 +39,31 @@
 lwres_result_t
 <b class="fsfunc">lwres_gnbarequest_render</b>
 (</code></td>
-<td>lwres_context_t * </td>
+<td> </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td>lwres_gnbarequest_t * </td>
+<td> </td>
+<td>
+<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <var class="pdparam">req</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td>lwres_lwpacket_t * </td>
+<td> </td>
 <td>
 <var class="pdparam">pkt</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td>lwres_buffer_t * </td>
+<td> </td>
 <td>
 <var class="pdparam">b</var><code>)</code>;</td>
 </tr>
@@ -84,6 +90,11 @@ lwres_result_t
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -109,6 +120,11 @@ lwres_result_t
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -134,6 +150,11 @@ lwres_result_t
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -150,6 +171,11 @@ void
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -165,6 +191,11 @@ void
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -172,7 +203,7 @@ void
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525975"></a><h2>DESCRIPTION</h2>
+<a name="id2549540"></a><h2>DESCRIPTION</h2>
 <p>
 These are low-level routines for creating and parsing
 lightweight resolver address-to-name lookup request and 
@@ -277,7 +308,7 @@ structures is also discarded.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526100"></a><h2>RETURN VALUES</h2>
+<a name="id2549733"></a><h2>RETURN VALUES</h2>
 <p>
 The getnamebyaddr opcode functions
 <code class="function">lwres_gnbarequest_render()</code>,
@@ -315,7 +346,7 @@ indicate that the packet is not a response to an earlier query.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526165"></a><h2>SEE ALSO</h2>
+<a name="id2549866"></a><h2>SEE ALSO</h2>
 <p>
 <span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3)</span>.
 </p>
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_hstrerror.3 b/contrib/bind-9.3/lib/lwres/man/lwres_hstrerror.3
index a1ecf7c207..d6fc8f5feb 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_hstrerror.3
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_hstrerror.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_hstrerror.3,v 1.13.2.1.8.5 2005/10/13 02:33:53 marka Exp $
+.\" $Id: lwres_hstrerror.3,v 1.13.2.1.8.6 2006/06/29 13:02:31 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_hstrerror
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_HSTRERROR" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,9 +36,9 @@ lwres_herror, lwres_hstrerror \- lightweight resolver error message generation
 #include <lwres/netdb.h>
 .fi
 .HP 18
-\fBvoid\ \fBlwres_herror\fR\fR\fB(\fR\fBconst\ char\ *s\fR\fB);\fR
+.BI "void lwres_herror(const\ char\ *s);"
 .HP 29
-\fBconst\ char\ *\ \fBlwres_hstrerror\fR\fR\fB(\fR\fBint\ err\fR\fB);\fR
+.BI "const char * lwres_hstrerror(int\ err);"
 .SH "DESCRIPTION"
 .PP
 \fBlwres_herror()\fR
@@ -51,19 +54,19 @@ for the error code stored in the global variable
 \fBlwres_hstrerror()\fR
 returns an appropriate string for the error code gievn by
 \fIerr\fR. The values of the error codes and messages are as follows:
-.TP
+.TP 3n
 \fBNETDB_SUCCESS\fR
 Resolver Error 0 (no error)
-.TP
+.TP 3n
 \fBHOST_NOT_FOUND\fR
 Unknown host
-.TP
+.TP 3n
 \fBTRY_AGAIN\fR
 Host name lookup failure
-.TP
+.TP 3n
 \fBNO_RECOVERY\fR
 Unknown server error
-.TP
+.TP 3n
 \fBNO_DATA\fR
 No address associated with name
 .SH "RETURN VALUES"
@@ -79,3 +82,5 @@ is not a valid error code.
 .PP
 \fBherror\fR(3),
 \fBlwres_hstrerror\fR(3).
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_hstrerror.html b/contrib/bind-9.3/lib/lwres/man/lwres_hstrerror.html
index 4204a3365b..d2f1e4aa70 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_hstrerror.html
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_hstrerror.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_hstrerror.html,v 1.5.2.1.4.9 2005/10/13 02:33:57 marka Exp $ -->
+<!-- $Id: lwres_hstrerror.html,v 1.5.2.1.4.12 2006/06/29 13:02:31 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_hstrerror</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_herror, lwres_hstrerror &#8212; lightweight resolver error message generation</p>
@@ -40,7 +40,7 @@ const char *
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525859"></a><h2>DESCRIPTION</h2>
+<a name="id2549424"></a><h2>DESCRIPTION</h2>
 <p>
 <code class="function">lwres_herror()</code> prints the string
 <em class="parameter"><code>s</code></em> on <span class="type">stderr</span> followed by the string
@@ -79,7 +79,7 @@ the error codes and messages are as follows:
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525971"></a><h2>RETURN VALUES</h2>
+<a name="id2549536"></a><h2>RETURN VALUES</h2>
 <p>
 The string <span class="errorname">Unknown resolver error</span> is returned by
 <code class="function">lwres_hstrerror()</code>
@@ -89,7 +89,7 @@ is not a valid error code.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525990"></a><h2>SEE ALSO</h2>
+<a name="id2549555"></a><h2>SEE ALSO</h2>
 <p>
 <span class="citerefentry"><span class="refentrytitle">herror</span>(3)</span>,
 
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_inetntop.3 b/contrib/bind-9.3/lib/lwres/man/lwres_inetntop.3
index 782cbafd22..6395e60099 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_inetntop.3
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_inetntop.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_inetntop.3,v 1.12.2.1.8.5 2005/10/13 02:33:53 marka Exp $
+.\" $Id: lwres_inetntop.3,v 1.12.2.1.8.6 2006/06/29 13:02:31 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_inetntop
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_INETNTOP" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,7 +36,7 @@ lwres_net_ntop \- lightweight resolver IP address presentation
 #include <lwres/net.h>
 .fi
 .HP 28
-\fBconst\ char\ *\ \fBlwres_net_ntop\fR\fR\fB(\fR\fBint\ af\fR\fB, \fR\fBconst\ void\ *src\fR\fB, \fR\fBchar\ *dst\fR\fB, \fR\fBsize_t\ size\fR\fB);\fR
+.BI "const char * lwres_net_ntop(int\ af, const\ void\ *src, char\ *dst, size_t\ size);"
 .SH "DESCRIPTION"
 .PP
 \fBlwres_net_ntop()\fR
@@ -67,3 +70,5 @@ is not supported.
 \fBRFC1884\fR(),
 \fBinet_ntop\fR(3),
 \fBerrno\fR(3).
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_inetntop.html b/contrib/bind-9.3/lib/lwres/man/lwres_inetntop.html
index 3c794a53b4..ca5c0bd693 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_inetntop.html
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_inetntop.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_inetntop.html,v 1.5.2.1.4.9 2005/10/13 02:33:57 marka Exp $ -->
+<!-- $Id: lwres_inetntop.html,v 1.5.2.1.4.12 2006/06/29 13:02:31 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_inetntop</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_net_ntop &#8212; lightweight resolver IP address presentation</p>
@@ -52,6 +52,11 @@ const char *
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -59,7 +64,7 @@ const char *
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525854"></a><h2>DESCRIPTION</h2>
+<a name="id2549419"></a><h2>DESCRIPTION</h2>
 <p>
 <code class="function">lwres_net_ntop()</code> converts an IP address of
 protocol family <em class="parameter"><code>af</code></em> &#8212; IPv4 or IPv6 &#8212;
@@ -75,7 +80,7 @@ ASCII representation of the address.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525888"></a><h2>RETURN VALUES</h2>
+<a name="id2549452"></a><h2>RETURN VALUES</h2>
 <p>
 If successful, the function returns <em class="parameter"><code>dst</code></em>:
 a pointer to a string containing the presentation format of the
@@ -87,7 +92,7 @@ supported.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525918"></a><h2>SEE ALSO</h2>
+<a name="id2549483"></a><h2>SEE ALSO</h2>
 <p>
 <span class="citerefentry"><span class="refentrytitle">RFC1884</span></span>,
 <span class="citerefentry"><span class="refentrytitle">inet_ntop</span>(3)</span>,
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_noop.3 b/contrib/bind-9.3/lib/lwres/man/lwres_noop.3
index d2eba57659..e32c2f8020 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_noop.3
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_noop.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_noop.3,v 1.14.2.1.8.5 2005/10/13 02:33:54 marka Exp $
+.\" $Id: lwres_noop.3,v 1.14.2.1.8.6 2006/06/29 13:02:31 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_noop
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_NOOP" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,17 +36,17 @@ lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lw
 #include <lwres/lwres.h>
 .fi
 .HP 40
-\fBlwres_result_t\ \fBlwres_nooprequest_render\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_nooprequest_t\ *req\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB);\fR
+.BI "lwres_result_t lwres_nooprequest_render(lwres_context_t\ *ctx, lwres_nooprequest_t\ *req, lwres_lwpacket_t\ *pkt, lwres_buffer_t\ *b);"
 .HP 41
-\fBlwres_result_t\ \fBlwres_noopresponse_render\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_noopresponse_t\ *req\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB);\fR
+.BI "lwres_result_t lwres_noopresponse_render(lwres_context_t\ *ctx, lwres_noopresponse_t\ *req, lwres_lwpacket_t\ *pkt, lwres_buffer_t\ *b);"
 .HP 39
-\fBlwres_result_t\ \fBlwres_nooprequest_parse\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_nooprequest_t\ **structp\fR\fB);\fR
+.BI "lwres_result_t lwres_nooprequest_parse(lwres_context_t\ *ctx, lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt, lwres_nooprequest_t\ **structp);"
 .HP 40
-\fBlwres_result_t\ \fBlwres_noopresponse_parse\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_noopresponse_t\ **structp\fR\fB);\fR
+.BI "lwres_result_t lwres_noopresponse_parse(lwres_context_t\ *ctx, lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt, lwres_noopresponse_t\ **structp);"
 .HP 29
-\fBvoid\ \fBlwres_noopresponse_free\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_noopresponse_t\ **structp\fR\fB);\fR
+.BI "void lwres_noopresponse_free(lwres_context_t\ *ctx, lwres_noopresponse_t\ **structp);"
 .HP 28
-\fBvoid\ \fBlwres_nooprequest_free\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_nooprequest_t\ **structp\fR\fB);\fR
+.BI "void lwres_nooprequest_free(lwres_context_t\ *ctx, lwres_nooprequest_t\ **structp);"
 .SH "DESCRIPTION"
 .PP
 These are low\-level routines for creating and parsing lightweight resolver no\-op request and response messages.
@@ -61,6 +64,7 @@ to the canonical format. This is complemented by a parse function which converts
 These structures are defined in
 \fIlwres/lwres.h\fR. They are shown below.
 .sp
+.RS 3n
 .nf
 #define LWRES_OPCODE_NOOP       0x00000000U
 typedef struct {
@@ -72,6 +76,7 @@ typedef struct {
         unsigned char   *data;
 } lwres_noopresponse_t;
 .fi
+.RE
 .sp
 Although the structures have different types, they are identical. This is because the no\-op opcode simply echos whatever data was sent: the response is therefore identical to the request.
 .PP
@@ -126,7 +131,8 @@ structures referenced via
 .PP
 The no\-op opcode functions
 \fBlwres_nooprequest_render()\fR,
-\fBlwres_noopresponse_render()\fR\fBlwres_nooprequest_parse()\fR
+\fBlwres_noopresponse_render()\fR
+\fBlwres_nooprequest_parse()\fR
 and
 \fBlwres_noopresponse_parse()\fR
 all return
@@ -157,3 +163,5 @@ indicate that the packet is not a response to an earlier query.
 .SH "SEE ALSO"
 .PP
 \fBlwres_packet\fR(3 )
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_noop.html b/contrib/bind-9.3/lib/lwres/man/lwres_noop.html
index 261bac802f..145bcac084 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_noop.html
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_noop.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_noop.html,v 1.7.2.1.4.9 2005/10/13 02:33:57 marka Exp $ -->
+<!-- $Id: lwres_noop.html,v 1.7.2.1.4.11 2006/06/29 13:02:31 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_noop</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free &#8212; lightweight resolver no-op message handling</p>
@@ -53,6 +53,11 @@ lwres_result_t
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -78,6 +83,11 @@ lwres_result_t
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -103,6 +113,11 @@ lwres_result_t
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -128,6 +143,11 @@ lwres_result_t
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -143,6 +163,11 @@ void
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -158,6 +183,11 @@ void
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -165,7 +195,7 @@ void
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525963"></a><h2>DESCRIPTION</h2>
+<a name="id2549528"></a><h2>DESCRIPTION</h2>
 <p>
 These are low-level routines for creating and parsing
 lightweight resolver no-op request and response messages.
@@ -246,7 +276,7 @@ structures referenced via <em class="parameter"><code>structp</code></em>.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526096"></a><h2>RETURN VALUES</h2>
+<a name="id2549797"></a><h2>RETURN VALUES</h2>
 <p>
 The no-op opcode functions
 <code class="function">lwres_nooprequest_render()</code>,
@@ -285,7 +315,7 @@ indicate that the packet is not a response to an earlier query.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526160"></a><h2>SEE ALSO</h2>
+<a name="id2549861"></a><h2>SEE ALSO</h2>
 <p>
 <span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3
 )</span>
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_packet.3 b/contrib/bind-9.3/lib/lwres/man/lwres_packet.3
index 777e0c76ee..35a8f10ca8 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_packet.3
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_packet.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_packet.3,v 1.15.2.1.8.5 2005/10/13 02:33:54 marka Exp $
+.\" $Id: lwres_packet.3,v 1.15.2.1.8.6 2006/06/29 13:02:31 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_packet
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_PACKET" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,9 +36,9 @@ lwres_lwpacket_renderheader, lwres_lwpacket_parseheader \- lightweight resolver
 #include <lwres/lwpacket.h>
 .fi
 .HP 43
-\fBlwres_result_t\ \fBlwres_lwpacket_renderheader\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB);\fR
+.BI "lwres_result_t lwres_lwpacket_renderheader(lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt);"
 .HP 42
-\fBlwres_result_t\ \fBlwres_lwpacket_parseheader\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB);\fR
+.BI "lwres_result_t lwres_lwpacket_parseheader(lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt);"
 .SH "DESCRIPTION"
 .PP
 These functions rely on a
@@ -43,6 +46,7 @@ These functions rely on a
 which is defined in
 \fIlwres/lwpacket.h\fR.
 .sp
+.RS 3n
 .nf
 typedef struct lwres_lwpacket lwres_lwpacket_t;
 struct lwres_lwpacket {
@@ -57,52 +61,54 @@ struct lwres_lwpacket {
         lwres_uint16_t          authlength;
 };
 .fi
+.RE
 .sp
 .PP
 The elements of this structure are:
-.TP
+.TP 3n
 \fBlength\fR
 the overall packet length, including the entire packet header. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.
-.TP
+.TP 3n
 \fBversion\fR
 the header format. There is currently only one format,
 \fBLWRES_LWPACKETVERSION_0\fR. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.
-.TP
+.TP 3n
 \fBpktflags\fR
 library\-defined flags for this packet: for instance whether the packet is a request or a reply. Flag values can be set, but not defined by the caller. This field is filled in by the application wit the exception of the LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in the lwres_gabn_*() and lwres_gnba_*() calls.
-.TP
+.TP 3n
 \fBserial\fR
 is set by the requestor and is returned in all replies. If two or more packets from the same source have the same serial number and are from the same source, they are assumed to be duplicates and the latter ones may be dropped. This field must be set by the application.
-.TP
+.TP 3n
 \fBopcode\fR
 indicates the operation. Opcodes between 0x00000000 and 0x03ffffff are reserved for use by the lightweight resolver library. Opcodes between 0x04000000 and 0xffffffff are application defined. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.
-.TP
+.TP 3n
 \fBresult\fR
 is only valid for replies. Results between 0x04000000 and 0xffffffff are application defined. Results between 0x00000000 and 0x03ffffff are reserved for library use. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.
-.TP
+.TP 3n
 \fBrecvlength\fR
 is the maximum buffer size that the receiver can handle on requests and the size of the buffer needed to satisfy a request when the buffer is too large for replies. This field is supplied by the application.
-.TP
+.TP 3n
 \fBauthtype\fR
 defines the packet level authentication that is used. Authorisation types between 0x1000 and 0xffff are application defined and types between 0x0000 and 0x0fff are reserved for library use. Currently these are not used and must be zero.
-.TP
+.TP 3n
 \fBauthlen\fR
 gives the length of the authentication data. Since packet authentication is currently not used, this must be zero.
 .PP
 The following opcodes are currently defined:
-.TP
+.TP 3n
 \fBNOOP\fR
 Success is always returned and the packet contents are echoed. The lwres_noop_*() functions should be used for this type.
-.TP
+.TP 3n
 \fBGETADDRSBYNAME\fR
 returns all known addresses for a given name. The lwres_gabn_*() functions should be used for this type.
-.TP
+.TP 3n
 \fBGETNAMEBYADDR\fR
 return the hostname for the given address. The lwres_gnba_*() functions should be used for this type.
 .PP
 \fBlwres_lwpacket_renderheader()\fR
 transfers the contents of lightweight resolver packet structure
-\fBlwres_lwpacket_t\fR\fI*pkt\fR
+\fBlwres_lwpacket_t\fR
+\fI*pkt\fR
 in network byte order to the lightweight resolver buffer,
 \fI*b\fR.
 .PP
@@ -127,3 +133,5 @@ and lightweight resolver packet
 \fI*pkt\fR
 both functions return
 \fBLWRES_R_UNEXPECTEDEND\fR.
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_packet.html b/contrib/bind-9.3/lib/lwres/man/lwres_packet.html
index b83fbcbf1b..32bb81ee94 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_packet.html
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_packet.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_packet.html,v 1.8.2.1.4.9 2005/10/13 02:33:57 marka Exp $ -->
+<!-- $Id: lwres_packet.html,v 1.8.2.1.4.12 2006/06/29 13:02:31 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_packet</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_lwpacket_renderheader, lwres_lwpacket_parseheader &#8212; lightweight resolver packet handling functions</p>
@@ -42,6 +42,11 @@ lwres_result_t
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -57,6 +62,11 @@ lwres_result_t
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -64,7 +74,7 @@ lwres_result_t
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525865"></a><h2>DESCRIPTION</h2>
+<a name="id2549430"></a><h2>DESCRIPTION</h2>
 <p>
 These functions rely on a
 <span class="type">struct lwres_lwpacket</span>
@@ -202,7 +212,7 @@ buffer <em class="parameter"><code>*b</code></em> to resolver packet
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526068"></a><h2>RETURN VALUES</h2>
+<a name="id2549769"></a><h2>RETURN VALUES</h2>
 <p> Successful calls to
 <code class="function">lwres_lwpacket_renderheader()</code> and
 <code class="function">lwres_lwpacket_parseheader()</code> return
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_resutil.3 b/contrib/bind-9.3/lib/lwres/man/lwres_resutil.3
index 5d4cfc050c..907706c424 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_resutil.3
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_resutil.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_resutil.3,v 1.14.2.1.8.5 2005/10/13 02:33:54 marka Exp $
+.\" $Id: lwres_resutil.3,v 1.14.2.1.8.6 2006/06/29 13:02:31 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_resutil
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_RESUTIL" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,13 +36,13 @@ lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr
 #include <lwres/lwres.h>
 .fi
 .HP 34
-\fBlwres_result_t\ \fBlwres_string_parse\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBchar\ **c\fR\fB, \fR\fBlwres_uint16_t\ *len\fR\fB);\fR
+.BI "lwres_result_t lwres_string_parse(lwres_buffer_t\ *b, char\ **c, lwres_uint16_t\ *len);"
 .HP 32
-\fBlwres_result_t\ \fBlwres_addr_parse\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_addr_t\ *addr\fR\fB);\fR
+.BI "lwres_result_t lwres_addr_parse(lwres_buffer_t\ *b, lwres_addr_t\ *addr);"
 .HP 36
-\fBlwres_result_t\ \fBlwres_getaddrsbyname\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBconst\ char\ *name\fR\fB, \fR\fBlwres_uint32_t\ addrtypes\fR\fB, \fR\fBlwres_gabnresponse_t\ **structp\fR\fB);\fR
+.BI "lwres_result_t lwres_getaddrsbyname(lwres_context_t\ *ctx, const\ char\ *name, lwres_uint32_t\ addrtypes, lwres_gabnresponse_t\ **structp);"
 .HP 35
-\fBlwres_result_t\ \fBlwres_getnamebyaddr\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_uint32_t\ addrtype\fR\fB, \fR\fBlwres_uint16_t\ addrlen\fR\fB, \fR\fBconst\ unsigned\ char\ *addr\fR\fB, \fR\fBlwres_gnbaresponse_t\ **structp\fR\fB);\fR
+.BI "lwres_result_t lwres_getnamebyaddr(lwres_context_t\ *ctx, lwres_uint32_t\ addrtype, lwres_uint16_t\ addrlen, const\ unsigned\ char\ *addr, lwres_gnbaresponse_t\ **structp);"
 .SH "DESCRIPTION"
 .PP
 \fBlwres_string_parse()\fR
@@ -71,6 +74,7 @@ use the
 \fBlwres_gnbaresponse_t\fR
 structure defined below:
 .sp
+.RS 3n
 .nf
 typedef struct {
         lwres_uint32_t          flags;
@@ -85,6 +89,7 @@ typedef struct {
         size_t                  baselen;
 } lwres_gabnresponse_t;
 .fi
+.RE
 .sp
 The contents of this structure are not manipulated directly but they are controlled through the
 \fBlwres_gabn\fR(3 )
@@ -158,3 +163,5 @@ if the buffers used for sending queries and receiving replies are too small.
 .PP
 \fBlwres_buffer\fR(3),
 \fBlwres_gabn\fR(3).
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/contrib/bind-9.3/lib/lwres/man/lwres_resutil.html b/contrib/bind-9.3/lib/lwres/man/lwres_resutil.html
index 4cee0c7804..a9bc1eea10 100644
--- a/contrib/bind-9.3/lib/lwres/man/lwres_resutil.html
+++ b/contrib/bind-9.3/lib/lwres/man/lwres_resutil.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_resutil.html,v 1.8.2.1.4.9 2005/10/13 02:33:58 marka Exp $ -->
+<!-- $Id: lwres_resutil.html,v 1.8.2.1.4.11 2006/06/29 13:02:31 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_resutil</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
+<a name="id2482688"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr &#8212; lightweight resolver utility functions</p>
@@ -47,6 +47,11 @@ lwres_result_t
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -62,6 +67,11 @@ lwres_result_t
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -87,6 +97,11 @@ lwres_result_t
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -117,6 +132,11 @@ lwres_result_t
 <tr>
 <td> </td>
 <td> </td>
+<td>, </td>
+</tr>
+<tr>
+<td> </td>
+<td> </td>
 <td>
 <code>)</code>;</td>
 </tr>
@@ -124,7 +144,7 @@ lwres_result_t
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2525921"></a><h2>DESCRIPTION</h2>
+<a name="id2549485"></a><h2>DESCRIPTION</h2>
 <p>
 <code class="function">lwres_string_parse()</code> retrieves a DNS-encoded
 string starting the current pointer of lightweight resolver buffer
@@ -200,7 +220,7 @@ is made available through <em class="parameter"><code>*structp</code></em>.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526060"></a><h2>RETURN VALUES</h2>
+<a name="id2549693"></a><h2>RETURN VALUES</h2>
 <p>
 Successful calls to
 <code class="function">lwres_string_parse()</code>
@@ -244,7 +264,7 @@ small.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2526130"></a><h2>SEE ALSO</h2>
+<a name="id2549763"></a><h2>SEE ALSO</h2>
 <p>
 <span class="citerefentry"><span class="refentrytitle">lwres_buffer</span>(3)</span>,
 
diff --git a/contrib/bind-9.3/version b/contrib/bind-9.3/version
index fe47241d0a..49710d4957 100644
--- a/contrib/bind-9.3/version
+++ b/contrib/bind-9.3/version
@@ -1,10 +1,10 @@
-# $Id: version,v 1.26.2.17.2.21.4.1 2006/08/17 07:12:31 marka Exp $
+# $Id: version,v 1.26.2.17.2.26.4.1 2007/01/11 05:06:25 marka Exp $
 #
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
 #
 MAJORVER=9
 MINORVER=3
-PATCHVER=2
-RELEASETYPE=-P
-RELEASEVER=1
+PATCHVER=4
+RELEASETYPE=
+RELEASEVER=